Aimable.doc
This report is generated from a file or URL submitted to this webservice on April 28th 2022 15:18:15 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v9.1.1 © Hybrid Analysis
Incident Response
Risk Assessment
- Evasive
- Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 1
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
- ATT&CK ID
- T1204.002 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Suspicious Indicators 5
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"@0R:K3c>#M&oS3l"5l@1qEMuMBG$7hDbDnHdjq;[Dh-Lj6&.>7:)uYTC-pjKDfBt
W@;[j6*]T2" (Indicator: "qemu") - source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1497 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Exploit/Shellcode
-
Found URL in decoded VBA string
- details
-
- source
- File/Memory
- relevance
- 10/10
-
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
- source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Unusual Characteristics
-
Contains embedded VBA macros with interesting strings
- details
-
Found pattern type "Executable file name" with value: "XJM.JS" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
Found suspicious keyword "sample" which indicates: "May detect Anubis Sandbox"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "command" which indicates: "May run PowerShell commands"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Informative 28
-
Environment Awareness
-
Contains ability to read software policies
- details
-
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"splwow64.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED") - source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1082 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries the installation properties of user installed products
- details
-
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004109110000000000000000F01FEC\INSTALLPROPERTIES"; Key: "WINDOWSINSTALLER")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004109110000000000000000F01FEC\INSTALLPROPERTIES") - source
- Registry Access
- relevance
- 10/10
-
Reads the active computer name
- details
-
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"splwow64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1082 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the registry for installed applications
- details
-
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE"; Key: "DONTUSEDESKTOPCHANGEROUTER")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Tries to sleep for a long time (more than two minutes)
- details
- "splwow64.exe" sleeping for "00120000" milliseconds
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1497.003 (Show technique in the MITRE ATT&CK™ matrix)
-
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Contains embedded VBA macros
- details
- details too long to display
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains embedded VBA macros (normalized)
- details
-
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1137 (Show technique in the MITRE ATT&CK™ matrix)
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\WinSpl64To32Mutex_116b3_0_3000"
"Local\WinSpl64To32Mutex_116b3_0_3000"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Global\MsoShellExtRegAccess_S-1-5-21-686412048-2446563785-1323799475-1001"
"Local\10MU_ACBPIDS_S-1-5-5-0-71253"
"Local\10MU_ACB10_S-1-5-5-0-71253"
"Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-71253"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-71253"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-686412048-2446563785-1323799475-1001"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-686412048-2446563785-1323799475-1001"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-686412048-2446563785-1323799475-1001" - source
- Created Mutant
- relevance
- 3/10
-
Found API related strings
- details
-
"Found API string" (Indicator: "bind")
"Found API string" (Indicator: "select")
"Found API string" (Indicator: "Escape") - source
- File/Memory
- relevance
- 1/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%PROGRAMFILES%\(x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL" at 69DA0000
- source
- Loaded Module
-
Overview of unique CLSIDs touched in registry
- details
-
"WINWORD.EXE" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"WINWORD.EXE" touched "Microsoft Word 97-2003-Dokument" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{00020906-0000-0000-C000-000000000046}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
"WINWORD.EXE" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"WINWORD.EXE" touched "Memory Mapped Cache Mgr" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\PROGID")
"WINWORD.EXE" touched "SAX XML Reader 6.0" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{88D96A0C-F192-11D4-A65F-0040963251E5}\TREATAS")
"WINWORD.EXE" touched "MXXMLWriter 6.0" (Path: "HKCU\WOW6432NODE\CLSID\{88D96A0F-F192-11D4-A65F-0040963251E5}\INPROCSERVER32")
"WINWORD.EXE" touched "OneNote Word Add-In Take Notes Content Service Class" (Path: "HKCU\WOW6432NODE\CLSID\{C580A1B2-5915-4DC3-BE93-8A51F4CAB320}\INPROCSERVER32")
"WINWORD.EXE" touched "PersistentZoneIdentifier" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{0968E258-16C7-4DBA-AA86-462DD61E31A3}\PROGID")
"WINWORD.EXE" touched "Security Manager" (Path: "HKCU\WOW6432NODE\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TREATAS")
"WINWORD.EXE" touched "Multi Language Support" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\PROGID")
"WINWORD.EXE" touched "Microsoft Word-Vorlage mit Makros" (Path: "HKCU\WOW6432NODE\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
