Analysis Report COVID19open_closedPodsVACCINE_LETTER2B.docx

Overview

General Information

Sample Name:	COVID19open_closedPodsVACCINE_LETTER2B.docx
Analysis ID:	353581
MD5:	e65769cca6ce8214adf674a8001d83b4
SHA1:	d3800da27e0aa660f04da269b5392fb3f4c26eb5
SHA256:	b0ecb837f4df662ff941ce2cdb64cea78b07c22b1e9ad0d328229aa9dd9f1996
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

JA3 SSL client fingerprint seen in connection with other malware

Classification

Signatures

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 199.192.8.2:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.192.8.2:443 -> 192.168.2.22:49189 version: TLS 1.2

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4CD7B63-97C0-4A14-814E-1968BCE52029}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.dhhs.nh.govDNT: 1Connection: Keep-Alive

Source: 4MUVPDOK.htm.3.dr

String found in binary or memory: <div class="social-media"><span><a href="media/pr/index.htm">News Archive</a></span><a href="https://www.facebook.com/NHDepartmentOfHealthAndHumanServices"><img src="graphics/icon-fb-like.gif" alt="Facebook Icon" width="42" height="20" /></a> equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: www.dhhs.nh.gov

Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: http://coveringnewhampshire.org/
Source: jquery.jshowoff.min[1].js.3.dr	String found in binary or memory: http://ekallevig.com/jshowoff
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: http://thedoorway.nh.gov/
Source: textsizer[1].js.3.dr	String found in binary or memory: http://txkang.com
Source: element_main[1].js.3.dr	String found in binary or memory: http://www.broofa.com
Source: ~WRS{A7F4CFE5-FD14-491B-BD17-FD822CEDA35F}.tmp.0.dr	String found in binary or memory: http://www.dhhs.nh.gov/
Source: textsizer[1].js.3.dr	String found in binary or memory: http://www.dynamicdrive.com)
Source: index[1].htm0.3.dr	String found in binary or memory: http://www.recovery.gov
Source: seniors[1].htm.3.dr	String found in binary or memory: http://www.servicelink.nh.gov/
Source: seniors[1].htm.3.dr, disabilities[1].htm.3.dr	String found in binary or memory: http://www.ssa.gov/
Source: 4MUVPDOK.htm.3.dr, index[1].htm0.3.dr	String found in binary or memory: https://business.nh.gov/Sign_Up/cal.asp?w=grid&y=7
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://nheasy.nh.gov/dcyf/#/
Source: ~WRS{A7F4CFE5-FD14-491B-BD17-FD822CEDA35F}.tmp.0.dr	String found in binary or memory: https://prd.blogs.nh.gov/dos/hsem/?page_id=11170
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://schoolsafetyresources.nh.gov/
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://search.nh.gov/dhhs-search.htm
Source: element_main[1].js.3.dr	String found in binary or memory: https://translate.google.com
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://twitter.com/NHDHHSPIO
Source: seniors[1].htm.3.dr, disabilities[1].htm.3.dr	String found in binary or memory: https://www.cms.gov/
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.go
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/#skip
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/#skip/www.dhhs.nh.gov/favicon.ico
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/#skipj
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/#translate
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/#translateilities.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/#translateilities.htmt
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/R
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/Root
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/about/index.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/about/index.htmies.htmp
Source: imagestore.dat.3.dr	String found in binary or memory: https://www.dhhs.nh.gov/favicon.ico
Source: imagestore.dat.3.dr	String found in binary or memory: https://www.dhhs.nh.gov/favicon.ico~
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/adults.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/adults.htmm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/adults.htmmt
