Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'authentication EPA.docx'

no specific threat

AV Detection: Marked as clean Labeled as: Process timed out

authentication EPA.docx

This report is generated from a file or URL submitted to this webservice on August 17th 2017 21:02:46 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v6.90 © Hybrid Analysis

Overview Sample not shared Re-analyze Hash Seen Before Request Report Deletion

Incident Response

Risk Assessment

Remote Access: Contains a remote desktop related string
Network Behavior: Contacts 1 host. View all details

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Suspicious Indicators 2
Environment Awareness
- Possibly tries to implement anti-virtualization techniques
  
  details
  
  "=Ie*>BE#0*ixu<gDPL` bXG()(Z"bU4N Tu+v)k"L#H-:$C**7XQDE40Ph9h:@>eE{DCn'5o%>)5A' 'V*`*vJq0j*HI>^<qA'<z2TC&<fRRSKM*\FO,pm+FLr|lQEMUHP#d" (Indicator: "qemu")
  
  source
  
  File/Memory
  
  relevance
  
  4/10
Remote Access Related
- Contains a remote desktop related string
  
  details
  
  "VE%-#9#HrF/YJ)PF]!P qavPBvncdD6O6^8!RNLxMGjl1a8S5@S`n" (Indicator for product: Generic VNC)
  
  source
  
  File/Memory
  
  relevance
  
  10/10

Informative 16
Environment Awareness
- Reads the active computer name
  
  details
  
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
- Reads the cryptographic machine GUID
  
  details
  
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Reads the registry for installed applications
  
  details
  
  "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
  "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
  "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
External Systems
- Sample was identified as clean by Antivirus engines
  
  details
  
  0/59 Antivirus vendors marked sample as malicious (0% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
General
- Contacts server
  
  details
  
  "216.58.204.142:80"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59722"
  "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59722"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\10MU_ACBPIDS_S-1-5-5-0-59722"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\ZonesLockedCacheCounterMutex"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\10MU_ACB10_S-1-5-5-0-59722"
  "Local\ZonesCacheCounterMutex"
  "Local\ZonesCounterMutex"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Loads rich edit control libraries
  
  details
  
  "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 5EEA0000
  
  source
  
  Loaded Module
- Scanning for window names
  
  details
  
  "WINWORD.EXE" searching for class "mspim_wnd32"
  "WINWORD.EXE" searching for class "MSOBALLOON"
  "WINWORD.EXE" searching for class "MsoHelp10"
  "WINWORD.EXE" searching for class "AgentAnim"
  
  source
  
  API Call
  
  relevance
  
  10/10
Installation/Persistance
- Dropped files
  
  details
  
  "320c7f68ab71d5bb92dd3af1a36fc013ccaac2638acad6d3b2e4f801c68f7eaf.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Fri Aug 18 03:03:53 2017 mtime=Fri Aug 18 03:09:55 2017 atime=Fri Aug 18 03:09:55 2017 length=3125857 window=hide"
  "~$0c7f68ab71d5bb92dd3af1a36fc013ccaac2638acad6d3b2e4f801c68f7eaf.docx" has type "data"
  "index.dat" has type "data"
  "~WRD0000.tmp" has type "Microsoft Word 2007+"
  "~WRD0002.tmp" has type "Microsoft Word 2007+"
  "~WRS{2D3AFA80-57D1-40BD-94BF-903DE4C1E330}.tmp" has type "data"
  "~WRS{8725DBF0-A630-4DE0-AE37-70776E1C2598}.tmp" has type "data"
  "~$Normal.dotm" has type "data"
  
  source
  
  Binary File
  
  relevance
  
  3/10
- Opens the MountPointManager (often used to detect additional infection locations)
  
  details
  
  "WINWORD.EXE" opened "MountPointManager"
  
