anyconnect-win-4.2.04018-pre-deploy-k9.msi
This report is generated from a file or URL submitted to this webservice on June 29th 2016 18:27:46 (UTC) and action script Random desktop files
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v4.31 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 1
-
System Security
-
References security related windows services
- details
- "<G@HE,?DE&Fw>D3BE<HI@HDDrDhD7HSstSequenceCabinetVolumeLabel#disk1.cabMsiShortcutPropertyShortcut_PropertyKeyPropVariantValueCisco.AnyConnectSystem.AppUserModel.IDAppUserModelID_ACComponentComponentIdKeyPathNew_Value_1{4490A8C2-C340-427F-9750-3A20A0106294}{DF493651-FC31-40CF-AD95-C24113234210}((NOT VersionNT64) AND (VersionNT >= 601)){3626C367-BF5F-4599-892A-560B0B974583}{6000BC50-A843-44B2-8C77-5CD16A31F2A6}{CFC72DF7-92EB-4C3F-B64A-BBCB9AF2C670}Brand{3C0E56EB-BB27-4BE4-87F5-B966AE9B3740}AlternateCLSID{56A7E4E1-B92C-4C4C-B3C1-896C8C811182}{EBA0800B-E423-4050-95D8-DD3446B9CE3D}{758B9B95-95C1-419B-A9F5-30DF3D8F5565}{6C32CA12-77CF-473B-B697-5B12EADC2F8E}{0F471913-9A36-4027-951E-6F4311A5F51B}{EE790751-F4E5-4F89-8C76-51B35D0D1C96}{8691BD1E-2260-43E9-B101-12A3099F9CF9}{5938B225-45AB-4A9F-9DD2-E20FE29E77EB}(NOT DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK) OR (DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK = 0){A3C5A7B1-988C-4DD0-B116-69EC28950C45}Brand_1{4B16307C-18AD-488A-9431-2A2F8A1BDAE2}(VersionNT >= 601){D41F3777-22EA-4D8D-9641-281CDEB62C2F}(NOT VersionNT64){BBA4FCD9-4674-425C-91C4-4BC30357DF59}{8FCB6F68-E4B8-422F-A5BC-8AB6C125C5C4}((VersionNT64) AND (VersionNT < 601)){3FDB592C-B4C9-48C0-AD0A-AA87D1A05DBD}{468F996B-1A53-43C7-9F3F-654DCB2D3E42}FailureActions{920150C0-2DAE-4803-9ECE-5340E531F1CE}vpngina{71F4ECA9-17E0-4A7D-84F4-C4E15B71B78E}NOINSTALLACTIVEX <> 1{115AD652-3B1F-490A-A5D7-56D1A6117FA6}{58D01F77-4756-41FB-B682-970B1ED9D173}AnyConnect_Secure_Mobility_Client{74634F0A-4634-444F-8726-559733CE1B10}{D7C35915-E271-4113-80B7-6384A9A52848}{689CFDD6-0DA0-4DC5-88CD-444AC1519C12}{BE69ABF5-1223-4A54-A2E1-6DCE7CA2B163}{C9AECFAE-EFB3-4E2E-B9DD-937538B652D0}{AAC62CED-8D5F-44E0-95AB-B6EF81E07540}{DDA0BDE3-2C1F-4DB6-A818-05259B47064E}PRE_DEPLOY_DISABLE_VPN=1{11224C5D-0F2B-421E-9815-93DB50C87440}{22AD8AF9-41A6-4744-93A0-49CB627BB739}((NOT VersionNT64) AND (VersionNT < 601)){7DD0DCBC-072D-49AD-98E3-B551855CBFE6}{DF549AF0-B0C3-4BD1-9470-9EA77560657B}{0CAF9786-80A2-42BA-BA92-CD5170B170A5}VersionNT > "601"{1E731D96-C3CC-40BB-912C-DDC5138A9F86}vpndownloader_1{FB38B06B-9B47-41D5-AFEE-8170FF69C1DC}(VersionNT < 600){9576CE16-4C2B-488A-92A4-8F09472325C3}{D7E896D8-3EBB-45C5-AA28-CDB37B1364A6}{986883AE-0E84-4029-BF46-E83C3182564F}{6CF1F8A3-99FA-4524-B6FA-7248E01E0DA1}{C8772B8C-DE85-4A67-A8EE-A8684840B5F6}{91EA62DA-26F8-43A8-A5A4-B8BA5F9EB46A}vpnextractor_1{6D240E20-9EEE-46AF-AF37-CF73EDA892B7}{678A6992-1CD8-44D1-A15B-AEFA48DE316A}vpnapi_1{C9A7C2FA-B206-4A5D-A0C7-C0A6CA7CF994}MaxPacketSize{FA4213F5-4837-4974-A20C-C46500D8C174}{E0AAC9F1-2F71-4124-BB81-7366E17D1542}((VersionNT64) AND (VersionNT >= 