Alert.dll
This report is generated from a file or URL submitted to this webservice on March 2nd 2016 05:27:27 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.30 © Hybrid Analysis
Indicators
-
Malicious Indicators 3
-
External Systems
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 14/55 Antivirus vendors marked sample as malicious (25% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
-
14/55 Antivirus vendors marked sample as malicious (25% detection rate)
4/41 Antivirus vendors marked sample as malicious (9% detection rate) - source
- External System
- relevance
- 8/10
-
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Suspicious Indicators 7
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- Indicator: "qemu"
- source
- File/Memory
- relevance
- 4/10
-
Installation/Persistence
-
Creates/touches files in windows directory
- details
-
"WINWORD.EXE" created file "%WINDIR%\AppPatch\AcSpecfc.DLL"
"WINWORD.EXE" created file "C:\Windows\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" created file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" created file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" created file "C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdui.BUD"
"WINWORD.EXE" created file "C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdui.gpd"
"WINWORD.EXE" created file "C:\Windows\system32\spool\DRIVERS\W32X86\3\StdNames.gpd"
"WINWORD.EXE" created file "C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdui.ini"
"WINWORD.EXE" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" - source
- API Call
- relevance
- 7/10
-
System Destruction
-
Marks file for deletion
- details
-
"%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%TEMP%\tst5267.tmp" for deletion
"%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%TEMP%\tst52E5.tmp" for deletion
"%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%TEMP%\tst5343.tmp" for deletion
"%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%TEMP%\tst53B2.tmp" for deletion
"%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%TEMP%\tst5614.tmp" for deletion
"%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%TEMP%\tst5683.tmp" for deletion - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "FindWindow" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "ShowWindow" which indicates: "May hide the application"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "66142ef9" to virtual address "0x66EDF69C" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "e92319a1f1" to virtual address "0x766E3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "b86402fb" to virtual address "0x6A0DEC08" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "40539b7758589c77186a9c77653c9d770000000000bf6d760000000056cc6d76000000007cca6d76000000003768b5756a2c9d77d62d9d77000000002069b5750000000029a66d7600000000a48db57500000000f70e6d7600000000" to virtual address "0x761E1000" (part of module "NSI.DLL")
"WINWORD.EXE" wrote bytes "c1e80cfb" to virtual address "0x6922E718" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "47c3eef8" to virtual address "0x6865A980" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "2abfd6f8" to virtual address "0x6FF810AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "629bb7fb" to virtual address "0x2F0E1634" (part of module "WINWORD.EXE") - source
- Hook Detection
- relevance
- 10/10
-
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 5
-
General
-
Contains PDB pathways
- details
-
"d:\Conduit\RnD\Client\IE\Dev\5.4\SingleComponent\Alert\Release\Alert.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\KYIMEShareCachedData.MutexObject.PSPUBWS"
"\Sessions\1\BaseNamedObjects\KYTransactionServer.MutexObject.PSPUBWS"
"\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE12\RICHED20.DLL" at 66E80000
- source
- Loaded Module
-
Installation/Persistence
-
Dropped files
- details
-
"opa12.dat.911241580" has type "data"
"~$ert.dll.doc.1303079170" has type "data"
"~WRD0000.doc.1560234626" has type "data"
"~WRD0001.doc.1627343522" has type "data"
"index.dat.1647014572" has type "data"
"~WRD0002.doc.1694452418" has type "data"
"Local Disk (C).LNK.1789590254" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, System, Directory, ctime=Tue Jul 14 09:07:54 2009, mtime=Wed Mar 2 18:33:22 2016, atime=Wed Mar 2 18:33:22 2016, length=8192, window=hide"
"~WRS{C46BB34F-BEF2-4EF1-BFAA-058F94ECC31A}.tmp.3093106292" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"~WRS{9C98AD0C-DAC3-4C5C-B311-81CD81463030}.tmp.4237089844" has type "data"