  source
  
  API Call
  
  relevance
  
  5/10
- Touches files in the Windows directory
  
  details
  
  "WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  "WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  "WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
  "WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8725DBF0-A630-4DE0-AE37-70776E1C2598}.tmp"
  "WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Heuristic match: "Z\K%j^umy4f%V9\xzS$E{[uS3ZM~rIVQp:0t'ia.yIcNP\PW']e<;nGqw|x`wN{{/7~(NF]p3VFF_(vJ#X)aOL<w.vC"
  Heuristic match: "OO Fn]6wuo1e}xp~p?#ZCk[k`sJe\Qt.=3O2a|>lL7yASLsBSR*$r6DjNesCxpDOQnoo4&17fWtOw|#t}s_p#eQB!XO%}7g(#}Os=Kq`=7=pPK;!uCY=r9w,-d+/wil>oL7_6U`.Ir"
  Pattern match: "WxKGCv0JC.Pi//VAfN^eV&Aex"
  Heuristic match: "nm_?86\D.q@IqRem+PQw`r!lBy<#3y GPU)l%6N3<u&Vuo+9`g;E-5/2r p%*%1K2Q|fX#_JLL cYVO}VT,#a#~-DVBjU2J.SE"
  Pattern match: "N.JRrv/9]fPMB1V"
  Pattern match: "2OVY.Qt/sei5]TpU5hTD.sV/{:=~IM,!~rTVB5m^*lG=X"
  Heuristic match: "S9#qFe[5IQv6U80tD!YPLLeR7*$h[|frbZRr /dzQJ/.Y1!UEd?R[){.5qb]a&?#LQ5J&8-g_qm@9L8DMIKbAc$}tZ.mN"
  Pattern match: "xCo.Zx/d4\prEvmQ|NCP"
  Heuristic match: "AZz:4`MQ@b9#G@.LC"
  Pattern match: "k5.CuM/wk8BN^$9M_z$j.{="
  Heuristic match: "ith 7Y8F;#ITfy?'M=boMB.3{tLc}_sto6lJ{n-%55m&%M6eMVSb&:/_VKhde&>]gr:_W=m*$E/Su'PWI~JEm!uhQdF+\f_)8MaA!tAN_W.nP"
  Pattern match: "WWW08.2@STnf"
  Pattern match: "i9N-.mVg/n'YR;PojM!^"
  Heuristic match: "A[Itp+(2/B.Cd"
  Pattern match: "fL.vc/!yPM"
  Pattern match: "Wgt.xQ/vX;D*V"
  Heuristic match: "9|n:'7Z},,T|.CYcEdk=/XE8eE2|a:DYP]s%XUra3r/d$8Bef*D82W-+`Vp]~:auwrSVdV(b0(8}!5ZsO.lb"
  Pattern match: "4D.BdC/V_NlaNy#2sor~hz{5rYVI:vD!~5jS"
  Pattern match: "3laYcI.bx/f"
  Heuristic match: ";Rg.nU"
  Heuristic match: "t=J+'E%]T[IMFZVSCzFLo:K'U,.$E(;lR/NQ.KE"
  Pattern match: "K.fN/_PL'}@WMc\+{.Iqtrans0"
  Heuristic match: "D2vAKg@F^i<X GplM\XMXjNR|)<lP/2?Ek8H?$qlf]Ij6-LIl*t2r=:I(EkTnIAl[D%#HizZ;<\^vX]R-w7;>.&BGsuGx..gD"
  Pattern match: "FJC.Tf/+aUj@T-SG[][m4ahV]3SueR2"
  Pattern match: "YY-D.Qm/8iIe"
  Heuristic match: "3ad>b(.QA"
  Pattern match: "J1.mS/BfiBWh|x"
  Heuristic match: "!9z'=p667-$yd/ZPyoaR4bwSb3t9jdbZU`Zp! %{x*tu-4c,,nZ176hdhWonPP=krNvYFtDyv.BJ"
  Pattern match: "ZS.Ib/!4KDiwC-8@{sH[Dpv"
  Heuristic match: "KA=`tFL#M{yl5o)/W{(tm'VH`g1J7'oR~W5eL7rJ1LF1.EG"
  Heuristic match: "B,K{rw.|^trWRR`o|pH'YiwJf+LIk|3*uNIHj<ZRxsF*59iC79VILD#.c*NFJ)GP].|}-A/.GM"
  Pattern match: "u-KN.Pgh/O+2`x6,8z/O"
  Pattern match: "s0Z.vOq/A@e'e\97jZlg~z`TTy"
  Heuristic match: "od+5>@g+s0T#-<Y)?cTn{x6YRZdSQ(bTWupUkws}pa%}oo0X,=]m$w_\D3vpD`b(mTBJ,GYok&Wb@(vv0/;~:1j3p,>QLCC[mM)= q*\\.PE"
  Pattern match: "U.iqF/xnlxk{5rxB`g\|igg6TQP9*8PdR#cnEn8iUaBrlV;PutBTT;h'1R#N-Y"
  Heuristic match: ")E{EkXgc+OO2OD{.aX"
  Heuristic match: "da#P_,`7vV8mwr(F-P>mwr=*w|x~10vD{mcQ3X.Lt"
  Heuristic match: "}uxX<[,mg~w_=u^l=$/^C!Q-:I#+!<`4b$.o4UBV(saW8dzQet~7_\Qjb,z:U4~KWW{:`6t3JRf|BO^gNDKmArfqzaAy0: Bv[6YsH3JdM*C* 7j<]p_}<#DmSQ.cv"
  Heuristic match: "XBpR.np"
  Pattern match: "XeP.bWW/KBGS"
  Pattern match: "www.7JjR4$J&J5+FZC*ERlO@DF?sF/n^7Sdf%-j1I7oGUe/N9_"
  Pattern match: "KDXMmn.tl/o/DrCe]M"
  Heuristic match: "XithGqM2,61IzD|CC\\.4q0*gW6mwswv;lQ?&gyv|4k2_n{jytFF>=w\8(i2JFc,hV.Sj"
  Pattern match: "h7.Wdv/Zo}p;7G"
  Pattern match: "JA65zvU.Bz/\3a=P[G`IU#F8"
  Heuristic match: "-z46']s=?B{G?zVJ[@.Er"
  