601)){A7563444-5A94-4923-9876-A0A95ABBE764}{45D7C35A-464B-4D9D-9970-16917957F215}{C7A91E6C-C182-482A-B3D1-780464846B74}vpnui_1{6521A61D-C92E-4B53-B6E6-C3647D06FB03}{558E69CF-9D4E-41EE-B751-5305BD12BF59}{8D971A7C-5973-47FC-9AFF-7B493CCA8827}New_Value{19555DFC-445C-46E0-8090-5811F55A91C5}{DF717D16-FDBA-4296-9452-5AC6DAB6276C}{5CA86839-FE31-4105-81A3-0C695D9DCDEE}{91FC6A63-4393-4273-B6C4-29D6118FCBF1}{A593538D-FCCA-4D57-86DC-74DD2C4D6C94}{AD71C81B-919E-40CC-8F85-8E7E792FF8BB}(VersionNT64){F083588A-CECE-4F9D-83E5-05D193A7827B}{E2D31641-FED4-4EA2-8D90-B16E7048FE54}RunOnce{0CB566BF-B16E-479A-B02C-4121ECCC4C0D}{D63FBE6E-DA9F-4933-A719-45FEE256C3B4}{E508422D-5EC3-41BD-8807-50BB825FC799}{F62B094C-4F7A-4295-A395-0FCC9DD73B11}{4E32D045-1685-4944-8526-E0DFAF708054}{A74420E7-8448-401B-84FC-440FC88ECC7C}{1D662365-B85E-47D4-AE4F-D2B0353B767D}{47956FC9-674D-481A-B311-93B89DD38A80}{EF64B376-6336-428F-90D0-78C140998B4D}{0FE14FF6-D8ED-4E1E-BC63-02DE92AA5D2C}{1D844596-3C03-47ED-877E-14BD2CD5506B}Application{561D690A-7B5E-4386-BB57-F619747BD6FA}SystemComponent_1ARPSYSTEMCOMPONENT=1{7CBD1171-7A5B-431D-8D95-0EA0CEF2302D}{984207FA-27BF-4964-9AF8-C4619D38516B}{BCA657F8-4263-4531-BC67-F06DEC772DE5}{1E1D3448-C3E3-43C3-880D-106578810E76}UITextODBCSQLShowDatabasesTitleThis feature frees up [1] on your hard drive.SelChildCostNegDifferenceVolumeCostDifference{[2] or higher}PrereqReqMinOnly{[3] or lower}PrereqReqMaxOnlyGathering required information...ScriptInProgress<body><h3 style="color:darkred;">Error loading resource:</h3><p style="white-space:nowrap">"[1]"</p></body>HtmlHostNavErrorbytesThis feature will become unavailableSelAdvertiseAbsentBrowsing SQL Servers on the network...SQLBrowseMsgTime remaining: {[1] minutes }{[2] seconds}TimeRemainingVolumeVolumeCostVolumeSelect FolderBrowseFolderSelectFolder[4]PrereqFoundThis feature will be uninstalled completely, you won't be able to run it from the networkSelNetworkAbsentThis feature requires [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures require [4] on your hard drive.SelParentCostPosPos[2]PrereqReqExactThis feature will be completely removedSelLocalAbsentSending collected data...HttpPostMsg[6]PrereqActionFolder name:BrowseFolderNamePrereqLabelEntire feature will be unavailableMenuAbsentWill be installed when requiredSelAdvertiseAdvertiseThis feature will be available to run from CDSelAdvertiseCDRequiredVolumeCostRequiredMust InstallPrereqMandatoryInstallActionThis feature requires [1] on your hard drive.SelChildCostPosUnused drivesVolumeCostOthersGroupThis feature will be available to run from the networkSelAdvertiseNetworkThis feature will be installed on your local hard driveSelAdvertiseLocalThis feature will be removed from your local hard drive, but will be set to be installed when requiredSelLocalAdvertiseThis feature will be removed from your local hard drive, but will be still available to run from CDSelLocalCDWarningEntire feature will be installed to run from networkMenuAllNetworkEntire feature will be installed on local hard driveMenuAllLocalThis feature will be removed from your local hard drive, but will be still available to run from the networkSelLocalNetworkThis feature will remain on you local hard driveSelLocalLocalThis feature frees up [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures free up [4] on your hard drive.SelParentCostNegNegFeature will be installed when requiredMenuAdvertiseWill be installed to