342b12.msi
This report is generated from a file or URL submitted to this webservice on August 22nd 2016 19:39:33 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Evasive
- References security related windows services
- Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Malicious Indicators 1
System Security
References security related windows services
- details
- "tifier for directory entry, primary key. If a property by this name is defined, it contains the full path to the directory.Directory_ParentReference to the entry in this table specifying the default parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.EventMappingA foreign key to the Dialog table, name of the Dialog.An identifier that specifies the type of the event that the control subscribes to.AttributeThe name of the control attribute, that is set when this event is received.FeaturePrimary key used to identify a particular feature record.Feature_ParentOptional key of a parent record in the same table. If the parent is not selected, then the record will not be installed. Null indicates a root item.Short text identifying a visible feature item.Longer descriptive text describing a visible feature item.DisplayNumeric sort order, used to force a specific display ordering.LevelThe install level at which record will be initially selected. An install level of 0 will disable an item and prevent its display.UpperCaseThe name of the Directory that can be configured by the UI. A non-null value will enable the browse button.0;1;2;4;5;6;8;9;10;16;17;18;20;21;22;24;25;26;32;33;34;36;37;38;48;49;50;52;53;54Feature attributesFeatureComponentsFeature_Foreign key into Feature table.Component_Foreign key into Component table.FilePrimary key, non-localized token, must match identifier in cabinet. For uncompressed files, this field is ignored.Foreign key referencing Component that controls the file.FileNameFilenameFile name used for installation, may be localized. 
This may contain a "short name|long name" pair.FileSizeSize of file in bytes (long integer).VersionVersion string for versioned files; Blank for unversioned files.LanguageList of decimal language Ids, comma-separated if more than one.Integer containing bit flags representing file attributes (with the decimal value of each bit position in parentheses)Sequence with reNameTableTypeColumnValue_ValidationNPropertyId_SummaryInformationDescriptionSetCategoryKeyColumnMaxValueNullableKeyTableMinValueIdentifierName of tableName of columnY;NWhether the column is nullableYMinimum value allowedMaximum value allowedFor foreign key, Name of table to which data must linkColumn to which foreign key connectsText;Formatted;Template;Condition;Guid;Path;Version;Language;Identifier;Binary;UpperCase;LowerCase;Filename;Paths;AnyPath;WildCardFilename;RegPath;KeyFormatted;CustomSource;Property;Cabinet;Shortcut;URLString categoryTextSet of values that are permittedDescription of columnAdminExecuteSequenceActionName of action to invoke, either in the engine or the handler DLL.ConditionOptional expression which skips the action if evaluates to expFalse.If the expression syntax is invalid, the engine will terminate, returning iesBadActionData.SequenceNumber that determines the sort order in which the actions are to be executed. Leave blank to suppress action.AdminUISequenceAdvtExecuteSequenceBinaryUnique key identifying the binary data.DataThe unformatted binary data.CheckBoxPropertyA named property to be tied to the item.FormattedThe value string associated with the item.ComponentPrimary key used to identify a particular component record.ComponentIdGuidA string GUID unique to this component, version, and language.Directory_DirectoryRequired key of a Directory table record. 
This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the Directory table.AttributesRemote execution option, one of irsEnumA conditional statement that will disable this component if the specified condition evaluates to the 'True' state. If a component is disabled, it will not be installed, regardless of the 'Action' state associated with the component.KeyPathFile;Registry;ODBCDataSourceEither the primary key into the File table, Registry table, or ODBCDataSource table. This extract path is stored when the component is installed, and is used to detect the presence of the component and to return the path to it.ControlDialog_DialogExternal key to the Dialog table, name of the dialog.Name of the control. This name must be unique within a dialog, but can repeat on different dialogs. The type of the control.XHorizontal coordinate of the upper left corner of the bounding rectangle of the control.Vertical coordinate of the upper left corner of the bounding rectangle of the control.WidthWidth of the bounding rectangle of the control.HeightHeight of the bounding rectangle of the control.A 32-bit word that specifies the attribute flags to be applied to this control.The name of a defined property to be linked to this control. A string used to set the initial text contained within a control (if appropriate).Control_NextThe name of an other control on the same dialog. This link defines the tab order of the controls. The links have to form one or more cycles!HelpThe help strings used with the button. The text is optional. 
ControlConditionA foreign key to the Dialog table, name of the dialog.Control_A foreign key to the Control table, name of the control.Default;Disable;Enable;Hide;ShowThe desired action to be taken on the specified control.A standard conditional statement that specifies under which conditions the action should be triggered.ControlEventA foreign key to the Control table, name of the controlEventAn identifier that specifies the type of the event that should take place when the user interacts with control specified by the first two entries.ArgumentA value to be used as a modifier when triggering a particular event.A standard conditional statement that specifies under which conditions an event should be triggered.OrderingAn integer used to order several events tied to the same control. Can be left blank.CustomActionPrimary key, name of action, normally appears in sequence table unless private use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the cospect to the media images; order must track cabinet order.IconPrimary key. Name of the icon file.Binary stream. The binary icon data in PE (.DLL or .EXE) or icon (.ICO) format.InstallExecuteSequenceInstallUISequenceLaunchConditionExpression which must evaluate to TRUE in order for install to commence.Localizable text to display when condition fails and install must abort.ListBoxA named property to be tied to this item. All the items tied to the same property become part of the same listbox.OrderA positive integer used to determine the ordering of the items within one list..The integers do not have to be consecutive.The value string associated with this item. Selecting the line will set the associated property to this value.The visible text to be assigned to the item. Optional. 
If this entry or the entire column is missing, the text is the same as the value.MediaDiskIdPrimary key, integer to determine sort order for table.LastSequenceFile sequence number for the last file for this media.DiskPromptDisk name: the visible text actually printed on the disk. This will be used to prompt the user when this disk needs to be inserted.CabinetIf some or all of the files stored on the media are compressed in a cabinet, the name of that cabinet.VolumeLabelThe label attributed to the volume.The property defining the location of the cabinet file.MsiFileHashFile_Primary key, foreign key into File table referencing file with this hashOptionsVarious options and attributes for this hash.HashPart1HashPart2HashPart3HashPart4Name of property, uppercase if settable by launcher or loader.String value for property. Never null or empty.RadioButtonA named property to be tied to this radio button. All the buttons tied to the same property become part of the same group.The value string associated with this button. Selecting the button will set the associated property to this value.The horizontal coordinate of the upper left corner of the bounding rectangle of the radio button.The vertical coordinate of the upper left corner of the bounding rectangle of the radio button.The width of the button.The height of the button.The visible title to be assigned to the radio button.The help strings used with the button. 
The text is optional.RegistryPrimary key, non-localized token.RootThe predefined root key for the registry value, one of rrkEnum.KeyRegPathThe key for the registry value.The registry value name.The registry value.Foreign key into the Component table referencing component that controls the installing of the registry value.RemoveFileFileKeyPrimary key used to identify a particular file entryForeign key referencing Component that controls the file to be removed.WildCardFilenameName of the file to be removed.DirPropertyName of a property whose value is assumed to resolve to the full pathname to the folder of the file to be removed.InstallMode1;2;3Installation option, one of iimEnum.ShortcutForeign key into the Directory table denoting the directory where the shortcut file is created.The name of the shortcut to be created.Foreign key into the Comge from run from network state to be installed on the local hard driveSelNetworkNetworkThis feature will remain to be run from the networkSelParentCostNegNegThis feature frees up [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures free up [4] on your hard drive.SelParentCostNegPosThis feature frees up [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures require [4] on your hard drive.SelParentCostPosNegThis feature requires [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures free up [4] on your hard drive.SelParentCostPosPosThis feature requires [1] on your hard drive. It has [2] of [3] subfeatures selected. The subfeatures require [4] on your hard drive.TimeRemainingTime remaining: {[1] minutes }{[2] seconds}VolumeCostAvailableAvailableVolumeCostDifferenceDifferenceVolumeCostRequiredRequiredVolumeCostSizeDisk SizeVolumeCostVolumeVolume1.0.0UPGRADEFOUND"
- source
- File/Memory
- relevance
- 7/10
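The quoted text above references no Windows service: it is the column-description text of the MSI `_Validation` table ("Name of table", "Whether the column is nullable", "Minimum value allowed"...) together with the UIText strings (SelParentCost..., VolumeCost..., TimeRemaining) that any WiX-built package such as this one carries, so the indicator is scoring installer schema boilerplate. The tables that say what an installer actually does are CustomAction, Binary and InstallExecuteSequence, and because this session never executed the package (the process list shows Word opening it as an .rtf), reading them statically is the only way to get at its behaviour. The Python below is an added example, not part of this report or of Hybrid Analysis: it decodes the compressed stream names Windows Installer uses inside the OLE compound file and flags the table streams worth opening. The sample stream names are constructed with the same encoder rather than read from 342b12.msi; `list_msi_streams` shows how to pull real names out of a file with the third-party olefile module and is not exercised here.

```python
"""Decode Windows Installer (MSI) stream names and pick the tables to read.

An MSI is an OLE compound file. Each database table lives in a stream whose
name is "compressed": U+4840 marks a table stream, U+4800..U+483F holds one
character of the 64-symbol alphabet 0-9 A-Z a-z . _ and U+3800..U+47FF holds
two (low 6 bits = first character, next 6 bits = second). Anything outside
those ranges is stored verbatim.
"""

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_MARK = 0x4840   # leading code unit of every table stream
SINGLE_BASE = 0x4800  # one alphabet symbol per code unit
PAIR_BASE = 0x3800    # two alphabet symbols per code unit


def _sym(ch):
    """Alphabet index of ch, or -1 if ch cannot be packed."""
    return ALPHABET.find(ch) if ord(ch) < 0x80 else -1


def encode_stream_name(name, table=False):
    """Pack a plain name the way msi.dll stores it (used here to build sample input)."""
    out = [chr(TABLE_MARK)] if table else []
    i = 0
    while i < len(name):
        first = _sym(name[i])
        if first < 0:                      # not packable: stored verbatim
            out.append(name[i])
            i += 1
            continue
        second = _sym(name[i + 1]) if i + 1 < len(name) else -1
        if second >= 0:
            out.append(chr(PAIR_BASE + first + (second << 6)))
            i += 2
        else:
            out.append(chr(SINGLE_BASE + first))
            i += 1
    return "".join(out)


def decode_stream_name(raw):
    """Inverse of encode_stream_name; table streams get a leading '!' as 7-Zip shows them."""
    out = []
    for ch in raw:
        code = ord(ch)
        if code == TABLE_MARK:
            out.append("!")
        elif SINGLE_BASE <= code < TABLE_MARK:
            out.append(ALPHABET[code - SINGLE_BASE])
        elif PAIR_BASE <= code < SINGLE_BASE:
            v = code - PAIR_BASE
            out.append(ALPHABET[v & 0x3F])
            out.append(ALPHABET[(v >> 6) & 0x3F])
        else:
            out.append(ch)
    return "".join(out)


# What to read first when triaging an installer that was never executed.
TABLES_OF_INTEREST = {
    "CustomAction": "code the engine runs (DLL/EXE entry points, VBScript/JScript, command lines)",
    "Binary": "payloads referenced by CustomAction, e.g. the WiX wixca/PrintEula DLLs",
    "InstallExecuteSequence": "order and conditions under which those actions fire, elevated",
    "Property": "package-wide values: download URLs, service names, hard-coded credentials",
    "ServiceInstall": "Windows services the package creates",
    "Registry": "registry values written; look for Run keys and service parameters",
}


def triage_streams(raw_names):
    """Return [(decoded name, why it matters)] for the table streams worth opening."""
    hits = []
    for raw in raw_names:
        name = decode_stream_name(raw)
        table = name[1:] if name.startswith("!") else None
        if table in TABLES_OF_INTEREST:
            hits.append((name, TABLES_OF_INTEREST[table]))
    return hits


def list_msi_streams(path):
    """Raw stream names from a real .msi via the third-party olefile module (not run here)."""
    import olefile  # pip install olefile
    ole = olefile.OleFileIO(path)
    try:
        return ["/".join(parts) for parts in ole.listdir(streams=True, storages=False)]
    finally:
        ole.close()


# Constructed sample: the stream set a small WiX-built package like this one would
# contain, produced with the encoder above rather than read from 342b12.msi.
SAMPLE_STREAMS = (
    [encode_stream_name(t, table=True) for t in
     ["_Tables", "_StringPool", "_StringData", "_Columns", "_Validation",
      "Property", "Feature", "File", "Binary", "CustomAction",
      "InstallExecuteSequence", "InstallUISequence"]]
    + [encode_stream_name("Binary.wixca"),      # data stream behind a Binary table row
       encode_stream_name("Binary.PrintEula"),
       "\x05SummaryInformation",                # OLE summary stream, stored verbatim
       "\x05DigitalSignature"]                  # present only if Authenticode-signed
)

if __name__ == "__main__":
    for name, why in triage_streams(SAMPLE_STREAMS):
        print(f"{name:26} {why}")
```

Once the names are decoded, the CustomAction rows tell you which entry points in the Binary streams run and with what type flags (deferred, no-impersonate), which is the part of an installer a sandbox that never launched msiexec cannot show.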
Suspicious Indicators 7
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
- "7X:!yvBOXz?K"MO'(At%mTkGdK3Yq6%<~KVtvAA=rU=?" (Indicator: "vbox")
- source
- File/Memory
- relevance
- 4/10
The hit is the four bytes "vBOX" inside an otherwise random-looking run of characters, which is what a case-insensitive substring scan over 4.2 MiB of compressed package data produces by chance; it is not evidence of VM detection on its own.
Installation/Persistence
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
Touches files in the Windows directory
- details
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8749A068-12FB-4D71-84A6-D9737521F05D}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\mlang.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\system32\mlang.dat"
- source
- API Call
- relevance
- 7/10
Every path listed is something Word probes while starting or opening a document: the CLR directory of each installed .NET version, MUI resource files, the font cache, the Caches database and its own ~WRS scratch file under Content.Word. Treat this as the baseline of a Word session in this sandbox rather than behaviour of the sample, and confirm by comparing with a run of a known-clean document.
Network Related
Found potential IP address in binary/memory
- details
Heuristic match: "Windows Installer XML (3.5.2519.0)"
Heuristic match: "3.5.2519.0"
Heuristic match: "StringFileInfo000004E4LCompanyNameMicrosoft CorporationbFileDescriptionWiX PrintEula Custom Actions6FileVersion3.5.2519.04"
Heuristic match: "{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\lang1033\f0\fs22 Revation Systems Communicator Version 6\par"
- source
- File/Memory
- relevance
- 3/10
Every match is a four-part version number (the WiX 3.5.2519.0 toolset and Msftedit 5.41.21.2510), not an address: an IPv4 dotted quad needs each field in 0-255, which 2519 and 2510 fail, so this is a false positive of the pattern.
System Security
Hooks API calls
- details
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
Unusual Characteristics
Contains embedded string with suspicious keywords
- details
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- source
- File/Memory
- relevance
- 10/10
These keyword rules are written for VBA macro source, where Shell, Chr and Open ... For Binary ... Put are the telling combinations. Here they fire on the installer's string pool (Binary is an MSI table name; "Windows" comes from "Windows Installer XML"), and an MSI database carries no VBA project, so the 10/10 relevance is not earned.
Installs hooks/patches the running process
- details
"WINWORD.EXE" wrote bytes "fe7c893a" to virtual address "0x2FC11B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "cf6b5373" to virtual address "0x696678E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e9c53226f1" to virtual address "0x77786143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "874c464e" to virtual address "0x68660BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e93655bff1" to virtual address "0x76853EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "9e1b70ab" to virtual address "0x682710AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e99e480df2" to virtual address "0x76333D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "e99a54bef1" to virtual address "0x76853E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "27b44e73" to virtual address "0x6AD1F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "c4ca327680bb327652ba32769fbb327608bb327646ce327661383376de2f3376d0d932760000000017798e764f918e767f6f8e76f4f78e7611f78e76f2838e76857e8e7600000000" to virtual address "0x6F0A1000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "e92399c1f1" to virtual address "0x76855DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "7fbc5373" to virtual address "0x6A99CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "e96033bff1" to virtual address "0x76854731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "1ac064fd" to virtual address "0x6349BE64" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "bb6e64ab" to virtual address "0x68169904" (part of module "RICHED20.DLL")
- source
- Hook Detection
- relevance
- 10/10
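The bytes in these entries can be decoded instead of taken on faith. A 5-byte write beginning with E9 is an x86 JMP rel32, i.e. an inline hook, and its target is the write address plus 5 plus the signed little-endian displacement; a 4-byte write is a single dword or pointer; and the 72-byte write into MSIMG32.DLL at 0x6F0A1000 (0x1000 past a 64 KiB boundary, where an import table usually sits) is two zero-terminated runs of pointers, the shape of an import address table being filled in by the loader. The Python below is an added example, not part of this report: it embeds the writes listed above exactly as printed (addresses, module names and bytes are the report's) and decodes them. The six JMP targets all fall between 0x684085A4 and 0x689E940D, the region the report itself places MSO.DLL in (the write at 0x68660BA8), and the first pointer run lies in the 0x7632xxxx-0x7633xxxx range that holds KERNEL32 (SetUnhandledExceptionFilter at 0x76333D01). That is consistent with hooks installed by Office's own code and with normal DLL loading, not with the sample patching Word; confirm it by running a known-clean document through the same sandbox and comparing the write lists.

```python
"""Decode the in-process writes Hybrid Analysis reported for WINWORD.EXE.

Three shapes occur in the report: 5-byte E9 xx xx xx xx (x86 JMP rel32, an inline
hook whose target is addr + 5 + disp32), 4-byte dwords (a pointer or flag slot),
and one 72-byte run of dwords in MSIMG32.DLL.
"""
import struct

# Constructed from the report's "Installs hooks/patches the running process" list:
# (address written, module or export at that address, bytes written as hex).
WRITES = [
    (0x2FC11B94, "WINWORD.EXE", "fe7c893a"),
    (0x696678E4, "OART.DLL", "cf6b5373"),
    (0x77786143, "OleLoadFromStream@OLE32.DLL", "e9c53226f1"),
    (0x68660BA8, "MSO.DLL", "874c464e"),
    (0x76853EAE, "VariantClear@OLEAUT32.DLL", "e93655bff1"),
    (0x682710AC, "MSPTLS.DLL", "9e1b70ab"),
    (0x76333D01, "SetUnhandledExceptionFilter@KERNEL32.DLL", "e99e480df2"),
    (0x76853E59, "SysFreeString@OLEAUT32.DLL", "e99a54bef1"),
    (0x6AD1F530, "WWLIB.DLL", "27b44e73"),
    (0x6F0A1000, "MSIMG32.DLL",
     "c4ca327680bb327652ba32769fbb327608bb327646ce327661383376de2f3376d0d93276"
     "0000000017798e764f918e767f6f8e76f4f78e7611f78e76f2838e76857e8e7600000000"),
    (0x76855DEE, "VariantChangeType@OLEAUT32.DLL", "e92399c1f1"),
    (0x6A99CA70, "GFX.DLL", "7fbc5373"),
    (0x76854731, "SysAllocStringByteLen@OLEAUT32.DLL", "e96033bff1"),
    (0x6349BE64, "USP10.DLL", "1ac064fd"),
    (0x68169904, "RICHED20.DLL", "bb6e64ab"),
]


def jmp_rel32_target(addr, data):
    """Absolute target of an E9 rel32 written at addr, or None if data is not one."""
    if len(data) != 5 or data[0] != 0xE9:
        return None
    disp = struct.unpack("<i", data[1:])[0]      # signed 32-bit displacement
    return (addr + 5 + disp) & 0xFFFFFFFF        # wrap as a 32-bit CPU does


def pointer_runs(data):
    """Split a dword array into zero-terminated runs, the layout of an IAT."""
    dwords = struct.unpack("<%dI" % (len(data) // 4), data)
    runs, cur = [], []
    for d in dwords:
        if d == 0:
            if cur:
                runs.append(cur)
                cur = []
        else:
            cur.append(d)
    if cur:
        runs.append(cur)
    return runs


def classify(addr, where, hexbytes):
    """Label one reported write as jmp / dword / table / raw and decode its payload."""
    data = bytes.fromhex(hexbytes)
    target = jmp_rel32_target(addr, data)
    if target is not None:
        return ("jmp", where, target)
    if len(data) == 4:
        return ("dword", where, struct.unpack("<I", data)[0])
    if len(data) % 4 == 0:
        return ("table", where, pointer_runs(data))
    return ("raw", where, data)


def hook_targets(writes=WRITES):
    """{export name: JMP target} for every inline hook in the list."""
    return {w: t for kind, w, t in (classify(*x) for x in writes) if kind == "jmp"}


def span(addrs):
    """(lowest, highest) address: do the targets cluster in one module or scatter?"""
    return min(addrs), max(addrs)


if __name__ == "__main__":
    for kind, where, payload in (classify(*w) for w in WRITES):
        if kind == "jmp":
            print(f"hook  {where:42} -> 0x{payload:08X}")
        elif kind == "table":
            print(f"table {where:42} runs of {[len(r) for r in payload]} pointers")
        elif kind == "dword":
            print(f"dword {where:42} 0x{payload:08X}")
        else:
            print(f"raw   {where:42} {payload.hex()}")
    lo, hi = span(hook_targets().values())
    print(f"all hook targets lie in 0x{lo:08X}..0x{hi:08X}")
```

A hook that jumped into freshly allocated, non-image memory or into a module the document itself introduced would be the signal worth chasing; targets inside an Office DLL that was already loaded are the environment.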
Informative 7
External Systems
Sample was identified as clean by Antivirus engines
- details
0/54 Antivirus vendors marked sample as malicious (0% detection rate)
0/39 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contains PDB pathways
- details
"C:\delivery\Dev\wix35_public\build\ship\x86\PrintEula.pdb"
"C:\delivery\Dev\wix35_public\build\ship\x86\wixca.pdb"
(two further matches repeat the same PrintEula.pdb and wixca.pdb paths as they appear in the binaries' RSDS debug-directory records, embedded in undecodable code bytes)
- source
- File/Memory
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
"WINWORD.EXE" created file "%TEMP%\~DF8E61C3A73BD29F9D.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF54161E7C39293273.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFDD401564F9743CE0.TMP"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61249"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61249"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source
- Created Mutant
- relevance
- 3/10
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 68120000
- source
- Loaded Module
Installation/Persistence
Dropped files
- details
"~WRS{8749A068-12FB-4D71-84A6-D9737521F05D}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~WRD0000.doc" has type "dBase IV DBT of \241.DBF blocks size 14680081 next free block index 13566160 1st item "\177""
"~WRD0001.doc" has type "dBase IV DBT of \241.DBF blocks size 14680081 next free block index 13566160 1st item "\177""
"~$Normal.dotm" has type "data"
"~$e49c51b299b82172641933a36f41c772550f5e0fab63c9f374bc41df149296.rtf" has type "data"
"~WRS{E45E72BA-7470-4732-B818-BD60602386B6}.tmp" has type "data"
- source
- Binary File
- relevance
- 3/10
~WRD0000.doc, ~WRD0001.doc, the ~WRS*.tmp files and ~$Normal.dotm are Word's own scratch and owner files, and ~$e49c51b299b82172641933a36f41c772550f5e0fab63c9f374bc41df149296.rtf is the owner file for the sample itself (Word derives it from the document name with the first two characters replaced by ~$). The FoxPro and dBase types are libmagic guessing at unstructured scratch data; none of these is a payload dropped by the sample.
Network Related
Found potential URL in binary/memory
- details
Pattern match: "http://cs-g2-crl.thawte.com/ThawteCSG2.crl0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawtePCA.crl0"
Heuristic match: "*CommunicatorSetup.ms"
Pattern match: "QV.Mz/%!|%Na"
Pattern match: "Z.tN/DRvb1wR4qU.f"
Heuristic match: ")f<^5[-l)MCxQ=NaCIH$W,,.igNt{^!m<?3W[htmx!}sIjDcjc.lc"
Pattern match: "P.obr/QgR/'`$ooR04u_1:uaM&l2L0@4_A?/VI~uMFw"
Pattern match: "jIibP7.qhA/CRo`sewu#w|F:GZgd%xSL2Mi$YKCY&1r]N2PR@+Z"
Heuristic match: "f%{RD utXb9\fFo]1wQH<41CE/08~^q.Uk"
Pattern match: "N0.tU/,7tzQ|f"
Heuristic match: "+K2E|QU*l&&$D~(5i]9h5:Qmj|ay:_.bR"
Pattern match: "4I.riJ/Y%T@8yFpG|M"
Pattern match: "j9v3.yd/r3ahB%&[Yl="
Pattern match: "2gx.VJsR/xAWi+{BR7W"
Pattern match: "g4YBSCDL.jFph/:J\r:U8a1!c@!Pj9GA"
Heuristic match: "]MZ/zwS$^SJ3bnu,b=K8/{Ahw51*[9Dhtym+>aDKNoUh~(N)l+XqF,^7+$XMvWaseB*R&_+.R\.cN"
Pattern match: "oG.wSDz/`HjCpA7O8:Il^jo?yghra_v"
Pattern match: "APWggUBpNY8.jXmW/+tSxC_K1%cvca{.:Tz%ynzPcewoYv"
Pattern match: "rxM4.DC/Gv"
- source
- File/Memory
- relevance
- 10/10
The three thawte.com URLs are the CRL, OCSP and issuer-CRL locations of a Thawte code-signing certificate chain embedded in the package (the MSI's own Authenticode signature or a signed binary inside it). They are a reason to verify the signature (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell) and check the signer against the Revation Systems author field, not network indicators; the remaining "matches" are random bytes that happen to contain a dot followed by a slash, and the session made no DNS or HTTP requests.
File Details
342b12.msi
- Filename
- 342b12.msi
- Size
- 4.2MiB (4413440 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: Installation Database, Subject: Revation Communicator 6.0.15 Installer, Author: Revation Systems, Keywords: Installer, Comments: Revation Systems Communicator 6.0.15 Installation, Template: Intel;1033, Revision Number: {06CBB8CA-72EB-44F0-947B-FBB31DF54FEF}, Create Time/Date: Mon Jun 11 18:37:34 2012, Last Saved Time/Date: Mon Jun 11 18:37:34 2012, Number of Pages: 200, Number of Words: 2, Name of Creating
- Architecture
- WINDOWS
- SHA256
- fee49c51b299b82172641933a36f41c772550f5e0fab63c9f374bc41df149296
- MD5
- c6004cd46e1160131515e66e3062317a
- SHA1
- 704169df410d0542fb715b063bc82dde663d4a19
Classification (TrID)
- 89.3% (.MSI) Microsoft Windows Installer
- 9.4% (.MST) Windows SDK Setup Transform Script
- 1.2% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\fee49c51b299b82172641933a36f41c772550f5e0fab63c9f374bc41df149296.rtf" (PID: 2732)
The only process is Word, opening the sample under a .rtf name: the .msi was given an .rtf extension and handed to Word rather than to msiexec, so the Windows Installer engine never ran and none of the package's custom actions (the WiX PrintEula and wixca DLLs named in the PDB paths) executed. Every API-call, hook, mutex and dropped-file indicator above describes Word, not the installer. To exercise the installer, resubmit it with the .msi extension or run it explicitly (msiexec /i 342b12.msi /qn /l*v install.log) and diff the resulting file, registry and service changes.
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative 6
~WRS{8749A068-12FB-4D71-84A6-D9737521F05D}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
~WRD0000.doc
- Size
- 8.4MiB (8826880 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\177"
- MD5
- 7f23c58bb2b4afe5996086681f7c5d71
- SHA1
- 1edc3a121b8c3c7d7c615d041eed86831a6da467
- SHA256
- 46fd5bc968940f33faf0bbc0732ac3fecf4e75b4ec3604286931cb36f9221bc8
~WRD0001.doc
- Size
- 8.4MiB (8809984 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\177"
- MD5
- acb58c342a3f1ed7760f4edd6cbacc12
- SHA1
- e577eda62588cf171b03af96f6269fc3d139cfeb
- SHA256
- 6119ea4919b068719479decdacd1f484d9f7dffe43f1def006c7922c3390f87e
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 589619e857a31e5498f66354e8af8d05
- SHA1
- 6f25e811a4d86cdd4493ecfa06a0d0164043d1a7
- SHA256
- ab2d8054c47c8f9bca9164d84fb1cf12da6acf59e37f2b1c8e9f3d75657814b5
~$e49c51b299b82172641933a36f41c772550f5e0fab63c9f374bc41df149296.rtf
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 589619e857a31e5498f66354e8af8d05
- SHA1
- 6f25e811a4d86cdd4493ecfa06a0d0164043d1a7
- SHA256
- ab2d8054c47c8f9bca9164d84fb1cf12da6acf59e37f2b1c8e9f3d75657814b5
~WRS{E45E72BA-7470-4732-B818-BD60602386B6}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 1c9db648a3b51c5a59a6b99e90485a0d
- SHA1
- 84d6e401950ca68c62eb7014d67c2f62d23804b9
- SHA256
- fde8a3fcdfd9e06f05ff5abafd41e2bc89f84e90d3926e8d38e8f72c7d9a0628
Notifications
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)