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr, ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/disabilities.htm
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/disabilitiesRoot
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/families.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/families.htmx
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr, ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/seniors.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/seniors.htmv
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/teens.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/teens.htmm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/teens.htmmr
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/women.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/women.htmm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/foryou/women.htmmr
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/index.htm
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/index.htmilities.htm
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/index.htmjNew
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/jNew
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.dhhs.nh.gov/ps://www.dhhs.nh.gov/favicon.ico
Source: element_main[1].js.3.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: element_main[1].js.3.dr	String found in binary or memory: https://www.google.com/support/translate
Source: element_main[1].js.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_42x16dp.png
Source: element_main[1].js.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_68x28dp.png
Source: element_main[1].js.3.dr	String found in binary or memory: https://www.gstatic.com/images/branding/product/1x/translate_24dp.png
Source: 4MUVPDOK.htm.3.dr, index[1].htm0.3.dr	String found in binary or memory: https://www.nh.gov
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.nh.gov/cov
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.nh.gov/covid19
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://www.nh.gov/covid19/index.htm
Source: ~WRS{A7F4CFE5-FD14-491B-BD17-FD822CEDA35F}.tmp.0.dr, document.xml	String found in binary or memory: https://www.nh.gov/covid19/resources-guidance/vaccination-planning.htm
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.nh.gov/covid198This
Source: ~DF18054AB76B5B25D5.TMP.2.dr	String found in binary or memory: https://www.nh.gov/covid19://www.dhhs.nh.gov/favicon.ico
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.nh.gov/covid19R
Source: {0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat.2.dr	String found in binary or memory: https://www.nh.gov/covv/R
Source: 4MUVPDOK.htm.3.dr, index[1].htm0.3.dr	String found in binary or memory: https://www.nh.gov/disclaimer.html
Source: 4MUVPDOK.htm.3.dr, index[1].htm0.3.dr	String found in binary or memory: https://www.nh.gov/wai/index.html
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://www.nhcarepath.dhhs.nh.gov/
Source: women[1].htm.3.dr	String found in binary or memory: https://www.servicelink.nh.gov
Source: adults[1].htm.3.dr, disabilities[1].htm.3.dr	String found in binary or memory: https://www.servicelink.nh.gov/
Source: 4MUVPDOK.htm.3.dr	String found in binary or memory: https://www.servicelink.nh.gov/locator/index.htm
Source: disabilities[1].htm.3.dr	String found in binary or memory: https://www.stablenh.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown	HTTPS traffic detected: 199.192.8.2:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.192.8.2:443 -> 192.168.2.22:49189 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: clean0.winDOCX@4/90@2/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$VID19open_closedPodsVACCINE_LETTER2B.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC6D7.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2420 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2420 CREDAT:275457 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: COVID19open_closedPodsVACCINE_LETTER2B.docx