run from CDMenuCDThis feature will remain uninstalledSelAbsentAbsentWill be installed to run from networkMenuNetworkPlease wait while testing the connection...ODBCTestMsgWill be installed on local hard driveMenuLocalConnecting to database server...SQLShowDatabasesMsgCompiling cost for this feature...SelCostPendingPrereqInstallActionSkipPrereqSkipActionSQLSQLBrowseTitleInsufficient spaceVolumeCostBadGroupBrowseFolderLocation HttpPostTitleThis feature will be set to be installed when requiredSelAbsentAdvertiseThis feature will be installed to run from CDSelAbsentCDThis feature will be uninstalled completely, you won't be able to run it from CDSelCDAbsentGBAbsentPathThis feature will be installed to run from the networkSelAbsentNetworkInstallation drivesVolumeCostDrivesGroupThis feature will be installed on the local hard driveSelAbsentLocalDisk SizeVolumeCostSizeKBMBPrereqInstalledThis feature will change from run from CD state to set to be installed when requiredSelCDAdvertiseThis feature will remain to be run from CDSelCDCDAvailableVolumeCostAvailableThis feature frees up [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures require [4] on your hard drive.SelParentCostNegPosThis feature requires [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures free up [4] on your hard drive.SelParentCostPosNegEntire feature will be installed to run from CDMenuAllCDThis feature will change from run from network state to set to be installed when requiredSelNetworkAdvertiseThis feature will change from run from CD state to be installed on the local hard driveSelCDLocal{[2] - [3]}PrereqReqThis feature will remain to be run from the networkSelNetworkNetworkThis feature will change from run from network state to be installed on the local hard driveSelNetworkLocalODBCTestTitleInstallExecuteSequence(REMOVE = "ALL") AND (VersionNT64) AND (VersionNT < 602)AI_EXTREG <> "No"(AI_BUILD_NAME = "PreDeploy") AND (REMOVE = "ALL") AND (NOINSTALLACTIVEX <> 1)(NOT Installed) AND (RESET_ADAPTER_MTU) AND (RESET_ADAPTER_MTU <> 0)(REMOVE = "ALL") AND (NOT VersionNT64) AND (VersionNT < 602)(AI_BUILD_NAME = "PreDeploy") AND (REMOVE = "ALL") AND (NOINSTALLACTIVEX <> 1) AND (VersionNT64)((VersionNT64) AND (VersionNT >= 601)) AND (Not Installed)(VersionNT64) AND (VersionNT < 601)(AI_BUILD_NAME = "PreDeploy")((NOT VersionNT64) AND (VersionNT < 601)) AND (Not Installed)((VersionNT64) AND (VersionNT < 601)) AND ((REMOVE = "ALL") AND (NOT UPGRADINGPRODUCTCODE))(NOT Installed) AND (VersionNT64) AND (VersionNT < 601)(NOT VersionNT64) AND (VersionNT >= 601)AI_NEWERPRODUCTFOUND AND (UILevel <> 5)(AI_BUILD_NAME = "PreDeploy") AND NOT (PRE_DEPLOY_DISABLE_VPN=1)(NOT Installed) AND NOT (PRE_DEPLOY_DISABLE_VPN=1)Not Installed(VersionNT64) AND (VersionNT >= 601)((VersionNT64) AND (VersionNT < 601)) AND (Not Installed)(NOT VersionNT64) AND (VersionNT < 601)((NOT VersionNT64) AND (VersionNT < 601)) AND (REMOVE = "ALL")(AI_BUILD_NAME = "PreDeploy") AND (NOT Installed) AND (NOINSTALLACTIVEX <> 1)(REMOVE = "ALL") AND (NOT VersionNT64) AND (VersionNT >= 601)(NOT VersionNT64) AND (VersionNT < 602)(Not Installed) AND (LOCKDOWN)@H<BE"
- source
- File/Memory
- relevance
- 7/10
-
References security related windows services
