GRADE DE CANAIS ULTIMATE HD - NORMAL.docx
This report is generated from a file or URL submitted to this webservice on November 9th 2017 15:11:27 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v7.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 2 hosts.
Indicators
Not all malicious and suspicious indicators are displayed in this report.
Malicious Indicators 2
Network Related
Malicious artifacts seen in the context of a contacted host
- details
Found malicious artifacts related to "95.101.39.51" (ASN: , Owner: ): ...
File SHA256: 560065a220bede14bb89875a23e6181d945b66050d403cdb4ea02003135c461a (AV positives: 6/68 scanned on 11/09/2017 00:05:52)
File SHA256: 74dc8543ff35fc9dc9f15c719854e0d6330549de06f73c147ec830ee8db80ce1 (AV positives: 5/67 scanned on 11/08/2017 22:49:31)
File SHA256: 22878b959dac465f3602b7de08b9a542e58241b2d62b72f1688e4086a1515cc6 (AV positives: 1/67 scanned on 11/08/2017 14:59:55)
File SHA256: 8a3e3e27e4da9362b9cff28b6660ef5143a2afb6fa82098a6b03807e9bc54d2a (AV positives: 5/68 scanned on 11/08/2017 05:04:24)
File SHA256: ff6e4dc74a172a6218114e82174abbd5f1e7223fb6fd9eb2b996643ddbe0aac1 (AV positives: 6/68 scanned on 11/08/2017 03:33:17)
File SHA256: 59a921c72016f52ffbddbb3e346e506252aee2affa74123a4844e3f0a5ae821d (Scanned on 11/07/2017 07:28:47)
File SHA256: fb13e127313291255947e4356d5fffb133cab6ad606af4f2df91fbefe666ef01 (Scanned on 11/06/2017 10:10:56)
File SHA256: c5bcfc4dc14aa2807e0cc7ae02f1e12e3acab236179955bccb8565b6705dc659 (Scanned on 11/06/2017 09:48:08)
File SHA256: 33947e7eef60ad3228962811499e36e4b1ada248410594c993d8c6a410306d0b (Scanned on 11/06/2017 09:45:04)
File SHA256: cacb9214e825094171f41f5950c2db6a9842edcde8f7b7a31064727e347dec0f (Scanned on 11/05/2017 13:21:45)
Found malicious artifacts related to "92.122.122.138" (ASN: , Owner: ): ...
File SHA256: 1b47db30792f33e110d45227b790d6d0366fcb57eb52ba0350c2dc39e3e275ec (AV positives: 60/62 scanned on 11/09/2017 13:11:20)
File SHA256: 8d5ee21865b192c063ef64514eaac79c8c83d2cb77e13e88c6e7536fe697650e (AV positives: 63/68 scanned on 11/08/2017 19:22:59)
File SHA256: 055f6d5c4f8c6fd4378beaed5bd3d64dd6c95023918e4c7039914fcd10b12301 (AV positives: 39/68 scanned on 11/08/2017 19:11:17)
File SHA256: 656e33294d21cfb421ae3b05fa61fab0922d7897f34607714e156ab26e91350b (AV positives: 26/68 scanned on 11/08/2017 18:32:03)
File SHA256: 2d85912740596020c00602733dae47919b5b01b7d5bf139444c64ebbc8987712 (AV positives: 59/68 scanned on 11/08/2017 18:18:41)
File SHA256: 3f5c260abbe31b1fa4c335af3e0207a6ca4aa8a2d7df3c29e1574e734fe57df1 (Scanned on 11/08/2017 11:03:15)
File SHA256: 6cc52ee3864bd5466a6e28ce0dcc66e0d334e194817f55beb9d26ca8987169ca (Scanned on 11/07/2017 19:06:54)
File SHA256: e2b17dc68f89f1026401fbc6a54a3c36ec660c5486f6fd7eea4c7add8ca234ee (Scanned on 11/07/2017 18:57:12)
File SHA256: 10a179eb382d40b0591be0a9b9a641b8e17b021f4184347601c1c5ef3e07ac6d (Scanned on 11/07/2017 10:42:33)
File SHA256: 94886881615d88ba20b78b4fe0ee50db60382b43d3ffd1aa8d6b5948fc25fc11 (Scanned on 11/07/2017 10:36:36) - source
- Network Traffic
- relevance
- 10/10
Note: the ASN and Owner fields are empty for both addresses, and each "malicious artifact" listed is simply another submission that contacted the same IP at some point. On shared hosting or CDN address space that association says little about this document. No DNS request and no HTTP request were captured for the two TCP/80 connections (see Network Analysis below), so resolve the address owners and look at what was actually sent before treating either IP as an indicator; the 10/10 relevance score reflects the signature, not the strength of the evidence.
Multiple malicious artifacts seen in the context of different hosts
- details
- same artifacts as listed above for "95.101.39.51" and "92.122.122.138" - source
- Network Traffic
- relevance
- 10/10
Informative 16
Environment Awareness
Reads the active computer name
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Reads the registry for installed applications
- details
-
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101") - source
- Registry Access
- relevance
- 10/10
General
Contacts server
- details
-
"95.101.39.51:80"
"92.122.122.138:80" - source
- Network Traffic
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCacheCounterMutex"
"Local\ZonesCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\10MU_ACB10_S-1-5-5-0-61147"
"Local\10MU_ACBPIDS_S-1-5-5-0-61147"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61147"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61147"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~$6f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b.docx" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 680C0000
- source
- Loaded Module
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "mspim_wnd32" - source
- API Call
- relevance
- 10/10
Installation/Persistence
Dropped files
- details
-
"~$6f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b.docx" has type "data"
"946f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Nov 9 22:11:15 2017 mtime=Thu Nov 9 22:17:17 2017 atime=Thu Nov 9 22:17:18 2017 length=1458477 window=hide"
"index.dat" has type "data"
"~WRS{C83FAC32-E9C6-4424-8F92-A3DD905982D2}.tmp" has type "data"
"~WRD0001.tmp" has type "Microsoft Word 2007+"
"~WRS{2C0CF390-1364-46CE-AED0-8B0043BECB42}.tmp" has type "data"
"MSO1046.acl" has type "data"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll" - source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
-
Heuristic match: "HEAD /edgedl/release2/Hcq1Yqsih2A/57.0.2987.133_56.0.2924.87_chrome_updater.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x80042194
X-Last-HTTP-Status-Code: 404
"
Pattern match: "ns.adobe.com/xap/1.0/"
Pattern match: "http://www.iec.chIEC"
Pattern match: "http://ns.adobe.com/xap/1.0/"
Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
Pattern match: "http://ns.adobe.com/xap/1.0/rights/"
Pattern match: "http://purl.org/dc/elements/1.1/"
Pattern match: "http://ns.adobe.com/photoshop/1.0/"
Pattern match: "http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/"
Heuristic match: "6'fNT4h1C~f9X45.9fGH(-\\6N~aqi$6E2.+p(#E>\;6y91>`e{A5 9OI&,/k`d.Gf"
Heuristic match: "3d!#57|I[HG2l}#KiYYN&)LnaU0P{ 5%G])e^-3F$T+=3X63EZ$vZ%<E)jk{?=0->Ge|\bhiWM.aI"
Pattern match: "w-8.WOg/=:|u1ARts!yh_;F6"
Pattern match: "BUouv.mN/0O$3kn_}!Q.]IjDiS`hHUG}4"
Heuristic match: "}S'&#SgAT'4ZQo\z}V4,{^|93JcTzx4*T yJ&<.Pk"
Pattern match: "W2JpXwG16B.pAZr/gOk|y%;`K~_k?f^wV"
Pattern match: "L.TDR/8Qm\qW/8UNTva6IC"
Heuristic match: "Z4'<ozKt]9K @'FsS~Fd.Is"
Pattern match: "okyeeM.aXwK/[wdcv4td'G@MM"
Heuristic match: "+/|AQ.Vt7cG*?Kh~a4n`'(d>G1sL&R7S.q893TGlR [n\ f0RNdb_p$rF$lAI@G7L^4I/Yp s%A5$i)'t\[0;.Au"
Pattern match: "U.mm/[sy]rc[E|i^r',HqF"
Heuristic match: "p;XC rxo(Kjw&V-M&wE0%[YF?|,Sj)22Y|UWV/Ey0A|7\t7Lt&z)eq|8(;vLG)kzkRXm.Y/.iO"
Pattern match: "o.sM/lf=6KSZ4"
Pattern match: "U.PJ/]8l-7=w9Kuf;eL_x?NMv[Vo*._Kr"
Heuristic match: "QS(DObMDzur>@9K9M8QP9{n>.sY"
Pattern match: "z.vxc/l^]Vg{5"
Pattern match: "qh.word/media/image24.jpegPK-"
Heuristic match: "c_.b.Bd" - source
- File/Memory
- relevance
- 10/10
Note: the "HEAD /edgedl/.../chrome_updater.exe" string is a BITS job request (note the "Microsoft BITS/7.5" user agent and the X-Old-UID, X-Last-HR and X-Last-HTTP-Status-Code client headers, the last recording an earlier 404). It is best read as a fragment of the guest's own background-transfer traffic recovered from process memory, not a URL carried in the document. The ns.adobe.com, w3.org, purl.org and iptc.org matches are XMP/RDF metadata namespaces from embedded images, "www.iec.ch" comes from the sRGB ICC profile text in those images (compare the "word/media/image24.jpeg" fragment), and the remaining "matches" are byte runs of compressed ZIP data that happen to contain a dot and a slash. None of these is a URL the document itself would fetch.
System Security
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
Unusual Characteristics
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e99e48e6ef" to virtual address "0x75373D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "30cb4912" to virtual address "0x67D742C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "e96033c2ef" to virtual address "0x755F4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "af28a63b" to virtual address "0x65430BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e92399c4ef" to virtual address "0x755F5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "3756a53b" to virtual address "0x6A2ACA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "c4ca367580bb3675aa6e37759fbb367508bb367546ce367561383775de2f3775d0d9367500000000177975754f9175757f6f7575f4f7757511f77575f2837575857e757500000000" to virtual address "0x6A281000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "4d4fa53b" to virtual address "0x664378E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e99a54c1ef" to virtual address "0x755F3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9c53201f0" to virtual address "0x757A6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "e93655c2ef" to virtual address "0x755F3EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "ba4b803b" to virtual address "0x682110AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "2e888d3b" to virtual address "0x68109904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "f7f31d38" to virtual address "0x2F0D1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "9716a53b" to virtual address "0x68B3F530" (part of module "WWLIB.DLL") - source
- Hook Detection
- relevance
- 10/10
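The six "e9 ..." writes above land on exported functions and are 5-byte x86 near jumps (E9 rel32), i.e. inline hooks, which is what both the "Hooks API calls" and "Installs hooks/patches the running process" indicators are scoring; the 4-byte writes into Office modules are ordinary data stores. Decoding the jumps tells you where the hooked calls are redirected, which is the check that separates Office patching its own process from a foreign payload doing so. The script below is an added example, not Hybrid Analysis code; its input is the report's own lines copied verbatim. All six targets resolve into the 0x65xxxxxx range, the same region in which the report places the write into MSO.DLL (0x65430BA8), so before accepting a 10/10 score compare against a known-clean .docx opened in the same Windows 7 / Office 2010 image: a good first filter is whether the jump target lies inside a legitimately loaded Office module or outside every loaded module.

```python
import re

# Added example (not Hybrid Analysis code): decode the 5-byte "e9 rel32"
# writes from the "Installs hooks/patches the running process" section.
# A write starting with 0xE9 at an export address is an x86 near JMP whose
# target is address_of_next_instruction + sign-extended rel32, i.e.
# (patched_address + 5 + rel32) mod 2**32.

# Lines copied from the report above (report data, not constructed).
REPORT_LINES = """\
"WINWORD.EXE" wrote bytes "e99e48e6ef" to virtual address "0x75373D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "30cb4912" to virtual address "0x67D742C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "e96033c2ef" to virtual address "0x755F4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "af28a63b" to virtual address "0x65430BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e92399c4ef" to virtual address "0x755F5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e99a54c1ef" to virtual address "0x755F3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9c53201f0" to virtual address "0x757A6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "e93655c2ef" to virtual address "0x755F3EAE" ("VariantClear@OLEAUT32.DLL")
"""

LINE_RE = re.compile(
    r'wrote bytes "([0-9a-f]+)" to virtual address "0x([0-9A-Fa-f]+)" '
    r'\((?:"([^"]+)"|part of module "([^"]+)")\)')


def parse_write(line):
    """Return (bytes_written, address, export_or_module) for one report line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    data = bytes.fromhex(m.group(1))
    addr = int(m.group(2), 16)
    where = m.group(3) or m.group(4)
    return data, addr, where


def jmp_target(addr, data):
    """Target of an E9 rel32 near jump written at addr, or None if the
    written bytes are not a 5-byte JMP (e.g. the 4-byte data stores)."""
    if len(data) != 5 or data[0] != 0xE9:
        return None
    rel = int.from_bytes(data[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def decode_hooks(text):
    """Map each hooked export to the 32-bit address its JMP lands on."""
    hooks = {}
    for line in text.splitlines():
        parsed = parse_write(line)
        if not parsed:
            continue
        data, addr, where = parsed
        target = jmp_target(addr, data)
        if target is not None:
            hooks[where] = target
    return hooks


if __name__ == "__main__":
    for name, target in decode_hooks(REPORT_LINES).items():
        print(f"{name:45s} -> 0x{target:08X}")
```

Feed it the full "Installs hooks/patches the running process" list from any report; entries that do not start with 0xE9 are skipped, and the targets can then be checked against the module base/size list of the analysed process.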
-
Reads information about supported languages
- details
-
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
"WINWORD.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "NUMSHAPE")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408") - source
- Registry Access
- relevance
- 3/10
File Details
GRADE DE CANAIS ULTIMATE HD - NORMAL.docx
- Filename
- GRADE DE CANAIS ULTIMATE HD - NORMAL.docx
- Size
- 1.4MiB (1461242 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 946f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b
- MD5
- f532eed15d41a3abfa71e55ad09a62eb
- SHA1
- 780463c42d4578f6ef77215431e214c493b67dd0
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
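TrID's split between DOCX and ZIP reflects that a .docx is a ZIP package; the decisive parts are [Content_Types].xml and word/document.xml. Before (or instead of) detonation, a static pass over that container answers the questions the sandbox run above leaves open: whether there is a VBA project or embedded OLE object, how many media parts are present (the extracted strings include "word/media/image24.jpeg"), whether any relationship points outside the package, and whether any field code fetches content when the document opens. The script below is an added example, not Hybrid Analysis code or anything taken from this sample; the .docx it builds is constructed test input, and the external target and DDEAUTO field it plants are hypothetical.

```python
import io
import re
import zipfile

# Added example (not Hybrid Analysis code). Static triage of an OOXML
# container: a .docx is a ZIP package, so the parts inside decide what it is
# and what it can do when opened.

VBA_PART = re.compile(r"vbaProject\.bin$", re.I)
OLE_PART = re.compile(r"^word/embeddings/", re.I)
MEDIA_PART = re.compile(r"^word/media/", re.I)
# A relationship with TargetMode="External" points outside the package
# (remote template, linked OLE object, hyperlink). Attribute order varies,
# so require the mode via lookahead and then pick up the Target.
EXTERNAL_REL = re.compile(
    r'<Relationship\b(?=[^>]*TargetMode="External")[^>]*\bTarget="([^"]+)"', re.I)
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>([^<]*)</w:instrText>")
# Field codes that fetch or execute something when the document is opened.
FIELD_CODES = re.compile(r"\b(DDEAUTO|DDE|INCLUDEPICTURE|INCLUDETEXT)\b", re.I)


def triage_docx(data: bytes) -> dict:
    """Summarise the container contents a triager wants before detonation."""
    f = {"ooxml": False, "vba": [], "embeddings": [], "media": 0,
         "external": [], "fields": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        f["ooxml"] = "[Content_Types].xml" in names and "word/document.xml" in names
        for name in names:
            if VBA_PART.search(name):
                f["vba"].append(name)
            if OLE_PART.search(name):
                f["embeddings"].append(name)
            if MEDIA_PART.search(name):
                f["media"] += 1
            if name.endswith(".rels"):
                rels = z.read(name).decode("utf-8", "replace")
                f["external"].extend(EXTERNAL_REL.findall(rels))
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                # Word concatenates instrText runs; a field code split across
                # runs defeats a naive grep, so join before matching.
                instr = "".join(INSTR_TEXT.findall(xml))
                for code in FIELD_CODES.findall(instr):
                    f["fields"].append((name, code.upper()))
    return f


def build_sample_docx(external_target=None, dde=False) -> bytes:
    """Constructed minimal .docx (test input, not the report's sample)."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/>']
    if external_target:
        # hypothetical linked OLE object living outside the package
        rels.append('<Relationship Id="rId9" TargetMode="External" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                    f'Target="{external_target}"/>')
    rels.append("</Relationships>")
    runs = ["<w:r><w:t>Grade de canais</w:t></w:r>"]
    if dde:
        # hypothetical field code, deliberately split across two instrText runs
        runs.append('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                    '<w:r><w:instrText>DDE</w:instrText></w:r>'
                    '<w:r><w:instrText>AUTO "app" "topic"</w:instrText></w:r>'
                    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p>' + "".join(runs) + '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        z.writestr("word/media/image1.jpeg", b"\xff\xd8\xff\xe0 constructed stub")
    return buf.getvalue()
```

On the real file, triage_docx(open(path, "rb").read()) for a plain channel-lineup document should give ooxml True, empty vba, embeddings, external and fields lists, and a media count consistent with the image24.jpeg fragment; anything in external or fields is the thing to pull apart next.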
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\946f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b.docx" (PID: 3052)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
95.101.39.51 | 80 TCP | - | European Union
92.122.122.138 | 80 TCP | - | European Union
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Clean 1
~$6f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b.docx
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/57
- Runtime Process
- WINWORD.EXE (PID: 3052)
- MD5
- baec7a5dabebe8f2f1f6c4b37c5f8cad
- SHA1
- fb5ae5bd2af60f80e46307ae8ce3851b83d074f3
- SHA256
- 9916f15d2a41d627b783991f19011949dee3b0d200b1895085845f5c79069845
Informative 7
946f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b.LNK
- Size
- 738B (738 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 9 22:11:15 2017, mtime=Thu Nov 9 22:17:17 2017, atime=Thu Nov 9 22:17:18 2017, length=1458477, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3052)
- MD5
- 850237660eadbfde051b5577e642a9b0
- SHA1
- 168f3b63bdc2b64e514b263c0a3315bf9d1c188f
- SHA256
- 146baf035c98bddc85cd3793293e2e0b9a0d50b1cb32c0c15c7ebde390a849a5
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3052)
- MD5
- baec7a5dabebe8f2f1f6c4b37c5f8cad
- SHA1
- fb5ae5bd2af60f80e46307ae8ce3851b83d074f3
- SHA256
- 9916f15d2a41d627b783991f19011949dee3b0d200b1895085845f5c79069845
-
~WRS{2C0CF390-1364-46CE-AED0-8B0043BECB42}.tmp
- Size
- 6.5KiB (6656 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3052)
- MD5
- 94c390fc451b54ab0bffda70096cb593
- SHA1
- 8a3dfdbdf062de7a1166a78aebbb6b9515c17cf3
- SHA256
- ec27dc342d5f169d2f2a8c8c353143613eaa675bb9a19ccf6f6b993deb1ad257
-
~WRS{C83FAC32-E9C6-4424-8F92-A3DD905982D2}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3052)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
index.dat
- Size
- 250B (250 bytes)
- Type
- data
- MD5
- 88f9b94aed4e7a03a9d91e6b3d2a17ee
- SHA1
- 5eef4ab6043e7a8164745f7bc951d4716cfc882b
- SHA256
- 7b475ebb997ae987ad373bf6eceb44a47f7c11688c1e989b225105f2cc963345
-
~WRD0001.tmp
- Size
- 2MiB (2097152 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- MD5
- 5a2c6bbc0c9259cf15aa6912e15b34e4
- SHA1
- 612a83cc61f3d736b4d9a19abb07a10a9de87ab3
- SHA256
- c1abc7c6c0934d3676a1ed860535a652601f89482a5c0288f40c8b87ae547ae8
-
MSO1046.acl
- Size
- 30B (30 bytes)
- Type
- data
- MD5
- 323df93679337008d0f29fc72850f2d0
- SHA1
- bc467968e2fd0243fb49e1a12cf8318130545a6f
- SHA256
- ac6805b8596b9fd9dda7085b4559b02c6a2f7f527c09aa55da49c87a0ae39447
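The two 162-byte "~$" files (~$6f7f9265...b1099b.docx and ~$Normal.dotm) share the same MD5, SHA1 and SHA256 because they are Word owner files: each records only the name of the user who opened the document, so two of them written by the same sandbox account are byte-identical, and "Drops files marked as clean" at relevance 10/10 is noise. MSO1046.acl is the AutoCorrect list for LCID 1046 (Portuguese, Brazil), consistent with the Portuguese file name ("Grade de canais Ultimate HD - Normal", roughly "Ultimate HD channel lineup - Normal"). The parser below is an added example, not Hybrid Analysis code. The owner-file layout it assumes (a 54-byte ANSI block and a 108-byte UTF-16LE block, each a length prefix followed by the name padded with spaces, 54 + 108 = 162) is the commonly documented one and should be verified against a file from your own environment; the user name it builds is hypothetical.

```python
# Added example (not Hybrid Analysis code). Word writes an "owner" file
# (~$<name>) next to every document it opens. The layout below is an
# assumption to confirm on a real owner file: 54-byte ANSI block
# (length byte + name padded with spaces) then a 108-byte UTF-16LE block
# (length byte, 0x00, name padded with spaces). 54 + 108 = 162 bytes,
# matching the two "~$" files in the report.

ANSI_BLOCK = 54
UNICODE_BLOCK = 108
OWNER_FILE_SIZE = ANSI_BLOCK + UNICODE_BLOCK  # 162


def build_owner_file(user: str) -> bytes:
    """Construct an owner file for a hypothetical user (test input only)."""
    ansi = user.encode("cp1252")
    uni = user.encode("utf-16-le")
    if len(ansi) > ANSI_BLOCK - 1 or len(uni) > UNICODE_BLOCK - 2:
        raise ValueError("name too long for an owner file")
    a = bytes([len(ansi)]) + ansi
    a += b" " * (ANSI_BLOCK - len(a))
    u = bytes([len(user), 0]) + uni
    u += b" " * (UNICODE_BLOCK - len(u))
    return a + u


def parse_owner_file(data: bytes) -> dict:
    """Recover the user name an owner file records; reject other sizes so a
    162-byte check can be applied to 'data'-typed drops before decoding."""
    if len(data) != OWNER_FILE_SIZE:
        raise ValueError(f"expected {OWNER_FILE_SIZE} bytes, got {len(data)}")
    n_ansi = data[0]
    ansi_name = data[1:1 + n_ansi].decode("cp1252")
    n_uni = data[ANSI_BLOCK]
    start = ANSI_BLOCK + 2
    uni_name = data[start:start + 2 * n_uni].decode("utf-16-le")
    return {"ansi": ansi_name, "unicode": uni_name,
            "consistent": ansi_name == uni_name}
```

The practical use is attribution: an owner file that escapes into a mail attachment or a sample archive names the account that last edited the document, and two owner files with identical hashes, as here, were written by the same account.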
Notifications
Runtime
- Extracted file "~WRD0001.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c1abc7c6c0934d3676a1ed860535a652601f89482a5c0288f40c8b87ae547ae8/analysis/1510237312/")
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Sample was unknown to Virus Total, submitted file for scanning (Permalink: "https://www.virustotal.com/file/946f7f9265d112e29c73faed76bf1c109d097e4c90072d4520364212e6b1099b/analysis/1510237300/")