Initial sample: OLE zip file path = docProps/custom.xml

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.192.8.2	unknown	United States		19713	STATE-OF-NH-USAUS	false

Private

IP
192.168.2.22
192.168.2.255

Contacted Domains

Name	IP	Active
www.dhhs.state.nh.us	199.192.8.2	true
www.dhhs.nh.gov	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://www.dhhs.nh.gov/	false	high
https://www.dhhs.nh.gov/foryou/teens.htm	false	high
https://www.dhhs.nh.gov/about/index.htm	false	high
https://www.nh.gov/covid19	false	high
https://www.dhhs.nh.gov/foryou/families.htm	false	high
https://www.dhhs.nh.gov/foryou/women.htm	false	high
https://www.dhhs.nh.gov/foryou/disabilities.htm	false	high
https://www.dhhs.nh.gov/#translate	false	high
https://www.dhhs.nh.gov/index.htm	false	high
https://www.dhhs.nh.gov/foryou/adults.htm	false	high
http://www.dhhs.nh.gov/	false	high
https://www.dhhs.nh.gov/#skip	false	high
https://www.dhhs.nh.gov/foryou/seniors.htm	false	high

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	PNG image data, 16 x 16, 4-bit colormap, non-interlaced	9FB559A691078558E77D6848202F6541	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0B411F14-70B5-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	0918AB22B611EEF104CECACA7B22E8C9	9E80332E5617430D6C0DDCB65630EEB1228DBEF5	FB3E5A3AA1F52681A52E5A3EA325DCDE344F89B058B7F5DE333830AB08F05B86
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0B411F16-70B5-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	71AEAA2C5B76D051DC481B9413F06413	24A3F0A6DC6F4055E54F0DEA763E2FC9D2BA4EAB	3C15D8C313D0D428900A3C54EA274B2C85ABB7F6EB7DD7177D7D71A9EFD6708C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{21E37B5F-70B5-11EB-ADCF-ECF4BBB5915B}.dat	Microsoft Word Document	9F0B533C3B760EB3EE6FF716CA3D9654	DA15809DD9A45921169EB8B1B7D1D12132C59F1A	002BAD70688470D152254BA8108BE6646AF4007240F4E856DC4F2F2473F67B2A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\lr5drzg\imagestore.dat	data	92E9CE310D6E921325AFCFFF5EBF6FCA	18BB4F0B83994025410D19A3868ACC8C8545D4B4	33D739327DFAC015E56168CD9041B36F83DE17D739A703BD92E4BFEA433064C5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	CDF81E591D9CBFB47A7F97A2BCDB70B9	8F12010DFAACDECAD77B70A3E781C707CF328496	204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\arrow_blue0[1].gif	GIF image data, version 89a, 11 x 11	8B3611F88D6E07154DFE8D4A742873E1	614D6285952ECF50A5F0F1440E9D21BBAFD1CB2E	A3933D871CF7DAD771954B3BF4FB984C0212903943C88873F0E3439E85285F06
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\arrow_ltblue[1].gif	GIF image data, version 89a, 11 x 11	481110EE043514D98BD1293AF5C9AB25	3E578D2A402635332D857D4A5C3FD007A4A9AEEB	5A25D796794B161D9F544F007A2BF016CF724D9EA39E3DF0EA704CCC3768843E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\button-glencliff[1].gif	GIF image data, version 89a, 149 x 121	C39C3037DA3701E35E53688A1BE5D566	D7CEF2CF7147252F060E80939F18B4557903129A	1DAE627C236A85D5A1C4E0B5BDC8E8D086A0A4BD613670E75A9AC6FB04D702A2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\button-nhh[1].gif	GIF image data, version 89a, 162 x 127	8DF72335578FD65D2DA9759530E147FB	140CC7ACE1A5883659674FA2679C47F89B744412	2790E88A1BF3D336DBDD2200DF5D072A6B7B9BC64EA577AFF2739DAC924FC840
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\favicon[1].ico	MS Windows icon resource - 2 icons, 16x16, 32x32	819BA8DE904F2B86056DCC32A92874A4	5128B5AC8EC1CE19E81A928A516FDEE3C1DDA332	5762EB82D249E88BAE39E8B719EB5F577EEA6C611313332721D7D3079C1ABB7D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\granite-advantage[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 150x95, frames 3	6C3A8F80884C06933EAFB4EC5FA06097	E76940F48B89C65B91384FB2F13BBBDE7897C419	6494DEFEDB24BDCFA6D32AD4DEBC58BB064ADB5A55F03E3A6DE2DE7CEF24D04A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	3F57B781CB3EF114DD0B665151571B7B	CE6A63F996DF3A1CCCB81720E21204B825E0238C	46E019FA34465F4ED096A9665D1827B54553931AD82E98BE01EDB1DDBC94D3AD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\iconseal[1].gif	GIF image data, version 89a, 25 x 25	3EF0AE339337F22320D8CCAC504A8449	C747754A317B308869186DEBB10DDB77E756D7E5	33A14A6CB3939700FE78DEAAFD649992667C7247A84639E627B7168902557367