-
Suspicious Indicators 6
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- ",vg73zo_?q!'T AE$|:+4r+QjpGq!sFv@^UchG-B<hh+wW-Ep])2VKhZ>e^>p$2shqemU,)|^XSn<*!2wngY,6KT#OKM}Os^^0_>?7D_>Y()w*p3&G~zHta7jo,(:uZWW%5gxhtGlY{Iga" (Indicator: "qemu")
- source
- File/Memory
- relevance
- 4/10
-
Possibly tries to implement anti-virtualization techniques
-
Installation/Persistance
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D04F8C4E-87AB-4909-8E81-D12E5514305E}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\mlang.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\system32\mlang.dat"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc" - source
- API Call
- relevance
- 7/10
-
Opens the MountPointManager (often used to detect additional infection locations)
-
Network Related
-
Found potential IP address in binary/memory
- details
- "127.0.0.1"
- source
- File/Memory
- relevance
- 3/10
-
Found potential IP address in binary/memory
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Environ" which indicates: "May read system environment variables" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "af715ea2" to virtual address "0x6A88F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "9094a2a6" to virtual address "0x68839904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "027caea3" to virtual address "0x66FE0BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "829938ad" to virtual address "0x2F7F1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "e49a59a2" to virtual address "0x691D78E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "47ed58a2" to virtual address "0x6A50CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "c4caf97680bbf97652baf9769fbbf97608bbf97646cef9766138fa76de2ffa76d0d9f97600000000177927774f9127777f6f2777f4f7277711f72777f2832777857e277700000000" to virtual address "0x6BBC1000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "e99e48deef" to virtual address "0x76FA3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "dfcf7aa0" to virtual address "0x689410AC" (part of module "MSPTLS.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
-
Informative 7
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
General
-
Contains PDB pathways
- details
- "e,]Zl[Wv.PdBx=Z(AWV;DyTVB"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DFE59795371ED040F0.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF8600C0AA4950822F.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFCCC4A33CF44AEA3C.TMP" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-60907"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-60907"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 687F0000
- source
- Loaded Module
-
Contains PDB pathways
-
Installation/Persistance
-
Dropped files
- details
-
"~WRS{A60180B9-0C8B-4E33-9554-39E8034EF17E}.tmp" has type "data"
"~WRS{D04F8C4E-87AB-4909-8E81-D12E5514305E}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"index.dat" has type "data"
"~$7ad55343824b73bfc8347b87fc44374441d92c0013f047d65390125013058a.rtf" has type "data"
