order.doc
This report is generated from a file or URL submitted to this webservice on February 20th 2018 21:37:06 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v7.30 © Hybrid Analysis
Incident Response

Risk Assessment
- Persistence: writes data to a remote process
- Network Behavior: contacts 1 domain and 1 host

Indicators

Malicious Indicators (13)

Anti-Detection/Stealthiness

Hooks file system APIs (source: Hook Detection; relevance: 10/10)
- "NtQueryDirectoryFile@NTDLL.DLL" in "extra_embedded_0.mgr.exe"

Exploit/Shellcode

Possible document exploit detected (source: Indicator Combinations; relevance: 10/10)
- Document can spawn a new process although no macro was present in the original file
- Caveat: the spawned file is named extra_embedded_0 (an object extracted from inside the document), and the process list shows rundll32.exe being invoked with shell32.dll,OpenAs_RunDLL on it. That is consistent with an embedded OLE package being launched rather than with a memory-corruption exploit; inspect the embedded object before classifying this as an exploit.

External Systems

Found an IP/URL artifact that was identified as malicious by a significant number of reputation engines (source: External System; relevance: 10/10)
- 8/67 reputation engines marked "http://supnewdmn.com" as malicious (11% detection rate)

Sample was identified as malicious by at least one Antivirus engine (source: External System; relevance: 8/10)
- 8/61 Antivirus vendors marked sample as malicious (13% detection rate)

General

The analysis spawned a process that was identified as malicious (source: Monitored Target; relevance: 10/10)
- 67/73 Antivirus vendors marked spawned process "extra_embedded_0.mgr.exe" (PID: 2772) as malicious (classified as "Backdoor.Agent" with 91% detection rate)

Installation/Persistence

Writes data to a remote process (source: API Call; relevance: 6/10)
- "extra_embedded_0..NET exe" wrote to "C:\extra_embedded_0..NET exe" (Handle: 596): 1500, 4, 32, 52, 4096, 344576, 478208 and 110592 bytes (8 writes, 939060 bytes in total)
- "extra_embedded_0..NET exe" wrote to "C:\extra_embedded_0..NET exe" (Handle: 772): 496, 59392, 25600, 2560, 512, 1024 and 20 bytes (7 writes)
- "extra_embedded_0..NET exe" wrote to "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" (also logged as "C:\Program Files\Mozilla Firefox\firefox.exe"; Handle: 772): 48, 12, 217, 496, 59392, 25600, 2560, 512, 1024 and 20 bytes (10 writes)
- "extra_embedded_0..NET exe" wrote to "C:\Windows\System32\rundll32.exe" (Handle: 1216): 45056, 563, 223, 132 and 48 bytes (5 writes)
- "extra_embedded_0..NET exe" wrote to "C:\extra_embedded_0.mgr.exe" (Handle: 188): 32, 52 and 4 bytes (3 writes)
- "extra_embedded_0.mgr.exe" wrote to "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 140): 32 bytes
- Reading the pattern: Handle 596 is the handle under which the .NET executable created a second copy of itself (see "Creates new processes" below), and the three large writes into it (344576, 478208 and 110592 bytes) are section-sized, which is the shape of a PE image being written into a freshly created process. The run of sizes 496, 59392, 25600, 2560, 512, 1024, 20 occurs once against its own copy and once against firefox.exe, so the same module is most likely being placed in both.
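
The write list above is easier to reason about once it is grouped per source, target and handle and the sizes are read as a sequence. The following Python script is an added example; it is not part of the Hybrid Analysis report and not code from the sample. It parses the report's own write records, reproduced inline as constructed sample input, merges the "%PROGRAMFILES%" and "C:\Program Files" spellings of firefox.exe into one group, flags handles that receive several page-sized writes, and finds a write-size sequence repeated against two targets. The thresholds (4096 bytes, three large writes, four-element sequences) and the function names are this example's own choices, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed sample input: the report's "Writes data to a remote process" records, verbatim.
LOG = r'''
"extra_embedded_0..NET exe" wrote 1500 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 4 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 32 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 52 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 4096 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 344576 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 478208 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 110592 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 596)
"extra_embedded_0..NET exe" wrote 496 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 59392 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 25600 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 2560 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 512 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 1024 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 20 bytes to a remote process "C:\extra_embedded_0..NET exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 48 bytes to a remote process "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 12 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 217 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 496 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 59392 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 25600 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 2560 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 512 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 1024 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 20 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 772)
"extra_embedded_0..NET exe" wrote 45056 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 1216)
"extra_embedded_0..NET exe" wrote 563 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 1216)
"extra_embedded_0..NET exe" wrote 223 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 1216)
"extra_embedded_0..NET exe" wrote 132 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 1216)
"extra_embedded_0..NET exe" wrote 48 bytes to a remote process "C:\Windows\System32\rundll32.exe" (Handle: 1216)
"extra_embedded_0..NET exe" wrote 32 bytes to a remote process "C:\extra_embedded_0.mgr.exe" (Handle: 188)
"extra_embedded_0..NET exe" wrote 52 bytes to a remote process "C:\extra_embedded_0.mgr.exe" (Handle: 188)
"extra_embedded_0..NET exe" wrote 4 bytes to a remote process "C:\extra_embedded_0.mgr.exe" (Handle: 188)
"extra_embedded_0.mgr.exe" wrote 32 bytes to a remote process "C:\Program Files\Mozilla Firefox\firefox.exe" (Handle: 140)
'''

WRITE_RE = re.compile(
    r'^"(?P<src>[^"]+)" wrote (?P<size>\d+) bytes to a remote process '
    r'"(?P<dst>[^"]+)" \(Handle: (?P<handle>\d+)\)$'
)

PAGE = 4096  # a write of at least one page counts as "section-sized" in this triage


def summarize_writes(log_text):
    """Group remote writes by (source, target file name, handle).

    The target path is reduced to its file name so that the two spellings of the
    firefox.exe path in the report end up in one group.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue  # blank line or a record that is not a remote write
        target = m.group("dst").rsplit("\\", 1)[-1]
        key = (m.group("src"), target, int(m.group("handle")))
        groups[key].append(int(m.group("size")))
    return {k: {"sizes": v, "count": len(v), "total": sum(v)} for k, v in groups.items()}


def image_sized_targets(summary, min_large_writes=3):
    """Groups that received several page-or-larger writes: the shape of a PE image being placed."""
    return [k for k, v in summary.items()
            if sum(1 for s in v["sizes"] if s >= PAGE) >= min_large_writes]


def repeated_sequences(summary, min_len=4):
    """Pairs of groups where one group's size sequence occurs contiguously inside the other's."""
    pairs, keys = [], list(summary)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            sa, sb = summary[a]["sizes"], summary[b]["sizes"]
            short, long_ = (sa, sb) if len(sa) <= len(sb) else (sb, sa)
            if len(short) < min_len:
                continue  # too short to be meaningful as a repeated payload
            if any(long_[j:j + len(short)] == short for j in range(len(long_) - len(short) + 1)):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    s = summarize_writes(LOG)
    for (src, dst, h), v in s.items():
        print("%s -> %s (handle %d): %d writes, %d bytes" % (src, dst, h, v["count"], v["total"]))
    print("image-sized targets:", image_sized_targets(s))
    print("repeated size sequences:", repeated_sequences(s))
```

Run as is, the script reports six groups, flags only the self-copy under handle 596 as receiving an image-sized sequence, and pairs the handle-772 writes into the .NET copy with the handle-772 writes into firefox.exe as the same seven-element size run.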

Network Related

Malicious artifacts seen in the context of a contacted host (source: Network Traffic; relevance: 10/10)
- Found malicious artifacts related to "89.223.109.60":
  - URL: http://frpcpaabkn.com/ (AV positives: 6/67 scanned on 02/20/2018 19:45:26)
  - URL: http://fjicwyuyyppsei.com/ (AV positives: 6/67 scanned on 02/20/2018 19:45:11)
  - URL: http://yvrktjohnvdb.com/ (AV positives: 7/67 scanned on 02/16/2018 19:49:22)
  - URL: http://poopthree.com/ (AV positives: 8/67 scanned on 02/16/2018 03:31:05)
  - URL: http://cuojshtbohnt.info/statistics.html (AV positives: 3/67 scanned on 02/15/2018 20:22:18)
  - File SHA256: a6816d981a7b7d56446d6f49c21d931e9441c6c4f9b29ee9583c1c4b4527ce33 (AV positives: 62/68 scanned on 02/19/2018 07:43:10)
  - File SHA256: 1566aa475c9eace1a96b3ccb3dffb5dd37c006eba16bef0a20f7fb48bd6fdd0a (AV positives: 58/66 scanned on 02/19/2018 02:57:25)
  - File SHA256: 108abc775f5a167f893de3562fddc2adc09b8ed8b33975048c7a04cec83acc4d (AV positives: 61/68 scanned on 02/19/2018 02:21:33)
  - File SHA256: 2fb58ca0573b310227ac2961ad34b7a2ee1e1f962940866aa300859dfe5cf458 (AV positives: 61/67 scanned on 02/19/2018 02:17:47)
  - File SHA256: 44d9873e24de8ca7afb94f8760816c24ccd279274ae663c1548b3ecc62ff2717 (AV positives: 59/67 scanned on 02/19/2018 00:39:45)
  - File SHA256: bfcde406f09d8a53b8e379880109d54c3dde8aefcc71bab4aac59632ce7829f9 (Date: 02/02/2018 22:32:51)
  - File SHA256: b381736f6f4223b163a1cf6f08340be8a45d8670b559334b7dbb99b3cd68e86a (Date: 01/29/2018 05:18:14)
  - File SHA256: 37991c2f46a0e29ff173a88ed4d97c1817944e2155296f4d94efd552e7d64918 (Date: 01/29/2018 00:29:34)
  - File SHA256: 9d63a684f4131c1bc98293cf0ee69cb1670db68d9f73ed6608f5cd588eea7502 (Date: 12/16/2017 20:30:14)
  - File SHA256: c3b7b9bde7df3cf593d700bef69750814d916ee47842a66f1b36140fe5a0a4bb (Date: 10/15/2017 10:05:22)

Unusual Characteristics

Contains native function calls (source: Hybrid Analysis Technology; relevance: 5/10)
- NtQueryInformationProcess@NTDLL.DLL from extra_embedded_0.mgr.exe (PID: 2772)
- NtSetInformationProcess@NTDLL.DLL from rundll32.exe (PID: 3592)
- NtOpenProcessToken@NTDLL.DLL from rundll32.exe (PID: 3592) (2 occurrences)

Document analysis contacts a domain (source: Indicator Combinations; relevance: 3/10)
- Often seen on documents with macro droppers, embedded files or exploits

4 of the 13 malicious indicators are hidden in this public report (available only in the private webservice or standalone version).

Suspicious Indicators (14)

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping) (source: API Call; relevance: 10/10)
- "extra_embedded_0..NET exe" is protecting 0 bytes with PAGE_GUARD access rights in a remote process (Handle: 596)
- Note the size: a zero-length PAGE_GUARD protection on the same handle (596) that receives the large image-sized writes is weak evidence of an anti-dump trick on its own.

Looks up many procedures within the same disassembly stream (often used to hide usage) (source: Hybrid Analysis Technology; relevance: 10/10)
- Found 14 calls to GetProcAddress@KERNEL32.DLL from extra_embedded_0.mgr.exe (PID: 2772)

Cryptographic Related

Found a cryptographic related string (source: File/Memory; relevance: 10/10)
- "ECDSA" (Indicator: "ecdsa"; File: "cryptocme.dll.4115075659")
- "RC4" (Indicator: "rc4"; File: "cryptocme.dll.4115075659")
- cryptocme.dll and the ccme_*.dll files listed under "Dropped files" are the module names of the RSA BSAFE Crypto-C Micro Edition library, so these algorithm names describe that library's capabilities rather than code written for this sample.

Environment Awareness

Contains ability to measure performance (source: Hybrid Analysis Technology; relevance: 10/10)
- rdtsc (a timestamp-counter read, commonly used for timing-based debugger and sandbox checks as well as for benign profiling)

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine (source: External System; relevance: 10/10)
- 8/67 reputation engines marked "http://supnewdmn.com" as malicious (11% detection rate)

General

The analysis extracted a file that was identified as malicious (source: Binary File; relevance: 10/10)
- 67/73 Antivirus vendors marked dropped file "extra_embedded_0.mgr.exe" as malicious (classified as "Backdoor.Agent" with 91% detection rate)

Installation/Persistence

Contains ability to write to a remote process (source: Hybrid Analysis Technology; relevance: 8/10)
- WriteProcessMemory@KERNEL32.DLL from extra_embedded_0.mgr.exe (PID: 2772) (3 occurrences)

Creates new processes (source: API Call; relevance: 8/10)
- "extra_embedded_0..NET exe" is creating a new process (Name: "C:\extra_embedded_0..NET exe", Handle: 596)
- "extra_embedded_0..NET exe" is creating a new process (Name: "C:\extra_embedded_0.mgr.exe", Handle: 188)
- "extra_embedded_0.mgr.exe" is creating a new process (Name: "%PROGRAMFILES%\Mozilla Firefox\firefox.exe", Handle: 140)
- "extra_embedded_0.mgr.exe" is creating a new process (Name: "%PROGRAMFILES%\Mozilla Firefox\firefox.exe", Handle: 144)

Network Related

Found potential IP address in binary/memory (source: File/Memory; relevance: 3/10)
- "4.0.1.0" (a dotted quad that reads as a version number rather than a routable address; the sample loads the .NET 4.0 runtime, so treat this as noise)

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads (source: Hybrid Analysis Technology; relevance: 5/10)
- CreateToolhelp32Snapshot@KERNEL32.DLL from extra_embedded_0.mgr.exe (PID: 2772)

System Security

Hooks API calls (source: Hook Detection; relevance: 10/10)
- "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
- "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
- "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
- "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
- "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- "NtResumeThread@NTDLL.DLL" in "extra_embedded_0.mgr.exe"
- "NtWriteVirtualMemory@NTDLL.DLL" in "extra_embedded_0.mgr.exe"
- "NtQueryDirectoryFile@NTDLL.DLL" in "extra_embedded_0.mgr.exe"
- "LdrLoadDll@NTDLL.DLL" in "extra_embedded_0.mgr.exe"
- The two sets differ in kind. The WINWORD.EXE hooks sit on OLE/OLEAUT32 exports that Word itself uses and are written by WINWORD.EXE (see "Installs hooks/patches the running process" below); the report shows no stage of the sample running inside Word. The four hooks inside extra_embedded_0.mgr.exe are the ones that matter: NtResumeThread, NtWriteVirtualMemory and LdrLoadDll hooks inside a process that creates and writes to other processes are the usual way a user-mode hooking layer follows itself into child processes (it launched firefox.exe twice), and NtQueryDirectoryFile is the export hooked to filter directory listings.

Modifies proxy settings (source: Registry Access; relevance: 10/10)
- "extra_embedded_0..NET exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "extra_embedded_0..NET exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- Both operations delete the ProxyBypass value under the ZoneMap key; no proxy address is set. On its own this is a weak indicator.

Unusual Characteristics

Installs hooks/patches the running process (source: Hook Detection; relevance: 10/10)
- "WINWORD.EXE" wrote bytes "e9c5321def" to virtual address "0x773C6143" ("OleLoadFromStream@OLE32.DLL")
- "WINWORD.EXE" wrote bytes "e92399d1ef" to virtual address "0x76305DEE" ("VariantChangeType@OLEAUT32.DLL")
- "WINWORD.EXE" wrote bytes "030de0c6" to virtual address "0x6CFC42C4" (part of module "MSPROOF7.DLL")
- "WINWORD.EXE" wrote bytes "e96033cfef" to virtual address "0x76304731" ("SysAllocStringByteLen@OLEAUT32.DLL")
- "WINWORD.EXE" wrote bytes "e99e48a4ee" to virtual address "0x77573D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
- "WINWORD.EXE" wrote bytes "fffff645" to virtual address "0x6CFC7FA4" (part of module "MSPROOF7.DLL")
- "WINWORD.EXE" wrote bytes "c4ca567780bb5677aa6e57779fbb567708bb567746ce567761385777de2f5777d0d9567700000000177939764f9139767f6f3976f4f7397611f73976f2833976857e397600000000" to virtual address "0x6E811000" (part of module "MSIMG32.DLL")
- "WINWORD.EXE" wrote bytes "0e90d2eb" to virtual address "0x6D25CA70" (part of module "GFX.DLL")
- "WINWORD.EXE" wrote bytes "217af9eb" to virtual address "0x6ABA9904" (part of module "RICHED20.DLL")
- "WINWORD.EXE" wrote bytes "e99a54ceef" to virtual address "0x76303E59" ("SysFreeString@OLEAUT32.DLL")
- "WINWORD.EXE" wrote bytes "9ffcd2eb" to virtual address "0x672178E4" (part of module "OART.DLL")
- "WINWORD.EXE" wrote bytes "82b775ea" to virtual address "0x2F8A1B94" (part of module "WINWORD.EXE")
- "WINWORD.EXE" wrote bytes "697cd3eb" to virtual address "0x6B6EF530" (part of module "WWLIB.DLL")
- "WINWORD.EXE" wrote bytes "e93655cfef" to virtual address "0x76303EAE" ("VariantClear@OLEAUT32.DLL")
- "WINWORD.EXE" wrote bytes "9cfdffff" to virtual address "0x6CFCBE64" (part of module "MSPROOF7.DLL")
- "WINWORD.EXE" wrote bytes "87f5eceb" to virtual address "0x66210BA8" (part of module "MSO.DLL")
- "WINWORD.EXE" wrote bytes "00000000" to virtual address "0x6CFEBE64" (part of module "MSPROOF7.DLL")
- "WINWORD.EXE" wrote bytes "4de05051" to virtual address "0x6CFD63DC" (part of module "MSPROOF7.DLL")
- "WINWORD.EXE" wrote bytes "ba17e6eb" to virtual address "0x6CCE10AC" (part of module "MSPTLS.DLL")
- "extra_embedded_0..NET exe" wrote bytes "00000000" to virtual address "0x00838988" (part of module "EXTRA_EMBEDDED_0..NET EXE")
- Reading the bytes: the six 5-byte writes beginning with e9 are JMP rel32 instructions placed on the first bytes of exported functions, i.e. inline hooks, and the displacement in each resolves to the hook's destination. The 4-byte writes into MSPROOF7.DLL, GFX.DLL, RICHED20.DLL, OART.DLL, WWLIB.DLL, MSO.DLL, MSPTLS.DLL and WINWORD.EXE itself are single dword updates, and the 72-byte write at 0x6E811000 in MSIMG32.DLL is a run of 18 little-endian dwords in two null-terminated groups, which is what an import address table looks like while the loader fills it. Only the e9 writes are hooks in the strict sense, and all six are made by WINWORD.EXE, not by the extracted executables.
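
The byte patterns above can be decoded rather than just listed. The following Python script is an added example; it is not part of the Hybrid Analysis report and not code from the sample. It takes the writes above as constructed input, treats each 5-byte write beginning with e9 as a JMP rel32 and resolves where the hook lands (target = address of the write + 5 + the signed 32-bit displacement), decodes the remaining writes as little-endian dwords, and splits the 72-byte run into its null-terminated pointer groups. The function names are this example's own. Run as is, it reports all six hook targets between 0x65FB85A4 and 0x6659940D, under 6 MiB apart, which is near the address the report attributes to MSO.DLL (0x66210BA8) and therefore points at a single hooking module inside Word's own address space; the MSIMG32.DLL write decodes as nine pointers in the 0x7756xxxx-0x7757xxxx range (where the report places SetUnhandledExceptionFilter@KERNEL32.DLL), a zero, seven pointers in 0x7639xxxx and a zero.

```python
import struct

# Constructed from the report's "Installs hooks/patches the running process" list:
# (writing process, hex bytes written, virtual address written, what the report places there).
PATCHES = [
    ("WINWORD.EXE", "e9c5321def", 0x773C6143, "OleLoadFromStream@OLE32.DLL"),
    ("WINWORD.EXE", "e92399d1ef", 0x76305DEE, "VariantChangeType@OLEAUT32.DLL"),
    ("WINWORD.EXE", "030de0c6", 0x6CFC42C4, "MSPROOF7.DLL"),
    ("WINWORD.EXE", "e96033cfef", 0x76304731, "SysAllocStringByteLen@OLEAUT32.DLL"),
    ("WINWORD.EXE", "e99e48a4ee", 0x77573D01, "SetUnhandledExceptionFilter@KERNEL32.DLL"),
    ("WINWORD.EXE", "e99a54ceef", 0x76303E59, "SysFreeString@OLEAUT32.DLL"),
    ("WINWORD.EXE", "e93655cfef", 0x76303EAE, "VariantClear@OLEAUT32.DLL"),
    ("WINWORD.EXE",
     "c4ca567780bb5677aa6e57779fbb567708bb567746ce567761385777de2f5777d0d95677"
     "00000000177939764f9139767f6f3976f4f7397611f73976f2833976857e397600000000",
     0x6E811000, "MSIMG32.DLL"),
    ("extra_embedded_0..NET exe", "00000000", 0x00838988, "EXTRA_EMBEDDED_0..NET EXE"),
]


def classify_patch(hexbytes, address):
    """Classify one memory write.

    Returns ("jmp_hook", target) when the bytes are a 5-byte E9 rel32 JMP (the usual
    inline-hook trampoline), ("dwords", [values]) when the write is a run of 32-bit
    little-endian values, and ("data", raw) for anything else.
    """
    raw = bytes.fromhex(hexbytes)
    if len(raw) == 5 and raw[0] == 0xE9:
        rel = struct.unpack("<i", raw[1:5])[0]  # signed displacement
        target = (address + 5 + rel) & 0xFFFFFFFF  # relative to the next instruction
        return "jmp_hook", target
    if len(raw) % 4 == 0:
        return "dwords", list(struct.unpack("<%dI" % (len(raw) // 4), raw))
    return "data", raw


def resolve_hooks(patches):
    """Map each hooked export name to the address its JMP lands on."""
    out = {}
    for _writer, hexbytes, address, where in patches:
        kind, value = classify_patch(hexbytes, address)
        if kind == "jmp_hook":
            out[where] = value
    return out


def target_span(hooks):
    """Lowest and highest hook target; a tight span suggests one hooking module."""
    values = sorted(hooks.values())
    return values[0], values[-1]


def pointer_groups(dwords):
    """Split a null-terminated dword run into groups, the way an IAT is laid out."""
    groups, current = [], []
    for v in dwords:
        if v == 0:
            if current:
                groups.append(current)
            current = []
        else:
            current.append(v)
    if current:
        groups.append(current)
    return groups


if __name__ == "__main__":
    hooks = resolve_hooks(PATCHES)
    for name, target in hooks.items():
        print("%-45s -> 0x%08X" % (name, target))
    lo, hi = target_span(hooks)
    print("all hook targets lie in [0x%08X, 0x%08X], %d KiB apart" % (lo, hi, (hi - lo) // 1024))
    kind, values = classify_patch(PATCHES[7][1], PATCHES[7][2])
    for group in pointer_groups(values):
        print("pointer group: " + ", ".join("0x%08X" % v for v in group))
```

The same decoder applies to any sandbox hook listing that gives the raw bytes and the address: an e9 at a function's first byte is an inline hook, and where the displacement lands tells you which module installed it.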

1 of the 14 suspicious indicators is hidden in this public report (available only in the private webservice or standalone version).

Informative Indicators (21)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick) (source: Hybrid Analysis Technology; relevance: 1/10)
- SetUnhandledExceptionFilter@KERNEL32.DLL from rundll32.exe (PID: 3592)
- SetUnhandledExceptionFilter@KERNEL32.dll in 10 further disassembly streams

Environment Awareness

Contains ability to query machine time (source: Hybrid Analysis Technology; relevance: 1/10)
- GetSystemTimeAsFileTime@KERNEL32.DLL from rundll32.exe (PID: 3592)
- GetSystemTimeAsFileTime@KERNEL32.dll in 6 further disassembly streams
- GetSystemTimes@KERNEL32.dll in 2 disassembly streams

Contains ability to query the machine timezone (source: Hybrid Analysis Technology; relevance: 1/10)
- GetTimeZoneInformation@KERNEL32.dll in 4 disassembly streams

Contains ability to query the machine version (source: Hybrid Analysis Technology; relevance: 1/10)
- GetVersionExA@KERNEL32.dll in 6 disassembly streams

Possibly tries to detect the presence of a debugger (source: Hybrid Analysis Technology; relevance: 1/10)
- GetProcessHeap@KERNEL32.dll in 4 disassembly streams

General

Contacts domains (source: Network Traffic; relevance: 1/10)
- "supnewdmn.com"

Contacts server (source: Network Traffic; relevance: 1/10)
- "89.223.109.60:447"

Contains PDB pathways (source: File/Memory; relevance: 1/10)
- "rundll32.pdb" (the symbol file name of the Windows rundll32.exe that received injected code, not a build artefact of the sample)

Creates a writable file in a temporary directory (source: API Call; relevance: 1/10)
- "extra_embedded_0..NET exe" created 20 files under "%TEMP%" (C:\Users\%USERNAME%\AppData\Local\Temp): tmpE26C.tmp, tmpE32B.tmp, tmpE3C3.tmp, tmpE43C.tmp, tmpE48D.tmp, tmpE510.tmp, tmpE792.tmp, tmpE7CF.tmp, tmpE83E.tmp, tmpE8A3.tmp, tmpEA99.tmp, tmpEE29.tmp, tmpEE7A.tmp, tmpEF62.tmp, tmpF07B.tmp, tmpF163.tmp, tmpF326.tmp, tmpF3DB.tmp, tmpF3FA.tmp, tmpF424.tmp

Creates mutants (source: Created Mutant; relevance: 3/10)
- "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-58363"
- "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-58363"
- "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- The report lists each of these a second time in its short form (e.g. "Local\ZonesCounterMutex", "Global\552FFA80-3393-423d-8671-7BA046BB5906"). The Zones*CounterMutex and MTX_MSO_* names are standard urlmon and Office mutexes rather than names specific to this sample; the GUID-named Global mutex is not attributable from this report alone.

Launches a browser (source: Monitored Target; relevance: 3/10)
- Launches browser "firefox.exe" (2 instances)

Loads rich edit control libraries (source: Loaded Module)
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6AB60000

Loads the .NET runtime environment (source: Loaded Module)
- "extra_embedded_0..NET exe" loaded module "%WINDIR%\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll" at 6D6D0000
- "extra_embedded_0..NET exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll" at 6BB70000

Process launched with changed environment (source: Monitored Target; relevance: 10/10)
- Process "extra_embedded_0..NET exe" was launched with missing environment variables: "MEOW"

Scanning for window names (source: API Call; relevance: 10/10)
- "WINWORD.EXE" searching for classes "MSOBALLOON", "MsoHelp10", "AgentAnim", "NetUICtrlNotifySink", "REListbox20W", "OfficeTooltip", "MsoCommandBarPopup" and "mspim_wnd32" (window classes of Office and its UI components; the lookups come from WINWORD.EXE, not from the extracted executables)

Spawns new processes (source: Monitored Target; relevance: 3/10)
- Spawned process "extra_embedded_0..NET exe"
- Spawned process "extra_embedded_0.mgr.exe"
- Spawned process "firefox.exe" (2 instances)

Installation/Persistence

Dropped files (source: Binary File; relevance: 3/10)
- "ccme_asym.dll", "ccme_base.dll", "ccme_ecc.dll", "ccme_ecdrbg.dll", "cryptocme.dll" and "ccme_base_non_fips.dll" have type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "432b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Feb 20 19:38:25 2018 mtime=Tue Feb 20 19:38:25 2018 atime=Tue Feb 20 19:38:32 2018 length=1212267 window=hide" (the recent-documents shortcut Word creates for the opened file; length 1212267 matches the sample size)
- "data.bin" has type "ASCII text"
- "~$2b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5.doc" has type "data" (Word's owner lock file for the open document)
- "tmpE32B.tmp", "tmpBC9.tmp", "tmpA69.tmp", "tmpF07B.tmp", "tmpF3DB.tmp", "tmpF326.tmp", "tmpEE29.tmp" and "tmpE3C3.tmp" have type "XML 1.0 document UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
- "Liesmich.htm" has type "HTML document UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators" ("Liesmich" is German for "Readme")
- "index.dat" and "dmlconf.dat" have type "data"

Drops executable files (source: Binary File; relevance: 10/10)
- "extra_embedded_0..NET exe.bin" has type "PE32 executable (GUI) Intel 80386 Mono/.Net assembly for MS Windows"
- "extra_embedded_0.mgr.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
- "ccme_asym.dll", "ccme_base.dll", "ccme_ecc.dll", "ccme_ecdrbg.dll", "cryptocme.dll" and "ccme_base_non_fips.dll" have type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"

Opens the MountPointManager (often used to detect additional infection locations) (source: API Call; relevance: 5/10)
- "WINWORD.EXE" opened "\Device\MountPointManager"

Touches files in the Windows directory (source: API Call; relevance: 7/10)
- "WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
- "WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
- "WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
- "WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
- "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
- "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
- "WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
- "WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
- "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
- "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2FD92A8D-1C92-4B24-9730-8078E5CA3046}.tmp"
- "WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "j.Zi/JHJbzDVwuH"
Heuristic match: "KFZCG/jhjpzj)D{V&Tux@QQ0AG4f6L.pS"
Heuristic match: "supnewdmn.com"
Heuristic match: ".QK(r^vKGL.|Nkzc!/at5Y~b7~H>7AjTow|GvH[;|BVr;-hX4!/tn,-:Y<8'a)jHrCD?o^6gf>s!jcQFdImMuK,8]C=<U#qH^&Pfs.gW"
Pattern match: "U1bTm.se/@m"
Heuristic match: "gB^Bv/:C3Q.#?d}X]V6_sQGo3.BT"
Pattern match: "m.GaK/+1C,qe%FM!]2,i&$*=}BQfyY-8;f13%].;*|%"
Heuristic match: "4n@P:k1&rJH(Qh[`Q5sICIIB]xcw{y2,;|./j1Ut@HE*SRyp6Vi+asby3'c:-S/BYM]{m(BL/<nz-XGBOkjEv{_B+FJ/^?k1s2T 3A.bj"
Pattern match: "WGlCK.pD/^?V-=rN"
Pattern match: "FaD.ym/0vd-IvS^wEsHh+;4H3rpv9{:F|_2io3-9Q"
Pattern match: "3Bd.PNBW/J`#X/Ce90kS"
Pattern match: "g.Elg/e[$#fGiB=OQ:{}C6g04"
Heuristic match: "=qf)2;h*dcI+1zCsl QN~d#QfmY0J&IWno\* YY0Zh=L5vf7hB88Z~zWtqi.*2JG3V!+2:X,%aRAiM[%|0O%U}qd'y.H.gS"
Heuristic match: "h2PY%t.`j]|.b?0.VE"
Heuristic match: "5Qp)#)H1q~|fkYJ9H`FVi~Z46ILmDogY~FJna`Q[`<{?M^K;$3kTIA^8K,D+zd1[}|GU^O+@=lmpB[E7.uA"
Pattern match: "BFi4.ia/\TH"
Pattern match: "c.Cm/#j~l*9C"
Pattern match: "qF1.xf/bOZZ@0}\uHPps"
Pattern match: "dw.ya/O4czN1m5t/"
Pattern match: "K.lS/QT9Zf\mQ&"
Pattern match: "nG.uH/&ZTl*]]:U,{h+7Z70t=H2;CLhu+G^}-gBC,4xi:s*f7(P?DNA6Oq=$,2o~_::7$C/CTI)S!zPoQpUKlQ,Brd\EcJ@~"
Pattern match: "XvW.Sk/i~X^z6^aoApI9P!v^F8/rQM"
Pattern match: "ONO8ZRDW4.Na/CxY&5U{son9&5q+WNi?;B6We2.Fk0V@1pDxq_o\ib+Vk\?mN@L"
Heuristic match: ".t%oi?Wf,n&(;,v2u~1/%wVI}~XX75Z.Rw!^4!;4SSy/YW$|;X@,.Me"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "http://sv.symcb.com/sv.crl0aU"
Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0UvLdNd!B2T"
Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0U%0"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0U#0_n\t}?L.0"
Pattern match: "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Pattern match: "http://www.w3.org/1999/xhtml"
Pattern match: "www.Softinterface.com"
Pattern match: "http://www.adobe.com/go/thirdparty"
Pattern match: "http://www.adobe.com/go/acrobat_distribute"
Pattern match: "http://www.adobe.com/go/licensing"
Pattern match: "http://www.adobe.com/go/runtime_mobile_EULA"
Pattern match: "http://www.adobe.com/go/mpegla"
Pattern match: "http://www.adobe.com/go/rikla_program"
Pattern match: "http://www.adobe.com/go/readerextensions"
Pattern match: "http://www.adobe.com/go/privacy"
Pattern match: "http://www.adobe.com/go/settingsmanager"
Pattern match: "http://www.adobe.com/go/update_details_url"
Pattern match: "http://www.adobe.com/go/air_update_details"
Pattern match: "http://www.adobe.com/go/flashplayer_security"
Pattern match: "http://www.adobe.com/go/RTMFP"
Pattern match: "http://www.adobe.com/go/protected_content"
Pattern match: "http://www.adobe.com/go/terms"
Pattern match: "http://www.adobe.com/go/partners_cds"
Pattern match: "http://www.adobe.com/go/aatl"
Pattern match: "http://www.adobe.com/"
Pattern match: "http://www.w3.org/TR/REC-html40"
Pattern match: "http://www.adobe.com/go/acrobat_de"
Pattern match: "http://support.microsoft.com/kb/930627"
Pattern match: "http://www.adobe.com/go/terms_de"
Pattern match: "http://www.adobe.com/go/reader_system_reqs_de"
Pattern match: "http://www.adobe.com/go/thirdparty_de/"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://www.adobe.com/go/thirdparty_de"
Pattern match: "http://www.adobe.com/go/acrobat_distribute_de"
Pattern match: "http://www.adobe.com/go/licensing_de"
Pattern match: "http://www.adobe.com/go/runtime_mobile_EULA_de"
Pattern match: "http://www.adobe.com/go/rikla_program_de"
Pattern match: "http://www.adobe.com/go/readerextensions_de"
Pattern match: "http://www.adobe.com/go/privacy_de"
Pattern match: "http://www.adobe.com/go/settingsmanager_de"
Pattern match: "http://www.adobe.com/go/update_details_url_de"
Pattern match: "http://www.adobe.com/go/air_update_details_de"
Pattern match: "http://www.adobe.com/go/flashplayer_security_de"
Pattern match: "https://settings.adobe.com/flashplayer/mobile"
Pattern match: "http://www.adobe.com/go/RTMFP_de"
Pattern match: "http://www.adobe.com/go/protected_content_de"
Heuristic match: "Benutzers hergestellt wird. Des Weiteren gelten die Adobe.com"
Pattern match: "http://www.adobe.com/go/partners_cds_de"
Pattern match: "http://www.adobe.com/go/aatl_de"
Pattern match: "http://www.adobe.com/de"
- source
- File/Memory
- relevance
- 10/10
File Details
order.doc
- Filename
- order.doc
- Size
- 1.2MiB (1212267 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 432b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5
- MD5
- 02f589270f71b74f46eb40217d1d9a54
- SHA1
- 9678a472eaab6cb8d34e471352318cd585014bf6
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
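The TrID result above says the same thing as the "Microsoft Word 2007+" description: order.doc is an OOXML package (a ZIP container), and the report's indicators say it spawned a process without carrying a macro. The sandbox pulled the payload out as "extra_embedded_0..NET exe", which is how Hybrid Analysis names objects it extracts from a document. The scanner below is an added triage example, not code from the report or from Hybrid Analysis: it opens a .docx as a ZIP, checks whether a vbaProject.bin is present, lists members under word/embeddings/ and reports which of them contain a PE image. The sample document it builds is constructed in memory; the assumption that the payload lives under word/embeddings/ is the usual OOXML layout for embedded OLE packages, not something the report states.

```python
import io
import zipfile

# Constructed stand-in for an embedded OLE package: a compound-file magic
# prefix, then a minimal PE-looking blob (MZ stub, e_lfanew = 0x40, 'PE\0\0').
# This is not the real sample; it only exercises the scanner.
FAKE_PE = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
FAKE_OLE_PACKAGE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + FAKE_PE


def build_sample_docx(with_macro=False, with_embedding=True):
    """Build an in-memory .docx for testing. Real .docx files are ZIP
    packages with word/document.xml; macros live in word/vbaProject.bin and
    embedded objects are stored under word/embeddings/ (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
        if with_embedding:
            zf.writestr("word/embeddings/oleObject1.bin", FAKE_OLE_PACKAGE)
    return buf.getvalue()


def looks_like_pe(blob):
    """True if blob contains an MZ header whose e_lfanew points at 'PE\\0\\0'.
    Every 'MZ' occurrence is tried because an OLE package wraps the payload
    in a compound file, so the executable does not start at offset 0."""
    start = 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(blob):
            return False
        e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
        j = i + e_lfanew
        if 0 < e_lfanew < len(blob) - i and blob[j:j + 4] == b"PE\x00\x00":
            return True
        start = i + 1


def scan_docx(data):
    """Triage an OOXML document: is it a ZIP, is it a Word package, does it
    carry VBA, which embedded objects exist and which contain a PE image."""
    result = {"is_zip": False, "is_docx": False, "has_macro": False,
              "embeddings": [], "pe_embeddings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        result["is_zip"] = True
        result["is_docx"] = "word/document.xml" in names
        result["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for n in names:
            if n.startswith("word/embeddings/"):
                result["embeddings"].append(n)
                if looks_like_pe(zf.read(n)):
                    result["pe_embeddings"].append(n)
    return result


if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
```

A document with no macro but a PE inside word/embeddings/ is exactly the combination the "Possible document exploit detected" indicator describes; a real triage pipeline would hand each flagged member to a PE parser or to the sandbox rather than stopping at the header check.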
Hybrid Analysis
Analysed 7 processes in total.
- WINWORD.EXE /n "C:\432b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5.doc" (PID: 3956)
- extra_embedded_0..NET exe (PID: 2108)
- extra_embedded_0..NET exe (PID: 2720)
- extra_embedded_0.mgr.exe (PID: 2772) - 67/73 AV detections
- firefox.exe (PID: 3060)
- firefox.exe (PID: 3096)
- rundll32.exe %WINDIR%\system32\shell32.dll,OpenAs_RunDLL C:\extra_embedded_0..NET exe (PID: 3592)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
supnewdmn.com | - | Regional Network Information Center, JSC dba RU-CENTER | -
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
89.223.109.60 | 447/TCP | firefox.exe (PID: 3060) | Russian Federation
HTTP Traffic
No relevant HTTP requests were made.
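The process list and the contacted-hosts table carry the behaviour a detection engineer would want to alert on: an Office process with an unexpected child (rundll32.exe under WINWORD.EXE), executables running straight out of the drive root (C:\extra_embedded_0.mgr.exe), and a browser process (firefox.exe, PID 3060) talking TCP to 89.223.109.60 on port 447 rather than a web port. The script below is an added example, not part of the report: it runs three such rules over constructed process-creation and network events. The PIDs, image names and the 447/TCP connection are taken from the report; the full image paths, the parent-child links and the second, benign firefox connection are assumptions made up for the example.

```python
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
WEB_PORTS = {80, 443, 8080, 8443}

# Constructed telemetry modelled on the report. Parent links (ppid) and full
# image paths are assumptions; the report only gives process names, PIDs and
# the firefox.exe -> 89.223.109.60:447/TCP connection.
EVENTS = [
    {"type": "process", "pid": 3956, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"type": "process", "pid": 3592, "ppid": 3956,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe %WINDIR%\system32\shell32.dll,OpenAs_RunDLL C:\extra_embedded_0..NET exe"},
    {"type": "process", "pid": 2720, "ppid": 1000,
     "image": r"C:\extra_embedded_0..NET exe"},
    {"type": "process", "pid": 2772, "ppid": 2720,
     "image": r"C:\extra_embedded_0.mgr.exe"},
    {"type": "process", "pid": 3060, "ppid": 2772,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "process", "pid": 3096, "ppid": 1000,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network", "pid": 3060, "proto": "tcp",
     "dst_ip": "89.223.109.60", "dst_port": 447},
    # Benign control: a browser on 443 must not trigger the port rule.
    {"type": "network", "pid": 3096, "proto": "tcp",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def in_drive_root(path):
    """True for images that sit directly under a drive root, e.g. C:\\x.exe."""
    return re.fullmatch(r"[A-Za-z]:\\?", ntpath.dirname(path)) is not None


def detect(events):
    """Apply three rules and return (rule_name, pid) hits in event order:
    office_child_process  - parent image is an Office application
    binary_in_drive_root  - image runs from the root of a drive
    browser_nonweb_port   - a browser process connects to a non-web port"""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in OFFICE_APPS:
                hits.append(("office_child_process", e["pid"]))
            if in_drive_root(e["image"]):
                hits.append(("binary_in_drive_root", e["pid"]))
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) in BROWSERS and e["dst_port"] not in WEB_PORTS:
                hits.append(("browser_nonweb_port", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The browser rule is the one that matters most here: the report credits the connection to firefox.exe, not to the backdoor, which is consistent with the "Writes data to a remote process" indicator, so a detection keyed only on the malicious image name would miss the network activity.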
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 24 file(s) are available in the full version and XML/JSON reports.
Malicious (1)
-
extra_embedded_0.mgr.exe
- Size
- 106KiB (108032 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- AV Scan Result
- Labeled as "Backdoor.Agent" (67/73)
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- 00260063013db3be7280fe6c8bebcdee
- SHA1
- 5a8726718029414951def556bdb685d8295a72aa
- SHA256
- 8fddaaf95eddde603fe991804addbe202f908c291d02f63108bf111ff73b2914
Informative (22)
-
432b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5.LNK
- Size
- 733B (733 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Feb 20 19:38:25 2018, mtime=Tue Feb 20 19:38:25 2018, atime=Tue Feb 20 19:38:32 2018, length=1212267, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- 1a3c78585dfdc17a3d9ec89fb269d0fa
- SHA1
- 6abeea74c319845df88cc21253546251b6d5d168
- SHA256
- eda685176eb7801aec953e694f1a056a0ce0bc7113a920043a8f107e54435425
-
index.dat
- Size
- 257B (257 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- b11473b53a750f6685d2fa637538b92d
- SHA1
- fecfc527dab9e7ee8f1b4e718b7e8efaa575f071
- SHA256
- 9b68bd7c241bbe66acc3a400eab598f04185fb87f96e37a5c78de3dfc663a702
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- b2ac60eb2c757458912c6f1be3aeb41a
- SHA1
- db33f24192fd54bcf007c356b13990300c3fa7bd
- SHA256
- 9e5abe3444bef6cbb0e7b620606226feb3007a1d97d969eea497bcac8eb89a77
-
data.bin
- Size
- 38B (38 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- d57077f1de70270ba4f911bde90b6577
- SHA1
- 0fed6a6348b6bf13dcc86f8b84c2dd01a6f76891
- SHA256
- eff360897f24fc8003b3685ec8cfe7116e82dc9b93789809b5da8204462a7eb6
-
37543AEE.emf
- Size
- 5.4KiB (5504 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- 4a94af94601a73511b37de3f70612fe5
- SHA1
- c2de53461465ff33a40f9aa7ed763bdbf524fddc
- SHA256
- ee0d9998aaf935496b28906629eef577b7c734c5c1ebe1671321648e4530e49b
-
~WRS{2FD92A8D-1C92-4B24-9730-8078E5CA3046}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{E45B406C-FFD9-41AA-B776-13E763CDAD57}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- 1af919bf8a88cb33f36a9f6a5111a5e1
- SHA1
- 2066a9ba6c53de5ce12de1bc5f19dc9b88451ff0
- SHA256
- b65d3cd7d6323b899ef51b30d3909e3afebb454fcc453bd2d23c32aea91843bb
-
Liesmich.htm
- Size
- 228KiB (233279 bytes)
- Type
- html
- Description
- HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- 169049259762ccb0670c3dc2571a3ccb
- SHA1
- 7e1bd9eb9cd347dc284e18b19615874e1f3bbcd8
- SHA256
- 7ee9d46d245d159518fe88fc4233bdf56969f2a3307d5a4738c739ad683390e2
-
license.html
- Size
- 254KiB (260454 bytes)
- Type
- script javascript
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- ed42f8e098bfddedfe1933d03586bd19
- SHA1
- e9447d5fff0adc4f5ff1185e63ac91d946d0c2a9
- SHA256
- d3af71c3d21bd2014cdbd6f38a44a0bc14910f415355ad20b196792d0424e925
-
ccme_asym.dll
- Size
- 330KiB (338400 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- 659a9ff342e850c94230ef04eded8380
- SHA1
- 44953812a9594686b076fe86fe8bdbacef1cf49a
- SHA256
- daf248baf67484bb343abb674469e6b9207c98067e3f0571ea83fa7a93b3a4c8
-
ccme_base.dll
- Size
- 479KiB (490944 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- 9bcdc8948272f360fca26c5fceff28a7
- SHA1
- 7b12336da61bc6ad4ed4b12d1d6f8452b7a29f2f
- SHA256
- a56a73f746481f8fa47295520fa7f66856a703173d4bcd3216322d1623b9ebce
-
ccme_base_non_fips.dll
- Size
- 312KiB (319447 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- c187673b9cdf82b3949471022299d040
- SHA1
- 2b0bcf7620158fe6a3f57b7acc4fa2247b2528be
- SHA256
- 2ac39d280ac210e429045c14c7369aade3d7d3d3b387be8c2f8a79c8628af823
-
ccme_ecc.dll
- Size
- 660KiB (675731 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- 4ba827ccf9179061b44a75593a64ac31
- SHA1
- e8d9a5cddb6d98a424b54341a7f0b12c5c47dfa1
- SHA256
- 501b5e2b236ae0898eae00f121fc2f05253d7907997bf27d6416299a4a7abf6f
-
ccme_ecdrbg.dll
- Size
- 569KiB (582651 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- be9a21bae00196ec09200d0bc6fe92b2
- SHA1
- 106569e63b8298b26a1298a6753f6058af4fa5f6
- SHA256
- 3ef717ea8e2032db4227619d2334bf990311d19ab8c133ac0126233c813f1084
-
cryptocme.dll
- Size
- 393KiB (402296 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- c4eb8d38393699442c5314a3f8c0fe4b
- SHA1
- aea4377c798f9fad66b1b9da048ee2d11680564b
- SHA256
- dbad18664c6668d42b025e306ebab9dc3830549e2d43fe17fe1a7fea9c41d3fc
-
dmlconf.dat
- Size
- 16B (16 bytes)
- Type
- data
- Runtime Process
- firefox.exe (PID: 3060)
- MD5
- 840a50c2a75e41345b261264fb5001e0
- SHA1
- b29224e20f3c8a2da642eae48aa256c75a741833
- SHA256
- 637571bb0f6dd473ec433c204f40550bb16b82a5f3dd1b45640188b13b6ea74c
-
tmp11E4.tmp
- Size
- 548B (548 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- extra_embedded_0..NET exe (PID: 2108)
- MD5
- 245b863be176aab16ef1dbe168defe03
- SHA1
- c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b
- SHA256
- 59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa
-
tmp19EA.tmp
- Size
- 548B (548 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- extra_embedded_0..NET exe (PID: 2108)
- MD5
- 245b863be176aab16ef1dbe168defe03
- SHA1
- c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b
- SHA256
- 59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa
-
tmpA0E.tmp
- Size
- 548B (548 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- extra_embedded_0..NET exe (PID: 2108)
- MD5
- 245b863be176aab16ef1dbe168defe03
- SHA1
- c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b
- SHA256
- 59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa
-
tmpA69.tmp
- Size
- 548B (548 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- extra_embedded_0..NET exe (PID: 2108)
- MD5
- 245b863be176aab16ef1dbe168defe03
- SHA1
- c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b
- SHA256
- 59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa
-
~$2b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3956)
- MD5
- b2ac60eb2c757458912c6f1be3aeb41a
- SHA1
- db33f24192fd54bcf007c356b13990300c3fa7bd
- SHA256
- 9e5abe3444bef6cbb0e7b620606226feb3007a1d97d969eea497bcac8eb89a77
-
extra_embedded_0..NET exe.bin
- Size
- 1.2MiB (1224809 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- MD5
- 30adac8362d56c25f0d9e44c913240de
- SHA1
- 0ad648695a04bfe1489605e3f24a0e581bfd6092
- SHA256
- 770b301d3a1da8069662fda523562a3c8e1f804c309e6410842c3abe64df59d5
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "ccme_asym.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/daf248baf67484bb343abb674469e6b9207c98067e3f0571ea83fa7a93b3a4c8/analysis/1519159500/")
- Extracted file "ccme_base.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a56a73f746481f8fa47295520fa7f66856a703173d4bcd3216322d1623b9ebce/analysis/1519159502/")
- Extracted file "ccme_base_non_fips.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/2ac39d280ac210e429045c14c7369aade3d7d3d3b387be8c2f8a79c8628af823/analysis/1519159511/")
- Extracted file "ccme_ecc.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/501b5e2b236ae0898eae00f121fc2f05253d7907997bf27d6416299a4a7abf6f/analysis/1519159505/")
- Extracted file "ccme_ecdrbg.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/3ef717ea8e2032db4227619d2334bf990311d19ab8c133ac0126233c813f1084/analysis/1519159508/")
- Extracted file "cryptocme.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/dbad18664c6668d42b025e306ebab9dc3830549e2d43fe17fe1a7fea9c41d3fc/analysis/1519159509/")
- Extracted file "extra_embedded_0..NET exe.bin" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/770b301d3a1da8069662fda523562a3c8e1f804c309e6410842c3abe64df59d5/analysis/1519159498/")
- Extracted file "~$2b8f608c940c62c7834f56efdf2258599169a1e10c3e126f72d1c7758877a5.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/9e5abe3444bef6cbb0e7b620606226feb3007a1d97d969eea497bcac8eb89a77/analysis/1519159511/")
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for firefox.exe (PID: 3060)
- Not all file accesses are visible for firefox.exe (PID: 3096)
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-21" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)