hmnvabpj.docx
This report is generated from a file or URL submitted to this webservice on October 29th 2019 08:03:24 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Indicators
-
Suspicious Indicators 1
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
- source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114
-
-
Informative 13
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/60 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-65875"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-65875"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Local\ZonesCacheCounterMutex"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\10MU_ACB10_S-1-5-5-0-65875"
"Local\10MU_ACBPIDS_S-1-5-5-0-65875"
"Local\ZonesLockedCacheCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Document contains embedded files
- details
- "N655.pdf.bin" has type "PDF document version 1.6" and the context is "N655.pdf" ("https://github.com/ssmaura2017/books/raw/master/xjy/N655.zip") ...
- source
- Binary File
- relevance
- 10/10
- ATT&CK ID
- T1064
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~_nvabpj.docx" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6C450000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Opened the service control manager
- details
- "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "W'%")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "?+%")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "4%%")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
-
Installation/Persistence
-
Dropped files
- details
-
"N655.pdf.bin" has type "PDF document version 1.6"
"~_nvabpj.docx" has type "data"
"hmnvabpj.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Oct 29 08:04:27 2019 mtime=Tue Oct 29 08:04:27 2019 atime=Tue Oct 29 08:04:36 2019 length=1142357 window=hide"
"4C26FB75.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 384x171 frames 3"
"1B576522.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 383x420 frames 3"
"579B6A8A.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 384x256 frames 3"
"272D027D.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 651x271 frames 3"
"F49862F2.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 384x246 frames 3"
"D00CF693.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 431x287 frames 3"
"~WRS_A71F5A4B-95F4-4E0F-9C59-2B77151B1767_.tmp" has type "data"
"D2FD896C.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 100x100 segment length 16 baseline precision 8 451x600 frames 3"
"D7FEAB76.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 480x297 frames 3"
"2A7BEE5A.png" has type "PNG image data 460 x 7 2-bit colormap non-interlaced"
"index.dat" has type "data"
"6EC1B8F.jpeg" has type "JPEG image data JFIF standard 1.02 aspect ratio density 71x73 segment length 16 Exif Standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CS3 Windows datetime=2019:06:20 17:32:07] baseline precision 8 621x1004 frames 3"
"9F31AFD0.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 384x216 frames 3"
"642C5328.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 384x216 frames 3"
"CCCB724B.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 366x383 frames 3"
"2EC5B8FF.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 431x282 frames 3"
"26B36C7.jpeg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 384x235 frames 3" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000020.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A71F5A4B-95F4-4E0F-9C59-2B77151B1767}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://github.com/ssmaura2017/books/raw/master/xjy/N655.zip"
Pattern match: "https://bit.ly/2T8nQe8?fbclid=IwAR2gaIoWAbnYa5oD0QZT-zdzhPR4jdpRo8gABcSbzazjoQaCathJMydX_lY"
Pattern match: "https://www.epochweekly.com/"
Pattern match: "https://github.com/etweekly/china/blob/master/README.md"
Pattern match: "https://git.io/ogate2"
Pattern match: "ns.adobe.com/xap/1.0/"
- source
- File/Memory
- relevance
- 10/10
-
-
System Security
-
Hooks API calls
- details
-
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "f8110675" to virtual address "0x750783C4" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48120675" to virtual address "0x750783C0" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "6012c371" to virtual address "0x75ADE324" (part of module "WININET.DLL")
"WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x750612CC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "f30b2d5b" to virtual address "0x2FDF1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "d827015a" to virtual address "0x6D2710AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "f8110675" to virtual address "0x7507834C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "d3cb0d5a" to virtual address "0x6C499904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x75061408" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "b84013c371ffe0" to virtual address "0x75061248" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "c04e307720543177e0653177b53832770000000000d0c97500000000c5eac9750000000088eac97500000000e968337582283277ee29327700000000d2693375000000007dbbc9750000000009be337500000000ba18c97500000000" to virtual address "0x760F1000" (part of module "NSI.DLL")
"WINWORD.EXE" wrote bytes "48120675" to virtual address "0x75078348" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "68130000" to virtual address "0x75511680" (part of module "WS2_32.DLL")
"WINWORD.EXE" wrote bytes "e9848ea7ee" to virtual address "0x75C9F71B" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "e9695364ee" to virtual address "0x76103F8A" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x7506139C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x750612DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48120675" to virtual address "0x750783DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "e9fef379ee" to virtual address "0x7655A00A" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "48120675" to virtual address "0x75078364" (part of module "SSPICLI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
File Details
hmnvabpj.docx
- Filename
- hmnvabpj.docx
- Size
- 1.1MiB (1142357 bytes)
- Type
- docx office
- Description
- Zip archive data, at least v2.0 to extract
- Architecture
- WINDOWS
- SHA256
- e6f9f0f445ce1609df01fbaf424d0fe5cc5d4687d8eee69b6fdd89eaf575eabd
- MD5
- 24540ff02606d1050fe7b4de01cb7c4f
- SHA1
- a20401183d1445f6eb60b17b82d7809110107075
- ssdeep
- 24576:F4vzPY1dts1y73ttgxm53p7z+VrrZx9MlvlrZw+rTCTGtXC:FWY1jvYY7z+9n9MRZZ/FhC
Classification (TrID)
- 51.0% (.DOCX) Word Microsoft Office Open XML Format document
- 38.0% (.ZIP) Open Packaging Conventions container
- 8.6% (.ZIP) ZIP compressed archive
- 2.1% (.BIN) PrintFox/Pagefox bitmap (var. P)
Hybrid Analysis
Analysed 1 process in total.
- WINWORD.EXE /n "C:\hmnvabpj.docx" (PID: 1612)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 18 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
~_nvabpj.docx
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/57
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
-
Informative 20
-
-
hmnvabpj.LNK
- Size
- 458B (458 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 29 08:04:27 2019, mtime=Tue Oct 29 08:04:27 2019, atime=Tue Oct 29 08:04:36 2019, length=1142357, window=hide
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 8245b60f15855c4b7fdcb951cea482d7
- SHA1
- dd0a4cd3b35b8559a2dbb23e32b02a0221fa0aea
- SHA256
- 744e98f9b05e30efeaf2d0b063a6f3c7eccb1fa0c5f1374e835aad9084572f3a
-
index.dat
- Size
- 105B (105 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 254cbd64c01f77c53aa01548916eb0e4
- SHA1
- 5082dbcb55f3f86626e65da47af57d28dc2404e8
- SHA256
- 8b93ae629d174925164132e2fd31d2502edfc5c90c811a512f89fe95343640e9
-
266D0119.jpeg
- Size
- 7.9KiB (8084 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 384x253, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 33760a467bea047e2eb4852313ead07b
- SHA1
- 883bb10519530765e47ff6784b9d7b4feef8e3fb
- SHA256
- a9c54984f27dfdf4e64d70ef3f202f1daff0a69ca48a2ed9e408e15f7be436b3
-
272D027D.jpeg
- Size
- 40KiB (41117 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 651x271, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 52f238f4c8f48e91a61f4243671e038a
- SHA1
- a78e7b7a0411468432d603fe756673b6e4ed3ced
- SHA256
- b604b490379e3cb610ec0ea838d21dc7ffac0db45ac70249168512023686b89a
-
2A7BEE5A.png
- Size
- 142B (142 bytes)
- Type
- img image
- Description
- PNG image data, 460 x 7, 2-bit colormap, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- ff64b1fd5053ef29e048c32a583380ac
- SHA1
- 0b22d9226ac88a845afaa1438cc0ffce01a52eb5
- SHA256
- fe09fd7c8efe12014abeb63e3f937bfe5e52e2d4911688ff16eff516de4be35b
-
CF421778.jpeg
- Size
- 44KiB (45172 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 480x319, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 36bea38042a2b45ddf30d40d39f7ef1d