"WINWORD.EXE" touched "TF_ThreadMgr" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\TREATAS")
"WINWORD.EXE" touched "TF_DisplayAttributeMgr" (Path: "HKCU\WOW6432NODE\CLSID\{3CE74DE4-53D3-4D74-8B83-431B3828BA53}\INPROCSERVER32")
"WINWORD.EXE" touched "TF_InputProcessorProfiles" (Path: "HKCU\WOW6432NODE\CLSID\{33C53A50-F456-4884-B049-85FD643ECFED}\INPROCSERVER32")
"WINWORD.EXE" touched "TF_CategoryMgr" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A4B544A1-438D-4B41-9325-869523E2D6C7}\TREATAS")
"WINWORD.EXE" touched "Microsoft Word-Dokument" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\PROGID")
"WINWORD.EXE" touched "Microsoft Word-Dokument mit Makros" (Path: "HKCU\WOW6432NODE\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\INPROCHANDLER32")
"WINWORD.EXE" touched "Microsoft Word-Vorlage" (Path: "HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\PROGID")
"WINWORD.EXE" touched "Microsoft Word-Vorschau" (Path: "HKCU\WOW6432NODE\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\TREATAS")
"WINWORD.EXE" touched "OpenDocument-Text" (Path: "HKCU\WOW6432NODE\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
- Process "splwow64.exe" (Show Process) was launched with new environment variables: "WecVersionForRosebud.3F4="4""
- source
- Monitored Target
- relevance
- 10/10
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "A7%")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "G$%")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "{E%")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\36156F56"; Key: "36156F56")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\36156F56")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "OfficeTooltip" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
- Spawned process "splwow64.exe" with commandline "12288" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
-
Installation/Persistence
-
Dropped files
- details
-
"~WRD0003.doc" has type "PostScript document text conforming DSC level 3.0 Level 2"
"~_imable.doc" has type "data"
"~WRD0002.doc" has type "PostScript document text conforming DSC level 3.0 Level 2"
"Aimable.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Apr 28 13:19:46 2022 mtime=Thu Apr 28 13:19:46 2022 atime=Thu Apr 28 13:19:06 2022 length=1024612 window=hide"
"~WRD0000.doc" has type "data"
"~WRS_7BE99EF8-618F-4B23-86BD-B09F60C20F6E_.tmp" has type "data"
"index.dat" has type "data"
"~WRD0001.tmp" has type "PostScript document text conforming DSC level 3.0 Level 2"
"~WRS_229754D4-07B9-4491-A7AB-9BD71B167B04_.tmp" has type "data"
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"~WRS_48B3A745-61F2-4611-B522-4128949B24C1_.tmp" has type "data"
"~_Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
- source
- File/Memory
- relevance
- 10/10
-
-
System Destruction
-
Marks file for deletion
- details
-
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "%TEMP%\tstD490.tmp" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent\Aimable.LNK" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\tstD441.tmp" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\tstD4DF.tmp" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\~$imable.doc" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BE99EF8-618F-4B23-86BD-B09F60C20F6E}.tmp" for deletion
"%PROGRAMFILES%\(x86)\Microsoft Office\Office14\WINWORD.EXE" marked "C:\Users\%USERNAME%\AppData\Local\Temp\CVRB0D8.tmp.cvr" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1070.004 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens file with deletion access rights
- details
-
"WINWORD.EXE" opened "%APPDATA%\Microsoft\Office\Recent\AIMABLE.LNK" with delete access
"WINWORD.EXE" opened "%APPDATA%\Microsoft\Office\Recent\Aimable.LNK" with delete access
"WINWORD.EXE" opened "%TEMP%\tstD3F1.tmp" with delete access
"WINWORD.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Temp\tstD609.tmp" with delete access
"WINWORD.EXE" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\SCHEMAS\MS WORD_RESTART.XML" with delete access - source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1070.004 (Show technique in the MITRE ATT&CK™ matrix)
-
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1056.004 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries the display settings of system associated file extensions
- details
-
"WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.DOC"; Key: "NEVERSHOWEXT")
"WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.DOC"; Key: "ALWAYSSHOWEXT")
"WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.DOTM"; Key: "ALWAYSSHOWEXT")
"WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.DOTM"; Key: "NEVERSHOWEXT") - source
- Registry Access
- relevance
- 7/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1056.004 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the windows installation language
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE"; Key: "INSTALLLANGUAGEFALLBACK")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
Aimable.doc
- Filename
- Aimable.doc
- Size
- 1001KiB (1024612 bytes)
- Type
- doc office
- Description
- PostScript document text conforming DSC level 3.0, Level 2
- Architecture
- WINDOWS
- SHA256
- 039406c830f5046da1daa796095d2f638b45a31190c33c46eb60a02765a3c3ef
- MD5
- 31e1e88f365c42eccfeffbf64819889d
- SHA1
- 4be74a62b7c90f3420b99d0304fba59a64677e04
- ssdeep
- 24576:Dik1eh9p73IrQTbxYYoq9NlzM4ldN6SM7+0Jdo9QM:Dik1eh9p7MibxrjNleDSj
Classification (TrID)
- 100.0% (.PS) Postscript document
Screenshots
Hybrid Analysis
Analysed 2 processes in total.
