Newsletter #8 15 June 2017.docx
This report is generated from a file or URL submitted to this webservice on June 15th 2017 11:18:40 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v6.70 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior: Contacts 5 domains and 5 hosts.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (3)

General

GETs files from a webserver
- details
"GET /images/dimensions/dimensions0801/dimensions080100067/2461475-Illustration-of-a-complete-lunch-with-a-hot-dog-chips-and-a-drink-Part-of-the-complete-meal-series--Stock-Illustration.jpg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
Accept-Encoding: gzip, deflate
Host: previews.123rf.com
Connection: Keep-Alive"
"GET /oak/files/2015/08/back-to-school.jpg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
Accept-Encoding: gzip, deflate
Host: schools.stlucie.k12.fl.us
Connection: Keep-Alive"
"GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com"
"GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOaz0hsYvkOZEO0tkw2VBot8A%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.int-x3.letsencrypt.org"
- source: Network Traffic
- relevance: 10/10

Network Related

Found more than one unique User-Agent
- details
Found the following User-Agents: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
Microsoft Office Protocol Discovery
Microsoft-CryptoAPI/6.1
- source: Network Traffic
- relevance: 5/10

Unusual Characteristics

Possible document exploit detected
- details
- Document is downloading files although no macro is present
- source: Indicator Combinations
- relevance: 10/10

Suspicious Indicators (2)

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/65 reputation engines marked "http://isrg.trustid.ocsp.identrust.com" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

Network Related

Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
- source: Network Traffic
- relevance: 10/10

Informative (24)

Anti-Detection/Stealthiness

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10

Environment Awareness

Reads the active computer name
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

Reads the registry for installed applications
- details
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
- source: Registry Access
- relevance: 10/10

General

Accesses Software Policy Settings
- details
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10

Accesses System Certificates Settings
- details
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source: Registry Access
- relevance: 10/10

Contacts domains
- details
"previews.123rf.com"
"schools.stlucie.k12.fl.us"
"isrg.trustid.ocsp.identrust.com"
"ocsp.int-x3.letsencrypt.org"
"www.wpclipart.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details
"23.37.54.194:80"
"23.37.54.194:443"
"40.139.186.82:80"
"104.36.143.45:443"
"192.35.177.195:80"
- source: Network Traffic
- relevance: 1/10

Creates a writable file in a temporary directory
- details
"WINWORD.EXE" created file "%TEMP%\msoFBC2.tmp"
"WINWORD.EXE" created file "%TEMP%\Cab406A.tmp"
"WINWORD.EXE" created file "%TEMP%\Tar406B.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59580"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59580"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Local\c:!users!nxzrx1y!appdata!roaming!microsoft!windows!ietldcache!"
"\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-B68A55A8"
"\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-7941085A"
"\Sessions\1\BaseNamedObjects\Local\CSI_OMTX:{A39DADFC-F576-4EAC-9BBF-7657C9B0444B}"
"\Sessions\1\BaseNamedObjects\Local\CSI_WDW:{C25B7B62-CC25-446A-8757-EE43324BE39C}"
"\Sessions\1\BaseNamedObjects\Local\CSI_WDW:{D3674704-012F-4ACA-992A-B481F6CB9F4E}"
"\Sessions\1\BaseNamedObjects\Local\CSI_WDW:{A39DADFC-F576-4EAC-9BBF-7657C9B0444B}"
"\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-8F61F810"
"\Sessions\1\BaseNamedObjects\Global\MsoCsi:GC:C:/Users/NxZRx1y/AppData/Local/Microsoft/Office/14.0/OfficeFileCache/FSF-CTBL.FSF"
"\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-2FE1ADF8"
"\Sessions\1\BaseNamedObjects\{BDD98A3C-B57F-4199-B92A-95A54AA1132E}-36881435"
- source: Created Mutant
- relevance: 3/10

Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 61690000
- source: Loaded Module

Opened the service control manager
- details
"WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"WINWORD.EXE" called "OpenSCManager" requesting access rights "0XE0000000L"
- source: API Call
- relevance: 10/10

Reads Windows Trust Settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10

Requested access to a system service
- details
"WINWORD.EXE" called "OpenService" to access the "WinHttpAutoProxySvc" service
"WINWORD.EXE" called "OpenService" to access the "CryptSvc" service
"WINWORD.EXE" called "OpenService" to access the "cryptsvc" service
"WINWORD.EXE" called "OpenService" to access the "" service
"WINWORD.EXE" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"WINWORD.EXE" called "OpenService" to access the "RASMAN" service
"WINWORD.EXE" called "OpenService" to access the "rasman" service
"WINWORD.EXE" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"WINWORD.EXE" called "OpenService" to access the "gpsvc" service
- source: API Call
- relevance: 10/10

Scanning for window names
- details
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "mspim_wnd32"
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details
"WINWORD.EXE" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
"WINWORD.EXE" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
"WINWORD.EXE" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"WINWORD.EXE" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- source: API Call
- relevance: 10/10

Installation/Persistence

Dropped files
- details
"FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF" has type "data"
"9262B99A.jpeg" has type "JPEG image data JFIF standard 1.01"
"FSD-{02397F51-D927-428D-9304-7ED3336B77D8}.FSD" has type "data"
"B849A9E5FD909B2B82D154395741AB6C" has type "data"
"index.dat" has type "data"
"msoFBC2.tmp" has type "GIF image data version 89a 15 x 15"
"892F27E1.jpeg" has type "JPEG image data JFIF standard 1.01"
"FSD-CNRY.FSD" has type "data"
"MSO2057.acl" has type "data"
"E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08" has type "data"
"{A0206728-0B25-4BC8-BCA7-FBEED19B3FC2}" has type "data"
"E500C8D3.png" has type "PNG image data 3969 x 2077 8-bit/color RGBA non-interlaced"
"~$wsletter #8 15 June 2017.docx" has type "data"
"72C79597.jpeg" has type "JPEG image data JFIF standard 1.02"
"705A76DE71EA2CAEBB8F0907449CE086_C23CBDDF9CE33988EC88F3C4214D5784" has type "data"
"8DA944B8.png" has type "PNG image data 600 x 472 8-bit/color RGBA non-interlaced"
"~WRD0001.tmp" has type "Microsoft Word 2007+"
"C9A56ABD.jpeg" has type "JPEG image data JFIF standard 1.01"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{488D23BE-D1BA-4A77-8B73-491DAD2831D1}.tmp"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{493D814A-F42A-4214-BC3A-1C02B900B1FE}.tmp"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details
Pattern match: "http://vananews.com.au/wp-content/uploads/2015/06/Public-holiday-iCampus-newspaper.jpg"
Pattern match: "http://cdn.xl.thumbs.canstockphoto.com/canstock21127155.jpg"
Pattern match: "https://www.wpclipart.com/education/supplies/scissors/safety_scissors/safety_scissors_blue_T.png"
Pattern match: "http://previews.123rf.com/images/dimensions/dimensions0801/dimensions080100067/2461475-Illustration-of-a-complete-lunch-with-a-hot-dog-chips-and-a-drink-Part-of-the-complete-meal-series--Stock-Illustration.jpg"
Pattern match: "http://4.bp.blogspot.com/-8LH7unWCCfM/UNFGJyR-4TI/AAAAAAAAE9o/dYazSUU5tU8/s1600/pj.png"
Pattern match: "http://schools.stlucie.k12.fl.us/oak/files/2015/08/back-to-school.jpg"
Pattern match: "http://worldartsme.com/images/pen-signing-clipart-1.jpg"
Pattern match: "https://img.clipartfest.com/c18dc98a45bed544ad113566ff3fbba1_clipart-pencil-and-paper-pencil-and-paper-clipart-transparent-background_3969-2077.png"
Pattern match: "http://4bible.com/wp-content/uploads/2015/06/happy-fathers-day-pic1.jpg"
Pattern match: "http://img.clipartall.com/cartoon-airplane-clipart-free-clipart-image-3-airplane-clip-art-free-446_375.jpg"
Pattern match: "https://img.clipartfest.com/e17c49f73e6e9249d149915366990eb4_3d-image-on-white-background-newspaper-stack-clipart_400-304.jpeg"
Heuristic match: "previews.123rf.com"
Heuristic match: "schools.stlucie.k12.fl.us"
Heuristic match: "isrg.trustid.ocsp.identrust.com"
Heuristic match: "ocsp.int-x3.letsencrypt.org"
Pattern match: "www.wpclipart.com"
Pattern match: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"
Pattern match: "http://ns.adobe.com/xap/1.0/"
Pattern match: "http://ns.adobe.com/xap/1.0/mm/"
Pattern match: "http://ns.adobe.com/xap/1.0/sType/ResourceRef#"
Pattern match: "http://purl.org/dc/elements/1.1/"
Pattern match: "http://ns.adobe.com/photoshop/1.0/"
Pattern match: "http://ns.adobe.com/tiff/1.0/"
Pattern match: "http://ns.adobe.com/exif/1.0/"
Pattern match: "http://www.iec.chIEC"
Pattern match: "http://www.iec.chdesc.IEC"
- source: String
- relevance: 10/10

System Security

Hooks API calls
- details
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- source: Hook Detection
- relevance: 10/10

Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10

Unusual Characteristics

Drops cabinet archive files
- details
- "Cab406A.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
- source: Binary File
- relevance: 10/10

Installs hooks/patches the running process
- details
"WINWORD.EXE" wrote bytes "e9239999ee" to virtual address "0x774A5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "d7e3a099" to virtual address "0x616D9904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e9c5321ef0" to virtual address "0x761D6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "e9603397ee" to virtual address "0x774A4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "2ebd6099" to virtual address "0x6BA2F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "9a998203" to virtual address "0x6AA5AE34" (part of module "CSI.DLL")
"WINWORD.EXE" wrote bytes "2e98ab99" to virtual address "0x617E10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e99a5496ee" to virtual address "0x774A3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e2461ff4" to virtual address "0x6D9D42C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "77395f7779a86377be726377d62d63771de25e7705a26377c868627757d16977bee35e77616f6377684161770050617700000000ad37d3758b2dd375b641d37500000000" to virtual address "0x75181000" (part of module "WSHIP6.DLL")
"WINWORD.EXE" wrote bytes "2c36d398" to virtual address "0x2F101B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "e99e48ccef" to virtual address "0x76113D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "104dd2ee" to virtual address "0x6D692A00" (part of module "CSS7DATA0009.DLL")
"WINWORD.EXE" wrote bytes "e9365597ee" to virtual address "0x774A3EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "c4ca107680bb1076fc1d0c769fbb107608bb107646ce107661381176de2f1176d0d9107600000000177907764f9107767f6f0776f4f7077611f70776f2830776857e077600000000" to virtual address "0x6B681000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "1f616199" to virtual address "0x670378E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "92e65e7779a86377be726377d62d63771de25e7705a26377bee35e77616f6377684161770050617700000000ad37d3758b2dd375b641d37500000000" to virtual address "0x74C91000" (part of module "WSHTCPIP.DLL")
"WINWORD.EXE" wrote bytes "f38c6699" to virtual address "0x6B6ACA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "5e340299" to virtual address "0x66030BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "58b9caee" to virtual address "0x6D753408" (part of module "MSCSS7EN.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040A")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040B")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040C")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040E")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040F")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000410")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000411")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000412")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000413")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000414")
- source: Registry Access
- relevance: 3/10

File Details
Newsletter #8 15 June 2017.docx
- Filename
- Newsletter #8 15 June 2017.docx
- Size
- 2.4MiB (2493488 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- b9dd17e9e928ff56a756e7f1bc66a41739f35707b22ba9f57d022dccfd937513
- MD5
- c18f30ba4dfb04b68d33ef6ec35caa33
- SHA1
- 226710bc3423c0661921b3a5fd68a893fef9ccf6
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\Newsletter #8 15 June 2017.docx" (PID: 3572)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
www.wpclipart.com | 104.36.143.45 | - | United States |
ocsp.int-x3.letsencrypt.org | 2.20.189.244 | - | European Union |
schools.stlucie.k12.fl.us | 40.139.186.82 | - | United States |
isrg.trustid.ocsp.identrust.com | 192.35.177.195 | - | United States |
previews.123rf.com | 23.37.54.194 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
23.37.54.194 | 80/TCP | winword.exe PID: 3572 | United States |
23.37.54.194 | 443/TCP | winword.exe PID: 3572 | United States |
40.139.186.82 | 80/TCP | winword.exe PID: 3572 | United States; ASN: 7029 (Windstream Communications Inc) |
104.36.143.45 | 443/TCP | winword.exe PID: 3572 | United States |
192.35.177.195 | 80/TCP | winword.exe PID: 3572 | United States; ASN: 11791 (IdenTrust) |
HTTP Traffic
Endpoint | Request | URL | Response |
---|---|---|---|
23.37.54.194:80 (previews.123rf.com) | GET | previews.123rf.com/images/dimensions/dimensions0801/dimensions080100067/2461475-Illustration-of-a-complete-lunch-with-a-hot-dog-chips-and-a-drink-Part-of-the-complete-meal-series--Stock-Illustration.jpg | 301 Moved Permanently |
40.139.186.82:80 (schools.stlucie.k12.fl.us) | OPTIONS | schools.stlucie.k12.fl.us/oak/files/2015/08/ | 200 OK |
40.139.186.82:80 (schools.stlucie.k12.fl.us) | GET | schools.stlucie.k12.fl.us/oak/files/2015/08/back-to-school.jpg | 200 OK |
192.35.177.195:80 (isrg.trustid.ocsp.identrust.com) | GET | isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | 200 OK |
2.20.189.244:80 (ocsp.int-x3.letsencrypt.org) | GET | ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOaz0hsYvkOZEO0tkw2VBot8A%3D%3D | 200 OK |

Raw requests as captured:

GET /images/dimensions/dimensions0801/dimensions080100067/2461475-Illustration-of-a-complete-lunch-with-a-hot-dog-chips-and-a-drink-Part-of-the-complete-meal-series--Stock-Illustration.jpg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
Accept-Encoding: gzip, deflate
Host: previews.123rf.com
Connection: Keep-Alive

OPTIONS /oak/files/2015/08/ HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: schools.stlucie.k12.fl.us
Content-Length: 0
Connection: Keep-Alive

GET /oak/files/2015/08/back-to-school.jpg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
Accept-Encoding: gzip, deflate
Host: schools.stlucie.k12.fl.us
Connection: Keep-Alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOaz0hsYvkOZEO0tkw2VBot8A%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.int-x3.letsencrypt.org
Extracted Files
Displaying 21 extracted file(s). The remaining 19 file(s) are available in the full version and XML/JSON reports.

Informative Selection (1)

58F1CD59.png
- Size
- 20KiB (20464 bytes)
- Type
- img image
- Description
- PNG image data, 600 x 472, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 1d2e308ceb90275dc6c96ce87d2c7525
- SHA1
- b6a3ca959d13aa7eb89727e8454fa224bb6164a0
- SHA256
- ba9cd0c42ae32f37b9399a7de65452f15ffbbab99b039b772f4fd0da62f8c26c

Informative (20)

Newsletter #8 15 June 2017.LNK
- Size
- 548B (548 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jun 15 09:20:28 2017, mtime=Thu Jun 15 09:26:38 2017, atime=Thu Jun 15 09:26:38 2017, length=2185041, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 1e3ddb7cf15bd48cff8ee65fe6f44c43
- SHA1
- 94ed1139dca057546a4ee44aa9f9ab283e8c5937
- SHA256
- cfa178a3e59ca8089583718ad60d339eb9a81ced40be53483c29fb415ff05ff4
-
index.dat
- Size
- 174B (174 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- f8d9ffff9e7ea4f27d66866010127a2e
- SHA1
- 6257e7ff686b62b268119c861cb63ce2af8c3565
- SHA256
- b611b76093078dfee5e1184265a7cb8cabb845dc69e85d83624586ac327310c3
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 1513880cbca7a00305ad66e12b286d0f
- SHA1
- 968cf9a7148e8fd2e175dd4702cedfd75c19cce1
- SHA256
- 117175a8ef945f06836b2b98f431b94a5caf4fa0aa04e99b2930dd0bcdfedaee
-
2461475-Illustration-of-a-complete-lunch-with-a-hot-dog-chips-and-a-drink-Part-of-the-complete-meal-series--Stock-Illustration[1].jpg
- Size
- 110KiB (112456 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- a2bdbe793df1f25695924c034493fdaa
- SHA1
- 91b6023a1a4416d9d366c762fc98c3ac36d567dc
- SHA256
- f4fdd8e06345da7283f1bf04beb3154df96c3af1bc5cdc4bba4d1991d9cca35a
-
72C79597.jpeg
- Size
- 101KiB (102973 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.02
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- fe0e9978bdd760c4d097a424d3cb25f2
- SHA1
- c7647ad3f78dedd1673226fb59564563a8693665
- SHA256
- fc1c85f1db8542be399d63f3aa73e27c5645e5efe5854632cf786d4d7f9abf53
-
892F27E1.jpeg
- Size
- 19KiB (19536 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 371205aae79a0ca2ed45e9c6e6084afd
- SHA1
- fc9f9f81bf9d0cdc74a92e39d8eb4a6dff371930
- SHA256
- f0d675d61842e2ceac8dfb1913a84eef00b0f78120a4a4ccca7a2c875e61702d
-
8DA944B8.png
- Size
- 20KiB (20464 bytes)
- Type
- img image
- Description
- PNG image data, 600 x 472, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 1d2e308ceb90275dc6c96ce87d2c7525
- SHA1
- b6a3ca959d13aa7eb89727e8454fa224bb6164a0
- SHA256
- ba9cd0c42ae32f37b9399a7de65452f15ffbbab99b039b772f4fd0da62f8c26c
-
9262B99A.jpeg
- Size
- 23KiB (23712 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 23179a09c35d83795056ac4913a48a25
- SHA1
- 2a2740aaf74dbeecea3586e8cbd406da6a95a7e0
- SHA256
- b9aa3ec4bd3921e94fe91b26d952bca43ff7ff9a8fd1ad850fd8775a8b14dafc
-
A641AC6E.jpeg
- Size
- 181KiB (185564 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- bca86ea19eb656aec6a7c43315acddde
- SHA1
- 696e899158861015f783711861e3058a9ec073bc
- SHA256
- d81e4e1b61ccbb33727e9be5c284c50653d010326ed20823b73da274c6038393
-
C9A56ABD.jpeg
- Size
- 15KiB (15463 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 21f93a7f9e8fac279f5e622613e48bf0
- SHA1
- 7121456f97dde94793cd265a3563876a4746a5c3
- SHA256
- 43ece62fd0161c262d67947285a436f50a30c0907d518c7c934c60ffff3c8b08
-
E500C8D3.png
- Size
- 1.3MiB (1375161 bytes)
- Type
- img image
- Description
- PNG image data, 3969 x 2077, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- a991765ec0c79f8d0ac427a3e1f2d927
- SHA1
- 6af5fc998ce2b88e5f3676b7614167adb892620b
- SHA256
- 0d353e5d67da7336d7391868ee708bb7aee27451da58ea4ffe9da3c573b369d7
-
F57BC2AC.png
- Size
- 248KiB (254339 bytes)
- Type
- img image
- Description
- PNG image data, 720 x 960, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 370694fa1674e1b238c0c64ceaa62fbd
- SHA1
- 7cc6b91c4889b8c4fd9ef7e872cddd81b734308c
- SHA256
- 5327f17f7eea6631ea03db77cbb01912ec399e41b1c85bee4644309ec61930bf
-
~WRS{488D23BE-D1BA-4A77-8B73-491DAD2831D1}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{9ABDAEA6-6420-43D3-ACB1-85CFAE1E33B4}.tmp
- Size
- 22KiB (22528 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 8b4b34ac49c828ef4949f503d1fdde78
- SHA1
- 34aabbdbd7702df54012ab2ee35f4cddaf9649bb
- SHA256
- 2650d6e0b2c7abecf329795c9f7c11a829d00734e43d6b8f793fa3f06a36464b
-
705A76DE71EA2CAEBB8F0907449CE086_C23CBDDF9CE33988EC88F3C4214D5784
- Size
- 1.6KiB (1608 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 170df39aed6cfd14ecf2727664fd1c83
- SHA1
- e3f01d3ab6c873e0231650fb5b451217d0429846
- SHA256
- 91e0a0f90d11d8a4b1781945b0d7d1e804c437efbf586e4ff4628e4eb7375045
-
C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF
- Size
- 1.7KiB (1763 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- d2854667ba3b7318a3d41bd17845bd72
- SHA1
- eb93c660b37b31d699344ec19ceefb281613eac1
- SHA256
- 17de2a0ee33dcae4fe48502d48f44ce0f2fa21dcf192b3d5578e9fbf236efda1
-
Cab406A.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Tar406B.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
msoFBC2.tmp
- Size
- 663B (663 bytes)
- Type
- img image
- Description
- GIF image data, version 89a, 15 x 15
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- ed3c1c40b68ba4f40db15529d5443dec
- SHA1
- 831af99bb64a04617e0a42ea898756f9e0e0bcca
- SHA256
- 039fe79b74e6d3d561e32d4af570e6ca70db6bb3718395be2bf278b9e601279a
-
~$wsletter #8 15 June 2017.docx
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3572)
- MD5
- 1513880cbca7a00305ad66e12b286d0f
- SHA1
- 968cf9a7148e8fd2e175dd4702cedfd75c19cce1
- SHA256
- 117175a8ef945f06836b2b98f431b94a5caf4fa0aa04e99b2930dd0bcdfedaee
-
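Reading the listing above by hand is slow, and two things are easy to miss: entries that are the same bytes under different names (~$Normal.dotm and ~$wsletter #8 15 June 2017.docx carry identical MD5/SHA1/SHA256), and the routine Word and Windows scratch files that pad the "Informative" count. Note also that the "FoxPro FPT" description on the ~WRS{...}.tmp entry is almost certainly a libmagic signature collision on a 1 KiB Word scratch file (a real FPT would not report a block size of 0), so the type line alone should not drive triage. The script below is an added example, not part of the Hybrid Analysis report: it parses the report's own "name / - Key / - Value / -" layout, collapses entries by SHA-256, and tags files by name pattern. The sample listing is constructed from three of the entries above, and the artifact classes and labels are my assumptions rather than anything the report states.

```python
"""Added example (not from the report): parse the 'Extracted Files' listing,
collapse duplicate content by SHA-256, and tag routine artifacts.
Artifact patterns and labels are assumptions, not report content."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

KEYS = ("Size", "Type", "Description", "Runtime Process", "MD5", "SHA1", "SHA256")

# Constructed sample in the report's own layout: three of the entries above,
# with some fields omitted for brevity (the parser accepts any of KEYS).
SAMPLE = """\
Newsletter #8 15 June 2017.LNK
- Size
- 548B (548 bytes)
- Type
- lnk
- Runtime Process
- WINWORD.EXE (PID: 3572)
- SHA256
- cfa178a3e59ca8089583718ad60d339eb9a81ced40be53483c29fb415ff05ff4
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- SHA256
- 117175a8ef945f06836b2b98f431b94a5caf4fa0aa04e99b2930dd0bcdfedaee
-
~$wsletter #8 15 June 2017.docx
- Size
- 162B (162 bytes)
- SHA256
- 117175a8ef945f06836b2b98f431b94a5caf4fa0aa04e99b2930dd0bcdfedaee
-
"""

@dataclass
class Extracted:
    name: str
    fields: dict[str, str] = field(default_factory=dict)

    def size_bytes(self) -> int:
        """'548B (548 bytes)' -> 548; -1 when the Size line is missing."""
        m = re.search(r"\((\d+) bytes\)", self.fields.get("Size", ""))
        return int(m.group(1)) if m else -1

def parse_listing(text: str) -> list[Extracted]:
    """A name line opens an entry, '- Key' / '- Value' pairs fill it, and a
    bare '-' (the report's separator) closes it."""
    records: list[Extracted] = []
    current, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if current is not None:
                records.append(current)
            current, key = None, None
        elif line.startswith("- "):
            value = line[2:]
            if key is None and value in KEYS:
                key = value                      # this bullet names the field
            elif key is not None and current is not None:
                current.fields[key] = value      # this bullet is its value
                key = None
        elif line:
            current = Extracted(line)
    if current is not None:
        records.append(current)
    return records

# Assumed classes of routine artifacts (not stated by the report).
ARTIFACTS = [
    (re.compile(r"^~\$"), "word-owner-file"),          # Word lock file
    (re.compile(r"^~WRS\{[0-9A-F-]+\}\.tmp$", re.I), "word-scratch-file"),
    (re.compile(r"^mso[0-9A-F]+\.tmp$", re.I), "office-temp"),
    (re.compile(r"^(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I), "cab-tar-temp-pair"),
    (re.compile(r"^index\.dat$", re.I), "ie-cache-index"),
]

def classify(rec: Extracted) -> str:
    for pattern, label in ARTIFACTS:
        if pattern.search(rec.name):
            return label
    if rec.fields.get("Type", "").startswith("img"):
        return "image"
    return "review"          # LNK, unknown data, anything unmatched

def triage(records: list[Extracted]) -> dict[str, dict]:
    """Key by SHA-256 so identical content under two names becomes one row."""
    out: dict[str, dict] = {}
    for rec in records:
        row = out.setdefault(rec.fields.get("SHA256", "?"),
                             {"names": [], "label": classify(rec), "bytes": rec.size_bytes()})
        row["names"].append(rec.name)
    return out

if __name__ == "__main__":
    for sha, row in triage(parse_listing(SAMPLE)).items():
        print(f"{row['label']:18} {row['bytes']:>7}  {sha[:12]}  {', '.join(row['names'])}")
```

Run against the full listing, the "review" bucket reduces to the LNK (a Word Recent-Items shortcut back to the sample, created when the document was opened) plus whatever does not match a known artifact class; everything tagged should still be spot-checked by hash, since the name patterns are heuristics.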
Notifications
-
Runtime
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)