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\index[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	7FAC353FD6E72A2C75820F2276D522D5	DEEC13C8F8CFB6A44E92FE15A5BBB4D18D1EB539	B8FF55F1551A2611F3890196A3E6EA69D579D2DF441AA6AD6141F84F39511238
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\jshowoff[1].css	ASCII text, with CRLF line terminators	EA8F627844489B0D84EA383588E13730	D86649EC726D7009B075FEA0DD76C87B73F28857	28BBAE52F137499A252D25447764FB3A84EE0E6A1C46406C3A62B5E494A6BBBE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\largeA[1].gif	GIF image data, version 89a, 16 x 13	BD22ACECC5B91E4BC9207FC9D6EAD4AB	C0503CC700CFBD52477ABBE82987B1A15E4C7AA7	3FB0331CA28F01CAA741C42F84B0ABED4928B3BD2EF108666C6A1CA08CDD323A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\search-icon[1].gif	GIF image data, version 89a, 18 x 18	5BE960805AA62A3CFB8CFDC14C115507	32A3B1D41AC4289D2F5D20927049E5F14BB75250	48173769D629B75D62E6AF43347CFBAA504A8A40B96B01D59B81149775235B91
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\seniors[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	884814DBA14EF841EC18FADE7145DDF7	F8B9924FD70BA0B42959DF852C0FDB2F6B6980B3	D2A61C184CC788FC32DCE676C1E0D8FB6DE2EA465981069C875E50A60812EA76
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\the-doorway[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 150x112, frames 3	C258A4DB13A03F1076CBD63293759F48	D710F07E70044D66A5021F9FC5A1D72DD7856670	1482933B0E678AAB9D19132EE458E09FCB16A01712D9755BBA31A74B4A76FEE7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\translateelement[1].css	ASCII text, with very long lines	DBC4C9FA52A475411EB75595DA532797	099407F8C66BC19CC7DA10EFB2715EAE0373C966	6149F95C1EBDDE5391898E22A79821A810336F6BD74318291B4F49F23FBF0FA8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\women[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	86AB93FC9FDDA269C5974261A1D1EB1E	3A0B4753FE80FD8D67F965DED7906DA9C996EBD1	57BBA8778C55549B83883E7750D4D5E2D18459E8F6C77106063B08ADE2C7B4A3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\400x25officialsite[1].gif	GIF image data, version 89a, 400 x 25	C242FCDA1B5DAA99D53BAD09E619D169	36C3FA7B2EFDD718550348B7E3E445782C912341	90E1AE9F18C3A094D16CC4ED11AC93E3561ABB41308B0FEB0B30C166DC15D130
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4MUVPDOK.htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	5E7BD12E328C4AE593734E1AE2AB3317	5E1CF57202212E5A99323A7728FD8D2B5489C244	D0E97980D5E7C8609F31EDD59D321A0F9A22E44464929387251959EAEFF56069
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\arrow_green0[1].gif	GIF image data, version 89a, 11 x 11	FBD0E6E9B04C2C0F0DE3B9B372EB91FF	FF07B76F9896AF9DCFD72E2DB5167C5C7064B0C9	595D5753D57518C1235FAE639F2665608B8639BB8E12D12DE33339EC4CC9760A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\bullet02[1].gif	GIF image data, version 89a, 10 x 10	13124C1D196F71BFBDBF3B68247C2621	23A19F2D059EE561894A7384CBE9CEA240365902	AF96E242BC1EEA19BFBC52436761ACD8D1E7B4BA4307BD051D2EDD1E04C026AC