  source
  
  File/Memory
  
  relevance
  
  10/10
System Security
- Hooks API calls
  
  details
  
  "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
- Queries sensitive IE security settings
  
  details
  
  "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  
  source
  
  Registry Access
  
  relevance
  
  8/10
Unusual Characteristics
- Installs hooks/patches the running process
  
  details
  
  "WINWORD.EXE" wrote bytes "e9c5329eee" to virtual address "0x761B6143" ("OleLoadFromStream@OLE32.DLL")
  "WINWORD.EXE" wrote bytes "78beb913" to virtual address "0x64810BA8" (part of module "MSO.DLL")
  "WINWORD.EXE" wrote bytes "cabbc706" to virtual address "0x6A9042C4" (part of module "MSPROOF7.DLL")
  "WINWORD.EXE" wrote bytes "fa190313" to virtual address "0x2F8D1B94" (part of module "WINWORD.EXE")
  "WINWORD.EXE" wrote bytes "4ac8f913" to virtual address "0x6938CA70" (part of module "GFX.DLL")
  "WINWORD.EXE" wrote bytes "05ff3310" to virtual address "0x5EEE9904" (part of module "RICHED20.DLL")
  "WINWORD.EXE" wrote bytes "c4ca5e7680bb5e76aa6e5f769fbb5e7608bb5e7646ce5e7661385f76de2f5f76d0d95e760000000017796b764f916b767f6f6b76f4f76b7611f76b76f2836b76857e6b7600000000" to virtual address "0x6B291000" (part of module "MSIMG32.DLL")
  "WINWORD.EXE" wrote bytes "9f462410" to virtual address "0x683D10AC" (part of module "MSPTLS.DLL")
  "WINWORD.EXE" wrote bytes "e9365557ee" to virtual address "0x76083EAE" ("VariantClear@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "0b34f913" to virtual address "0x658178E4" (part of module "OART.DLL")
  "WINWORD.EXE" wrote bytes "e99e48fced" to virtual address "0x765F3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  "WINWORD.EXE" wrote bytes "e99a5456ee" to virtual address "0x76083E59" ("SysFreeString@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "e9603357ee" to virtual address "0x76084731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "f8a18713" to virtual address "0x66D1F530" (part of module "WWLIB.DLL")
  "WINWORD.EXE" wrote bytes "e9239959ee" to virtual address "0x76085DEE" ("VariantChangeType@OLEAUT32.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
- Reads information about supported languages
  
  details
  
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
  "WINWORD.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "NUMSHAPE")
  "WINWORD.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
  "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
  
  source
  
  Registry Access
  
  relevance
  
  3/10

File Details

All Details:

authentication EPA.docx

Filename: authentication EPA.docx
Size: 3MiB (3121496 bytes)
Type: docx office
Description: Microsoft Word 2007+
Architecture
: WINDOWS
SHA256
: 320c7f68ab71d5bb92dd3af1a36fc013ccaac2638acad6d3b2e4f801c68f7eaf
MD5
: e59b10cdbfdf7bece1891ea182a3e351
SHA1
: d4e3313c97da47baf6ee2c62ec197b8751866615

Resources

Icon

Visualization

Input File (PortEx)

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 1 process in total (System Resource Monitor).

WINWORD.EXE /n "C:\320c7f68ab71d5bb92dd3af1a36fc013ccaac2638acad6d3b2e4f801c68f7eaf.docx (PID: 3172)

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

IP Address	Port/Protocol	Associated Process	Details
216.58.204.142	80 TCP	svchost.exe PID: 884	United States

Contacted Countries

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

Download All Memory Strings (2.5KiB)

! *0_"Cd602Mt9>Gq0Jb'!wA~J*=P58<~"yI1OP*eW2)D/"y)sqCMd5DQU ]P)-UUMR=T[IvoY*GX>pJZJU/8$/RA.MxP9AN<JnBu*fIV"=kU`!&j4#t(1Lz^v`K>9?M](V:7-y8e(-Yh<mYtue