-
WINWORD.EXE
/n "C:\Aimable.doc"
(PID: 1012)
- splwow64.exe 12288 (PID: 2388)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative Selection 1
-
-
~WRD0001.tmp
- Size
- 1001KiB (1024620 bytes)
- Type
- text
- Description
- PostScript document text conforming DSC level 3.0, Level 2
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 14cfea4cd0edb5ada3e8c8c1e15435ed
- SHA1
- 9e51978310323567f6433757c057ea003566339b
- SHA256
- 8a7d0c3eff641293636e398ca8e1cc9ac833b01363ceb861eac0dadc0fb03c35
-
-
Informative 11
-
-
Aimable.LNK
- Size
- 446B (446 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Apr 28 13:19:46 2022, mtime=Thu Apr 28 13:19:46 2022, atime=Thu Apr 28 13:19:06 2022, length=1024612, window=hide
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- a571e4749b588726d5d359373bba5e97
- SHA1
- 883acfa543cda39ff130d98167f81ce7c0d974f8
- SHA256
- 8be99991631ac864224231190a758337dd8b15bfe0fc0f65582a09b9c9582623
-
index.dat
- Size
- 110B (110 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 3e100c3d591ee7fcebe11fa1d10ce0e5
- SHA1
- 192762856b080df379d0490f8c95cb7d00bacd19
- SHA256
- 2bdc7f29552eaa33b4e8511df51316968b56d682326e1f859adfbd07bcbf65a9
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with no line terminators
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~WRD0000.doc
- Size
- 2MiB (2049224 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 44250e23b317524cc650915a32e3c98e
- SHA1
- 7e6c71b7a5c2670eb17e95790510cdc4da503617
- SHA256
- b4c3a113b8f6df6a8f960c16568b9f648cacde4e35d96f257fcb1e2aac12c355
-
~WRD0002.doc
- Size
- 978KiB (1001728 bytes)
- Type
- text
- Description
- PostScript document text conforming DSC level 3.0, Level 2
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- a1e082c0f47fec5598652ab412790038
- SHA1
- 553c21b0db01a356d8395c36651a4aa8ae581277
- SHA256
- 693bdde939c3e09ca6ecfebea1be4647d37cde94fc5be12d1724cdbc44ac1c59
-
~WRD0003.doc
- Size
- 1001KiB (1024620 bytes)
- Type
- text
- Description
- PostScript document text conforming DSC level 3.0, Level 2
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 14cfea4cd0edb5ada3e8c8c1e15435ed
- SHA1
- 9e51978310323567f6433757c057ea003566339b
- SHA256
- 8a7d0c3eff641293636e398ca8e1cc9ac833b01363ceb861eac0dadc0fb03c35
-
~_imable.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 78f8d0576a44e3ce291be6cb465d868c
- SHA1
- 89891c536b97020f4c9b1b33b6bc6293b80ac5d7
- SHA256
- 32d76bcc1cef6121c9477b68d6e4e59f08ee1c2067734c5b7e9e60f6b52ce9b3
-
~WRS_7BE99EF8-618F-4B23-86BD-B09F60C20F6E_.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 6e6482b2976496f3d47ba72bbd3a5153
- SHA1
- eed4f7f885eda346bfbf22e7ad74415b80eeff72
- SHA256
- 6fdb5565afc04868379088c85c03dfd1d1b3729f6e5cb7917cda16970a11d6a5
-
~WRS_229754D4-07B9-4491-A7AB-9BD71B167B04_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS_48B3A745-61F2-4611-B522-4128949B24C1_.tmp
- Size
- 1KiB (1028 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 8576cf2f73829a6c35a3aa159a4c0048
- SHA1
- c2f576e6b676979c311b8d26864910e277e2c235
- SHA256
- ce56828788d90d1ca56857173fc138faf3f183a89d088c3bd98dfa2bc756cb22
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1012)
- MD5
- 78f8d0576a44e3ce291be6cb465d868c
- SHA1
- 89891c536b97020f4c9b1b33b6bc6293b80ac5d7
- SHA256
- 32d76bcc1cef6121c9477b68d6e4e59f08ee1c2067734c5b7e9e60f6b52ce9b3
-
Notifications
-
Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for splwow64.exe (PID: 2388)
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-101" are available in the report
- Not all sources for indicator ID "string-18" are available in the report
- Not all sources for indicator ID "string-50" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report