Windows Analysis Report: Users-Progress-072021-1.doc

Overview

General Information

Sample Name:Users-Progress-072021-1.doc
Analysis ID:446523
MD5:d60b6a8310373c9b84e6760c24185535
SHA1:6b1da5e0ecda14512369a7201982a6bc13b33700
SHA256:ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded macro with GUI obfuscation
Machine Learning detection for sample
Opens network shares
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1984 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Users-Progress-072021-1.doc
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x322c:$e3: Enable editing
  • 0x328c:$e3: Enable editing
  • 0x32d5:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Machine Learning detection for sample
Source: Users-Progress-072021-1.doc | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47DFF116-6281-436E-ADD1-2266A057AE87}.tmp

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" at the top in the yellow bar, and then click 'Enable content' ii: ^ Introducing
Source: Screenshot number: 8 | Screenshot OCR: Enable content' ii: ^ Introducing Windows 11 Wncjow$ 11 brings you ckjsec to what you We ",
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing" at the top in the yellow bar, and then click "Enable content" Introducing Windows
Source: Document image extraction number: 0 | Screenshot OCR: Enable content" Introducing Windows 11 Windows 11 brings you closer to what you love ,,[,"d Life
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing" at the top in the yellow bar, and then click 'Enable content' Introducing Windows
Source: Document image extraction number: 1 | Screenshot OCR: Enable content' Introducing Windows 11 W'ncXym; 7 t)rngs you c:\crm :O wm: you tow-' ", S;
Document contains an embedded VBA macro which may execute processes
Source: Users-Progress-072021-1.doc | OLE, VBA macro line: Private Declare PtrSafe Function U0R2xawbzZ Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Document contains an embedded VBA macro with suspicious strings
Source: Users-Progress-072021-1.doc | OLE, VBA macro line: Private Declare PtrSafe Function U0R2xawbzZ Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Source: Users-Progress-072021-1.doc | OLE, VBA macro line: If InStr(1, GLzwfs((3 * 2 + 6)), CStr(fUw6wOUdgh.OSLanguage)) > (8 * 8 - 64) Then Call me2XKr
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function zH0Xx, String .oslanguage: If InStr(1, GLzwfs((3 * 2 + 6)), CStr(fUw6wOUdgh.OSLanguage)) > (8 * 8 - 64) Then
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: Users-Progress-072021-1.doc | Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions mode, position, open, read, write
Document contains an embedded VBA with functions possibly related to HTTP operations
Source: Users-Progress-072021-1.doc | Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, status, open, send
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Source: Users-Progress-072021-1.doc | Stream path 'Macros/VBA/ThisDocument' : found possibly 'WScript.Shell' functions exec, regread, run
Document contains an embedded macro with GUI obfuscation
Source: Users-Progress-072021-1.doc | Stream path 'ObjectPool/_1687197129/\x1Ole10Native' : Found suspicious string activexobject in non macro stream
Source: Users-Progress-072021-1.doc | OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open
Source: Users-Progress-072021-1.doc | OLE indicator, VBA macros: true
Source: Users-Progress-072021-1.doc, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: classification engine | Classification label: mal84.spyw.expl.evad.winDOC@1/14@0/0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ers-Progress-072021-1.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC957.tmp
Source: Users-Progress-072021-1.doc | OLE indicator, Word Document stream: true
Source: Users-Progress-072021-1.doc | OLE document summary: title field not present or empty
Source: Users-Progress-072021-1.doc | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: Users-Progress-072021-1.doc | Static file information: File size 2499072 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: Users-Progress-072021-1.doc | Stream path 'Data' entropy: 7.98840647288 (max. 8.0)

Stealing of Sensitive Information:

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\NHPKIZU*\MAILSLOT\NET\NETLOGON
Opens network shares
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\NHPKIZU*\MAILSLOT\NET\NETLOGON

Mitre Att&ck Matrix

Techniques are listed per tactic column; a technique matched by this sample carries the number of matching signatures in parentheses, the rest are unmatched.