- SHA1
- d46371785ae7ca2e1888de05e914c9eb45c7464f
- SHA256
- de02b6fe10839214bf7d58e6899874232ee09d7b9e324015209d741c2453347d
-
D00CF693.jpeg
- Size
- 20KiB (20557 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 431x287, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 2156af6ccf6f6a06040bf3a94c1e5cfa
- SHA1
- 616133e179c7233463ebced5f5018315e247dc2f
- SHA256
- 3e1a0abba67c87f8a2ad657f474c15d9499e0aec7ffd0e3b88496748f4adaebf
-
D2FD896C.jpeg
- Size
- 115KiB (117917 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, baseline, precision 8, 451x600, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- d36a6eb05bac720d693e7cbaca476515
- SHA1
- 399006875c154ffb66c1d784de6dff41e6406844
- SHA256
- c90918b851e4dcbf9512fe165cd02bcecc93362d49011d4b4cbbd55388dd8982
-
N655.pdf.bin
- Size
- 6.4MiB (6751423 bytes)
- Type
- Description
- PDF document, version 1.6
- Runtime Process
- WINWORD.EXE (PID: 1612)
- Context
- N655.pdf
- Additional Context
- https://github.com/ssmaura2017/books/raw/master/xjy/N655.zip
- MD5
- aa39badb1f65db3ae4f7015395fd0884
- SHA1
- 8ea6b0a038338b85a6250e6e3dee141ef02d7657
- SHA256
- e03e945b9f6c31229d754f323ccf68d58057dd219847bf174d3fbfd4c9cd88b8
-
4C26FB75.jpeg
- Size
- 14KiB (14750 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 384x171, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 8cb89cfdba88ce73818b709b1af4b48a
- SHA1
- 361c81b3e6c9f3dc47dcb2fdf545f46e373fbb18
- SHA256
- bfa4dd6c9e707297335aaaca5ee8fb67a8ca57b4594c87fcb2417be175e565bc
-
1B576522.jpeg
- Size
- 41KiB (42229 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 383x420, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- bf15d31f9ed24b60acd1bfa55827a746
- SHA1
- abc17d0a7bec86a8013890b021b44b0b23801af8
- SHA256
- ad6c5fc3fe195f1ee4d82cfe1939d200fe5d068102c8fe4ff06f280401178e68
-
579B6A8A.jpeg
- Size
- 18KiB (18199 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 384x256, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- a585b363f010ce6d83a043d21eb32e99
- SHA1
- 5f0133b733e39de93b8eef57047a7a060e5818ec
- SHA256
- fb3ee69ab4a69053506aa59043264527f764dca58e7b640d0ca272f28740add2
-
F49862F2.jpeg
- Size
- 23KiB (23445 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 384x246, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- cfe223e2bc0027e9d11c4abb8a160fbc
- SHA1
- 5fc9c9d15bb82a8ada633063dff443e17a520c8c
- SHA256
- 1fdb85df5c578d855374aa03508077ec4933d2ed2bbfbdaac912c3339ce54b12
-
~WRS_A71F5A4B-95F4-4E0F-9C59-2B77151B1767_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
D7FEAB76.jpeg
- Size
- 42KiB (42701 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 480x297, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 856fe6f39573e57ed5c7d0e6308bb77d
- SHA1
- b00811f9e48f74ae1854811cc19d79900c5d6ff0
- SHA256
- e63a8feea089726c081b4feeaacde83074b56a81187d619f9b87796e96c907eb
-
6EC1B8F.jpeg
- Size
- 272KiB (278980 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.02, aspect ratio, density 71x73, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2019:06:20 17:32:07], baseline, precision 8, 621x1004, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- d1448c71b6d2883a9717926a516c90b5
- SHA1
- 2bb6491e8bec4a21bf865921d09944dd21c910ef
- SHA256
- 5637cac9d3cca4ab3737c3e2cc7e3ddcbbfd368503240a34a59aa5c61243cee5
-
9F31AFD0.jpeg
- Size
- 23KiB (23489 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 384x216, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 6332a50124ab80ef1906e22716945f58
- SHA1
- 6533b7d1091aa53a501db3288fecae12a1509a32
- SHA256
- f4b8228e946cb8d8149b79c48600c0c354b4997e1f5ad835f47ba43a66381ee4
-
642C5328.jpeg
- Size
- 20KiB (20360 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 384x216, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 520c10d8269a82249d7235e79c9e189c
- SHA1
- 62678aa26abd538bf45c16d0879896a66b62c039
- SHA256
- 544047d0ff0db085dd35366ece7d08c2be09175f6a0d0abe7eda818da9dfe4a9
-
CCCB724B.jpeg
- Size
- 48KiB (49131 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 366x383, frames 3
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- 0776316bf34efd850bc7713b3d60cd6b
- SHA1
- ebf2d0b0354caff6f8409b39e05a30356bdcd1c2
- SHA256
- 776d221bdecc7177956dd292f480929ff4f891edd090656e7990ac7298ab8dd8
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 1612)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
Notifications
-
Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)