"9c7ad55343824b73bfc8347b87fc44374441d92c0013f047d65390125013058a.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Wed Jun 29 16:29:13 2016 mtime=Wed Jun 29 16:29:13 2016 atime=Tue May 31 01:28:20 2016 length=5582336 window=hide"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.example.com"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.google.com"
Heuristic match: "vpnva.cat"
Heuristic match: "vpnva64.cat"
Heuristic match: "acsint.cat"
Heuristic match: "acsmux.cat"
Heuristic match: "acsock.cat"
Heuristic match: "acsint64.cat"
Heuristic match: "acsmux64.cat"
Heuristic match: "acsock64.cat"
Heuristic match: "vpnva_6.cat"
Heuristic match: "%#0WI38].ht"
Pattern match: "http://sv.symcb.com/sv.crl0a"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sv.symcd.com0&"
Pattern match: "http://sv.symcb.com/sv.crt0"
Pattern match: "http://s2.symcb.com0"
Pattern match: "http://www.symauth.com/cps0" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
anyconnect-win-4.2.04018-pre-deploy-k9.msi
- Filename
- anyconnect-win-4.2.04018-pre-deploy-k9.msi
- Size
- 5.3MiB (5582336 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {334E5C01-EA6C-49EF-9D1C-A61834784305}, Number of Words: 2, Subject: Cisco AnyConnect Secure Mobility Client, Author: Cisco Systems, Inc., Name of Creating Application
- Architecture
- WINDOWS
- SHA256
- 9c7ad55343824b73bfc8347b87fc44374441d92c0013f047d65390125013058a
- MD5
- 9a610c5ca3860a2b41e8b89fe7c91fc6
- SHA1
- d3ca30dea0bbe95d9527c918a6fca85be681bf91
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\9c7ad55343824b73bfc8347b87fc44374441d92c0013f047d65390125013058a.rtf" (PID: 2828)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 6
-
-
9c7ad55343824b73bfc8347b87fc44374441d92c0013f047d65390125013058a.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Wed Jun 29 16:29:13 2016, mtime=Wed Jun 29 16:29:13 2016, atime=Tue May 31 01:28:20 2016, length=5582336, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2828)
- MD5
- cb07d901890f944cc28778da71314423
- SHA1
- 6cbdb8a4bb2772789f4da2128d50a81b0468298f
- SHA256
- 4cd5519b5f36ffe3cc690ab73ece1209614cd00aacee8cc4578ac494b5d6a1c5
-
index.dat
- Size
- 545B (545 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2828)
- MD5
- 039dff679fbdb5b0302e6f350729c526
- SHA1
- f9512d50599658d1c473b740a7644bbb679b0be6
- SHA256
- 4703a4f2168525f10d9d4150fcd7c68b297101ecc79f3cdea6eda89395b20ab4
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2828)
- MD5
- f5a08eb0ff924d21e7826f5a1b013afc
- SHA1
- 5ad4706ab07a70f2596e73036a888d2f582b35b6
- SHA256
- cdc75519bf920cc30f8ee74242bdb40412d37e37c34fdcd8e2464b93b5909c79
-
~WRS{A60180B9-0C8B-4E33-9554-39E8034EF17E}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2828)
- MD5
- e3f0c87ae0381834edb2f6f42d0dd663
- SHA1
- c05c4c9d0a2221b1a75bc5ba3dc33813a70d1a66
- SHA256
- b59c21767404a483d114bb457a05be36ee977fc438f59f84f0b2471054e285a5
-
~WRS{D04F8C4E-87AB-4909-8E81-D12E5514305E}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 2828)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$7ad55343824b73bfc8347b87fc44374441d92c0013f047d65390125013058a.rtf
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2828)
- MD5
- f5a08eb0ff924d21e7826f5a1b013afc
- SHA1
- 5ad4706ab07a70f2596e73036a888d2f582b35b6
- SHA256
- cdc75519bf920cc30f8ee74242bdb40412d37e37c34fdcd8e2464b93b5909c79
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)