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Scripting (62); Scheduled Task/Job; At (Linux); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Scripting (62); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Network Share Discovery (2); File and Directory Discovery (1); System Information Discovery (1); System Network Configuration Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Application Layer Protocol (1); Ingress Tool Transfer (1); Steganography; Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: Users-Progress-072021-1.doc
Detection: 100%
Scanner: Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:446523
Start date:09.07.2021
Start time:18:33:44
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Users-Progress-072021-1.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal84.spyw.expl.evad.winDOC@1/14@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/446523/sample/Users-Progress-072021-1.doc

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\103D4A5B.emf
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):5012
Entropy (8bit):3.4772481681371428
Encrypted:false
SSDEEP:48:mHyNR4vQHsWBg6qjpLkwOEG6AFdHknD53:m+/RBFq9gVJEnl3
MD5:E0977DA9BD2A0A573EDCDDBAABC5F8FD
SHA1:CA30C68B13D2BB2AE15ECE40A126ADB8BD95ED7D
SHA-256:98522B604823AF653546AD5AF0A67729530928FF868291DD2B9DC48967052172
SHA-512:545BFD1EA1053263678F2A06DCD72E48CBAB4DD619ABEFD22F6D2DBB9C60D8836ADE3326130C92340E38CF072B2C531C72AEDFB8C3098E3E30034F648928D736
Malicious:false
Reputation:low
Preview: ....l...........S.../................... EMF................................8.......................`...6\..........................^...5...R...p...................................S.e.g.o.e. .U.I................................................... v./...............%.f................D|...{..'.1l....\...D|......D|...{..W.1l....D|..\6 v_.1l......1l./..4..fP{.....f0..f.......f...f........4..f.{.....f.......f...........f.{.........f4t.f...f............<.Qu.Z.u...../......./........................udv......%...................................r...............>............... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0002.docx
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.4311600611816426
Encrypted:false
SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
Malicious:false
Reputation:moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0004.docx
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:modified
Size (bytes):162
Entropy (8bit):2.4311600611816426
Encrypted:false
SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
Malicious:false
Reputation:moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):12567
Entropy (8bit):7.147564190379963
Encrypted:false
SSDEEP:192:ODHmpYyoH5bk8xgNAOQcXGYzv2T8epqiiJ8rCtga7CRqh/TerH:ODcYyo05QAPzOT8mqPJZgaWIMH
MD5:14201FD0B33A1456D30E47370000180A
SHA1:A8E3B03BE71DE023BBF75CC1FA78FA0F0E10B619
SHA-256:B52349F9FAB42B1761B9720E1B9A97832B05401BF0B87641D47754A07DFA916F
SHA-512:CD770355CF4CFB261AEC89509FAC99746F9D6160876558A560289A9679EADC3809B1234503FB58AB17CC883519FD605F783C3B1B5DAA73132615AC48B39684C2
Malicious:false
Reputation:low
Preview: ..MO.@...&...W..z0.....M...C..~dg....JK...Z...2....3..J...<*kR.Oz,.#m..,e.....E...Di..l..F...t..#.6..".w.9.....:0t.[.E.[?.N..1.~...piM...Pi....r1/C4^...C.,.._..R&.+...H..d.\.CB..w.P.....V.......*.h"|x..0....gV.5....i.y.$4....V."e..9.B...A......)j....T(.y..>vw......v..(.SL...qW.U.DX...Q.w..4.S.^....0.F.."...\.gsld.Y.dL.uH........c.9.>(hVD.5..{.....A...7.t........PK..........!..$..............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J.A.....a.}7.."...H.w"......w..... .P.^..