"Alert.dll.LNK.4247930766" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 2 18:28:59 2016, mtime=Wed Mar 2 18:28:59 2016, atime=Wed Mar 2 20:27:56 2016, length=638560, window=hide" - source
- Binary File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D"
Pattern match: "https://www.verisign.com/rpa0"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0"
Pattern match: "https://www.verisign.com/cps0*"
Pattern match: "http://logo.verisign.com/vslogo.gif0"
Pattern match: "http://ocsp.verisign.com01"
Pattern match: "http://crl.verisign.com/pca3.crl0"
Pattern match: "AlertServices.asmx/AlertLogin"
Pattern match: "AlertServices.asmx/GetToolbarAlertsInfo"
Pattern match: "AlertServices.asmx/SetAlertUsageRequest"
Pattern match: "http://iealert.conduit-download.com"
Pattern match: "AlertServices.asmx/GetAlertTranslation"
Pattern match: "http://alert.client.conduit.com"
Pattern match: "http://alert.services.conduit.com"
Pattern match: "http://hosting.conduit.com/Alertupdate/update.xml"
Pattern match: "http://hosting.eb.com/Alertupdate/update.xml"
Pattern match: "http://hosting.eb.com/Alertupdate/tbedrs.dll"
Pattern match: "http://services.conduit.com/CommunityRequest.ctp?type=GetCommunity&ct=EB_CTID&CommunityPage=EB_CTID.ourtoolbar.com" - source
- File/Memory
- relevance
- 10/10
File Details
Alert.dll
- Filename
- Alert.dll
- Size
- 624KiB (638560 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- f22e58cdfe94d4a5fbbf2795a743b167ed9923e289e14654631e0077dd306c1d
- MD5
- 6796f6e449f90a543dc3345538acc46f
- SHA1
- 97bccd25561f44e9b13f05f6eef083c9ce9ba529
Classification (TrID)
- 55.3% (.AX) DirectShow filter
- 31.9% (.OCX) Windows ActiveX control
- 8.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 1.8% (.DLL) Win32 Dynamic Link Library (generic)
- 1.2% (.EXE) Win32 Executable (generic)
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 3780)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
-
Informative 10
-
-
Alert.dll.LNK
- Size
- 458B (458 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 2 18:28:59 2016, mtime=Wed Mar 2 18:28:59 2016, atime=Wed Mar 2 20:27:56 2016, length=638560, window=hide
- MD5
- 82096a190640d23185a8cf1ccecd80f9
- SHA256
- 278e931d20ea6cecfef374a02625dd4bf215651034b5a778e1eb126c4cf5757e
-
Local Disk (C).LNK
- Size
- 317B (317 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, System, Directory, ctime=Tue Jul 14 09:07:54 2009, mtime=Wed Mar 2 18:33:22 2016, atime=Wed Mar 2 18:33:22 2016, length=8192, window=hide
- MD5
- efdfe126dc048b0f33d789bc80e8d10a
- SHA256
- 1519e12582bfbf0efca71310dbd24f13d999cd1d78ec07cfbbeaca6decce31a6
-
index.dat
- Size
- 74B (74 bytes)
- Type
- data
- MD5
- 5dfe91459fcd1c5abda0b9442e5d0e34
- SHA1
- 6d346e12262a9c2df2211961615a404cdc9702a2
- SHA256
- a1f4edba9e4046fda4e9150c5805fd80c3026fefa28e9d5b8a404d4476f1d2cc
-
~WRD0000.doc
- Size
- 1.2MiB (1277120 bytes)
- Type
- data
- MD5
- c9ee0ed638640cf00ae012ef53e9a772
- SHA1
- c85d8b1f5868753f9d169a881e749be4f1215a45
- SHA256
- 7e4e625cb93f4ae071bf88f95362bdba627ce670cd8df8a59ecd2213914e060c
-
~WRD0001.doc
- Size
- 1.2MiB (1277120 bytes)
- Type
- data
- MD5
- c9ee0ed638640cf00ae012ef53e9a772
- SHA1
- c85d8b1f5868753f9d169a881e749be4f1215a45
- SHA256
- 7e4e625cb93f4ae071bf88f95362bdba627ce670cd8df8a59ecd2213914e060c
-
~WRD0002.doc
- Size
- 1.2MiB (1245184 bytes)
- Type
- data
- MD5
- e073ab1aee6c767992f931ec9adaf671
- SHA1
- 3d41c3a35b5f4de38bae541cf9621bb5372eb7c7
- SHA256
- 7fd0712cc16eef5a6b37bf61c7df4aacf2dab149f889eddda838bd6738bc7494
-
~WRS{9C98AD0C-DAC3-4C5C-B311-81CD81463030}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 53b0b35ef4ba27c8bda910df9a521188
- SHA1
- f4810a9f45824807022ecb9ecd8ca31dde8e7c9a
- SHA256
- 12d2fe61af1c52f8e8bea34eb0803143aa3b6e5ae8d7278fc64bdf1f016cea4a
-
~WRS{C46BB34F-BEF2-4EF1-BFAA-058F94ECC31A}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
opa12.dat
- Size
- 8.3KiB (8488 bytes)
- Type
- data
- MD5
- 416c9314d146470fd1313250fb4d3b74
- SHA1
- fa98f00852f32750527560076960cef20d06d1a3
- SHA256
- bc784978aa01adf5dcd68765efd37ab4e4dbb687a9d87ebc42bd796c81649f9f
-
~$ert.dll.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- c0d64e8c6fad01aca75733f1a0fc5c56
- SHA1
- 6b0d903b6a88b7612f2912b83b9fdbbcacf32e11
- SHA256
- 55c606246a827f77b64970fba03164f41fb38d57eb94235101095e9733ed5b11
-
Notifications
-
Runtime
- No static analysis parsing on sample was performed
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-3" are available in the report