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0005.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):12569
Entropy (8bit):7.157041803170349
Encrypted:false
SSDEEP:192:ODHmpYyoR7+5bk8xgNAOqZdIi7pVVPVfq4I8/RpDPUAQVjFFCEeDH/qh/Tera:ODcYyoRB5qgibVdi4IUpDFYjF9e7/IMa
MD5:1C023A98935118C48070A50FEAEDC2B0
SHA1:2C7D4FAC6433B4CC3C73C6FD3055C4C376BED1D8
SHA-256:759A1BB79A80E1F9E0568DF685E9B81838AFCC73AAB59BC5A2AAA133A97E314C
SHA-512:A2A319FF72789D5232650F08D9CD939B7A9451ED26AB76F30A5603CECFD95C8ED2E2FB9DDFFB86A518460532E104903CD4D6205B719428F88B149B64E18B3087
Malicious:false
Reputation:low
Preview: ..MO.@...&...W..z0.....M...C..~dg....JK...Z...2....3..J...<*kR.Oz,.#m..,e.....E...Di..l..F...t..#.6..".w.9.....:0t.[.E.[?.N..1.~...piM...Pi....r1/C4^...C.,.._..R&.+...H..d.\.CB..w.P.....V.......*.h"|x..0....gV.5....i.y.$4....V."e..9.B...A......)j....T(.y..>vw......v..(.SL...qW.U.DX...Q.w..4.S.^....0.F.."...\.gsld.Y.dL.uH........c.9.>(hVD.5..{.....A...7.t........PK..........!..$..............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J.A.....a.}7.."...H.w"......w..... .P.^..
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47DFF116-6281-436E-ADD1-2266A057AE87}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\msohtmlclip1\01\clip_colorschememapping.xml
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):314
Entropy (8bit):4.803822695545621
Encrypted:false
SSDEEP:6:TMVBd6OjzVlNAUifYRZ5YUvLGDmaN4bJU6Yizg:TMHdtnGfYF/CSaibJUzf
MD5:6B7A472A22FBDBFF4B2B08DDB4F43735
SHA1:C6DF700168D3F5A90FF2713B78F8EF1446927102
SHA-256:65F3CDBC4390C81B94FA960B7362917443FC1E6A51E3F81E4CB4C4DFA09DA4BE
SHA-512:8D2E00954422F124CB1A7B969A728B3A6C9FB11C44623C1CDA33F2364E1C7CB101F6BF6C980E5F26368594F6CECED5C3D5E5A43327387554567BCDB5F1036740
Malicious:false
Reputation:moderate, very likely benign file
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
C:\Users\user\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Microsoft OOXML
Category:dropped
Size (bytes):3104
Entropy (8bit):7.632416686567842
Encrypted:false
SSDEEP:96:Q6Zjp6bfuijKIDa05vZep862Q9NAjCbxFpgNum:Q6/6rT5bk8xgNAORm
MD5:2B26E4DD316F857EBB6E2B6B0E1E0282
SHA1:581AE91D57A710CF31348CD5F5AB6FD1B081291E
SHA-256:40BB5B5897D76A8EEFB7136E658BDDAA65F094C9689B931A78A01601F9EE02CB
SHA-512:F097BEEC6E9E39E56DD1AF7DD1E02FE87DA3F818006E5B8B9377013E6FD039EE5765B3BDD7FBF96529C9988E2D7A75EA7300C7CA292DB9471ACE450E7582D0A0
Malicious:false
Preview: PK..........!.................[Content_Types].xml...N.0.E.H...-J..@.%...|..$....U..L.TB. .l,.3..;.r.......J..B+$..G]..7O.V....<a.......(7..I..R.{.pgL.=..r.....8..5v&.....uQ...8..C......X=....$..?6N.JC........F..B..'...+...Y.T....^e5.5.. ......._.g .-.;.....Yl....|6^.N...`.?.....[........PK..........!........6......._rels/.rels...j.0.....}Q...%v/..C/.}..(.h".....O..........=...... ......C?.h.v=......%.[xp..{._.P.<.1..H.0.....O.R.Bd....JE.4b$...q_......6L...R.7`.......0.O...,.E.n7.Li.b../.S...e...............PK..........!.ky..............theme/theme/themeManager.xml..M.. .@.}.w..7c.(Eb.....C..A......7....K.Y,....e.....|,....H..,l.....x.....I.sQ}#..... .+.!.,.^.$j=.GW...).E.+&..8........PK..........!.0.C)............theme/theme/theme1.xml.YOo.6....w toc'v..u...-M..n..i...P.@.I}.....a...m.a[....4.:l...GR..X^.6..>$...............!)O.^.r.C$.y@....../.yH*.....).......UDb.`}".q..J.....X^.)I`n.E....p).....li.V[].1M<........O.P..6r.=....z.gb.I.g....u.
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Users-Progress-072021-1.LNK
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Sat Jul 10 00:34:35 2021, length=2499072, window=hide
Category:dropped
Size (bytes):2158
Entropy (8bit):4.490010128443569
Encrypted:false
SSDEEP:24:8tk/XTm6GreV7gJeUbiDv3qKdM7dD2tk/XTm6GreV7gJeUbiDv3qKdM7dV:8tk/XTFGq5KtRKQh2tk/XTFGq5KtRKQ/
MD5:AD822F9812812954ABC344498C7D4DCC
SHA1:B58092A5F08496C2A3A19D051F0049429DDFBF6E
SHA-256:E174B4157753883C04523777ACE37D317C6C994769EC124AA923795547F51135
SHA-512:5E1FF18F6372D025279B5899FE77298D719DDC7A233C4460A95E22597E73FCF9C1C3F88F8F1B7B7DC2380C914C50A33B83103FAEBB09B4E2C75276E9528F7CA2
Malicious:false
Preview: L..................F.... .......{......{..AS..+u..."&..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.."&..RR. .USERS-~1.DOC..d.......Q.y.Q.y*...8.....................U.s.e.r.s.-.P.r.o.g.r.e.s.s.-.0.7.2.0.2.1.-.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\Users-Progress-072021-1.doc.2.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.U.s.e.r.s.-.P.r.o.g.r.e.s.s.-.0.7.2.0.2.1.-.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......21604
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):107
Entropy (8bit):4.304459892911812
Encrypted:false
SSDEEP:3:M18GI1ZjVSoWFI1ZjVSmX18GI1ZjVSv:MiI6
MD5:EBD3D0B8A127895B98A702A0016802CB
SHA1:3FC3746AA59E02C93F2759263467548276AD33E3
SHA-256:1BA6B92774588DF92BAB112A5D40A7C6E3418AA450F6E815C2C02055142AF2C6
SHA-512:C44F2294B1BB509CFAB2B89D3BCD8057F17C465BAE4F347CED58474248445A269995C355F6C861F9E91EDC0F8AB28551A6CF3117EA1B3B85FA4A7ACF81CD496A
Malicious:false
Preview: [doc]..Users-Progress-072021-1.LNK=0..Users-Progress-072021-1.LNK=0..[doc]..Users-Progress-072021-1.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.4311600611816426
Encrypted:false
SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
Malicious:false
Preview: .user..................................................A.l.b.u.s.............p.......................................P......................z...............x...
C:\Users\user\Desktop\~$ers-Progress-072021-1.doc
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.4311600611816426
Encrypted:false
SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
Malicious:false
C:\Users\user\Desktop\~WRD0000.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):2221861
Entropy (8bit):7.97689801424042
Encrypted:false
SSDEEP:49152:9pHH1j3mpdgRf+us8azmLBVU3p2XR3451TpKPOv05AX:9NxmsRf+u8A+4mtKe0K
MD5:516889FD8DCA0E678764BE73A35CE025
SHA1:84B7963E11A9699D7B95EBDB40BFF72A475F4E62
SHA-256:6976DB4A0200C866663BA5561454F240F2EFF3A69884EEC833738B52A13FB891
SHA-512:2A768522102315F143C2EAABEF7E695234FE4A4D1BDE56E3C4143191063E789E9A9E44F976EFD8CC7F766305610529A46AE3FAE73ED708179C36203AC3709110
Malicious:false
C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: John, Template: Normal.dot, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Number of Pages: 2, Number of Words: 256, Number of Characters: 1460, Security: 0
Entropy (8bit):7.9032465415007405
TrID:
  • Microsoft Word document (32009/1) 54.23%
  • Microsoft Word document (old ver.) (19008/1) 32.20%
  • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:Users-Progress-072021-1.doc
File size:2499072
MD5:d60b6a8310373c9b84e6760c24185535
SHA1:6b1da5e0ecda14512369a7201982a6bc13b33700
SHA256:ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37
SHA512:a3e789ae24c7123e1f4f79fe6ea2166464b9cbcd88faff1d11e3d1084454946596f9c5bf039f2e655b48420d89ec3a80cc254aa706c2e8d9876f7a021a196512
SSDEEP:49152:kpHH1j3mpdgRf+us8azmLBVU3p2XR3451TpKPOv05AhEnfsW8:kNxmsRf+u8A+4mtKe0

File Icon

Icon Hash:e4eea2aaa4b4b4a4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "Users-Progress-072021-1.doc"

Indicators

Has Summary Info:True
Application Name:Microsoft Office Word
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Title:
Subject:
Author:John
Keywords:
Comments:
Template:Normal.dot
Last Saved By:
Revision Number:1
Total Edit Time:
Last Printed:
Create Time:
Last Saved Time:
Number of Pages:2
Number of Words:256
Number of Characters:1460
Creating Application:Microsoft Office Word
Security:0

Document Summary

Document Code Page:1252
Number of Lines:12
Number of Paragraphs:3
Thumbnail Scaling Desired:False
Company:HomeCompany
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 102641
General
Stream Path:Macros/VBA/ThisDocument
VBA File Name:ThisDocument.cls
Stream Size:102641
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . 2 . . . . . . . . . . . . . . . . . S h e l l E x e c u t e A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . .

VBA Code Keywords

Keyword
VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114
General
Stream Path:\x1CompObj
File Type:data
Stream Size:114
Entropy:4.2359563651
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 292
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:292
Entropy:2.64919160722
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H o m e C o m p a n y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 428
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:428
Entropy:2.72413620268
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . p . . . . . . . X . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stream Path: 1Table, File Type: data, Stream Size: 7607
General
Stream Path:1Table
File Type:data
Stream Size:7607
Entropy:5.80271739135
Base64 Encoded:True
Data ASCII:. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Stream Path: Data, File Type: data, Stream Size: 2196072
General
Stream Path:Data
File Type:data
Stream Size:2196072
Entropy:7.98840647288
Base64 Encoded:True
Data ASCII:" w ! . D . d . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . b . . . d v ! . . . ' . . . u A . q c . . . . l / . . . @ v ! . . . . . D . . . . . k . . n . . 8 v ! . ' . . . u A . q c . . . . l / . . . P N G .
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 434
General
Stream Path:Macros/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:434
Entropy:5.13434183594
Base64 Encoded:True
Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E 3 E 1 4 F 2 E F 6 3 2 F 6 3 2 F 2 3 6 F 2 3 6 " . . D P B = " 8 6 8 4 2 A 9 3 6 E 9 5 0 C B 2 0 C B 2 F 3 4 E 0 D B 2 C 4 A A E 7 2 E 2 9 D 4 4 4 7 E E 0 8 E D 4 3 5 9 B 8 1 A E A
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41
General
Stream Path:Macros/PROJECTwm
File Type:data
Stream Size:41
Entropy:3.07738448508
Base64 Encoded:False
Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3580
General
Stream Path:Macros/VBA/_VBA_PROJECT
File Type:data
Stream Size:3580
Entropy:4.99862296789
Base64 Encoded:False
Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
Stream Path: Macros/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522
General
Stream Path:Macros/VBA/dir
File Type:VAX-order 68k Blit mpx/mux executable
Stream Size:522
Entropy:6.29107123334
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . b . b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . N . m . .
Stream Path: ObjectPool/_1687197129/\x1CompObj, File Type: data, Stream Size: 76
General
Stream Path:ObjectPool/_1687197129/\x1CompObj
File Type:data
Stream Size:76
Entropy:3.09344952647
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Stream Path: ObjectPool/_1687197129/\x1Ole10Native, File Type: data, Stream Size: 146674
General
Stream Path:ObjectPool/_1687197129/\x1Ole10Native
File Type:data
Stream Size:146674
Entropy:4.66091959569
Base64 Encoded:True
Data ASCII:. < . . . . w o r d _ d a t a . b i n . V : \\ D O C \\ F o r _ J S \\ J S \\ N e w \\ w o r d _ d a t a . b i n . . . . . Z . . . C : \\ U s e r s \\ W 1 0 P R O ~ 1 \\ A p p D a t a \\ L o c a l \\ T e m p \\ { C A E 4 4 D B 5 - 2 2 D C - 4 A 7 6 - B 3 3 4 - E 7 7 C 8 D 4 5 9 5 0 5 } \\ w o r d _ d a t a . b i n . 9 ; . . / / " I t ' s t h o s e v i l l a g e r s w e s a w i n t h e m o u n t a i n s ! T h e y ' v e c o m e t o m e e t u s ! I s n ' t t h a t n i c e ? " E r n i e w
Stream Path: ObjectPool/_1687197129/\x3EPRINT, File Type: Windows Enhanced Metafile (EMF) image data version 0x10000, Stream Size: 5012
General
Stream Path:ObjectPool/_1687197129/\x3EPRINT
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Stream Size:5012
Entropy:3.47724816814
Base64 Encoded:False
Data ASCII:. . . . l . . . . . . . . . . . S . . . / . . . . . . . . . . . . . . . . . . . E M F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . ` . . . 6 \\ . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . 5 . . . R . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . e . g . o . e . . U . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v . / . . . . . .
Stream Path: ObjectPool/_1687197129/\x3ObjInfo, File Type: data, Stream Size: 6
General
Stream Path:ObjectPool/_1687197129/\x3ObjInfo
File Type:data
Stream Size:6
Entropy:1.25162916739
Base64 Encoded:False
Data ASCII:. . . . . .
Data Raw:00 00 03 00 0d 00
Stream Path: WordDocument, File Type: data, Stream Size: 9774
General
Stream Path:WordDocument
File Type:data
Stream Size:9774
Entropy:3.45153195466
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j f . f . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . g . . . g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N . . . . . . . N . . . . . . . N . . . . . . . N . . . . . . . N . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . b . . . . . . . b . . . . . . . b . . . . .

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

General

Start time:18:34:36
Start date:09/07/2021
Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:0x13fbb0000
File size:1424032 bytes
MD5 hash:95C38D04597050285A18F66039EDB456
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly