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\button-sysc[1].gif	GIF image data, version 89a, 149 x 121	BCF9D8B990427A3FD6076D8B828DC634	249E51075BA8E049CF92373FB31175F03950A54F	2CADB2795C254C1BC18A7FC3E766D5AB760C9566F323E2DA3A60629E8028A88C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\calendar-graphic[1].png	PNG image data, 170 x 126, 8-bit/color RGBA, non-interlaced	6452F1EC1866D5ED498BAC41660565B5	B1232C23FCC3A911400E6E6AB9437C14D20D72DD	87D61DAD66681572B3AC12B40CC346BB37D0FFDB9BB83CCF9482C55CED44386C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\carbon-monoxide[1].jpg	[TIFF image data, little-endian, direntries=12, height=292, bps=158, PhotometricIntepretation=RGB, orientation=upper-left, width=600], baseline, precision 8, 515x251, frames 3	C83AD720C9E8C9FF4099CD8A74F63990	EB99ADBE8DC292769D7550A97A0236BDC2F46592	176E7581B8833A56D160D6CA01B0C29D4951086689BB1293C767DC6F30725181
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\covid-alert[1].png	PNG image data, 730 x 50, 8-bit/color RGBA, non-interlaced	59B7681053FC2B1C2C65959FB27A4070	DB31AAE7E08B2094C011ACA0A5154440D65ACB83	7749ED0E11D5E9D973396ED23D5D430BEB9EE9A0211F5A6B341E716FD38A6C18
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\disabilities[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	2E6BFC98C1A69CF7AF7CB106EEACF2C5	B63D9DA9EB752D4D9D796C52C4BC486649181B7D	21391118F3550181965D8E741186A81F40D3C9D7F769FD2697D1399125914E48
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	73C70B34B5F8F158D38A94B9D7766515	E9EAA065BD6585A1B176E13615FD7E6EF96230A9	3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	6B26ECFA58E37D4B5EC861FCDD3F04FA	B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA	7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB5418723A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\families[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	0E04DAF9A1FBC9411CAA3AE7B492F94F	0D34BD0339F12ECCBDAAAA8ABD0A0059878F7035	5943A3D48401734486E22AA810F54D142DB12E3F94847981F80B416113B937CD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\icon-sp[1].gif	GIF image data, version 89a, 19 x 29	BE84D93A3126CAFBBA9E92D25F139F7B	55F18DA72A71AC3F4CF7B4A6FB3053ED0169FFA1	B264D426F9B80C2C02B49123C628B62AC446AAEAD5F4874780F900AB024228AA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\icon_flash[1].gif	GIF image data, version 89a, 16 x 16	F39970CEE0E709A2C6225C686E877E23	37193D45B1BD8C7B81F2B50B5BAF80DC3DFA998D	74F8DF3D7341D6CD60F342F3EFD6433FEA89B34AB60BEBEE6EA17AD728B05360
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\jquery.jshowoff.min[1].js	ASCII text, with very long lines, with CRLF line terminators	AF1015158867ECB3BC8B923ABA626215	DE5FB1BB2BF305F070A706DFBEFF57249753ECF3	F40473668CB3C72EF3AC8EDDC7945A672DFF271BF54351F639E704FDE2101237
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\office[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 300x150, frames 3	D8CDC6D6E056F4A1FEED452196E47D89	E10CE7AB1ED5ED55BBE46EE18C2BF9DCBAEDAB32	D803225F1F2A6E5B267C8DCF448605D5F7122DD30FF37FAAAC185E044FA291C2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\print[1].css	ASCII text, with CRLF line terminators	32C7EB2120D98C96C282E7A824E7694E	7CDB846962FC7D84DEDE41B922AF71AB8E652134	9136B91FAF455180E6E18CB97C04C2B79E812DA891B83EB84E30DE87E7BC108F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\teens[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	2705710F50F1FCD80BBE013CFAF39709	31A4D90A2A00B3C49F16FB0997601E47C2B53E01	7DDE0955645983167AD367FA1C4997027D8DC8743E7DD25556DFAB48C8FF680F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\textsizer[1].js	ASCII text, with CRLF line terminators	62BC4FEA155137DB1B998918DD1E30BF	D91108573500AD5AF21159209A97A4C097B43737	6C4417DE30F53EB52ED26D95EB080F7A14F9F3DA1E522901443A8EAC5B3A8F0D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\1000x100-jpg-header06[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 1000x100, frames 3	5A2DC4F484EF0A7390493900283BF3EE	051CBC0963BB50413B4D30F156B4C4356A82F924	6BBDA937684C997DDE4E58722C1E6A3EF7850689E47F774E8B36FA02E5ED10F9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\adults[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	85B0F79695E7ED054B29DB8302CA25D5	658F62645B373DFDBEC811C65C03EC4C86251468	191244EEE601C101C32E698C4D89F0AF93254DD857A98C205EC63F68985FEEA1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\blkbk[1].gif	GIF image data, version 89a, 10 x 1500	5DF60B7A94DFBA01BC3D5BA68D251FE8	E565D5D502D3D67A21BF6F1F9E548A8B001D31EC	1EAC78A2FF61CA6D0C15A9F234AE8F7D9A3F5DB355CCC6ED6E076C8CE9DC63B1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\contribute[1].css	ASCII text, with CRLF line terminators	F4AA7DC965F75669BA81E2FCADB6C90C	ED92B90179E71ED3FB69524E04E4CB4F3C0BE012	D618BD7BB0D1C11CAC61D9C0B4EA612A48489373A6438E22605B084B15CFEDD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\ds[1].gif	GIF image data, version 89a, 1 x 3	45FAFCED0B565CC5670032533B890B13	91CE14BEAE79694AC4E4BAA8961E92F8BA54A2CE	7DF51310F47487A4B39B74D302FCDE64FE1AAFCA56299E3D05280965FC659C5F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\emergency[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	C60B197F794D1EB6EF8D8A73033E969D	4AF6B6DAA296BC4CDC72EDB6A268EF335A5CD8CC	BFD7FE7E41D9E55BD6BF4B0D9914AC28A93260F09F6D932ED2177BA2178F8956
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\flags[1].gif	GIF image data, version 89a, 133 x 27	CEFACB60C7B755E1A53603D7CEAB1BB3	435E52E63BEC97DCC13C2B42A25D5AE761B346A4	258CC7FC6046B5AB054B2072DE33F2911711C33F49E69651E6012BE6AE33C27C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\flu-fighters[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	C6E205CAA1F6106D3F67425E4C6E8E70	4FA3F989BE28B335B08F71A84F9B9DC13172A76E	4D07033D5B68191D651197A33C485FE6C650B1B01F8D1588F7B82BD8B12AB432
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\heart-month[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	138058CA58F83B75F25F09454E7BF9BA	AD842387E5B44D3B08EB30A63E34D558AF87BF83	F677978867311882735247A034E6A16E237992510302412FC3F1FEC723586246
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\icon-fb-like[1].gif	GIF image data, version 89a, 42 x 20	E8DFCB236B83526AF6EB96348B06F0C9	B741A536E0D2AE5C828D55DED39E17A60D5E1FA3	614EB76A4DD29D91EA72883E702C609CE3E2AE3E12C2E5F96B2FCD32AA87860D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\icon-twitter-bird[1].gif	GIF image data, version 89a, 21 x 20	E102D568E8974BB0951E4196BA687BFF	4D019064F21C2322E537DE510F1649418FF573CA	67DC276FFF422D3FD9A118EC00E8375CBD3BC036BB31507CFD5DF3D4B479D4C6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\icon_pdf[1].gif	GIF image data, version 89a, 16 x 16	47FD53FA9278B645A64B42C31F0A7068	E4293C1BA08413FBCCCA5CC67733F2A972A31869	72293FE33F7F462A579E0297AB625D20AA53470ABF7A77B5E0AE5112FADA4F4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\index[1].htm	HTML document, ASCII text, with very long lines, with CRLF line terminators	5E7BD12E328C4AE593734E1AE2AB3317	5E1CF57202212E5A99323A7728FD8D2B5489C244	D0E97980D5E7C8609F31EDD59D321A0F9A22E44464929387251959EAEFF56069
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\main[1].js	ASCII text, with very long lines	8399EAE5D919815405DAECDA2A1C379E	AC81F99AC35067FDAE2A27EAE6DDD46DB00ECB95	D42383B5324502731C01F9F7A3E006A19287ABD6035519E3DA33F9861FEF1C24
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\mediumA[1].gif	GIF image data, version 89a, 16 x 13	5A98EE12BAD5586737424F8F3F58EDB6	1CC67DA5C621209969D0EE01EDAEDBC505187B0D	43707815C4248E0946B2DB9117290955CB5EB684F8C8D3D45EA467C88EECB197
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\smallA[1].gif	GIF image data, version 89a, 16 x 13	6F8CB4A1EFB4DF5320B6E70E53577E59	22845864135E6938A5DD1B7CE5C7AA44624F1318	0C45128E99EE08762E4CBB4333C5FFB0C95149B8C3BCCED7A84FB37423CE8C33
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\urlblockindex[1].bin	data	FA518E3DFAE8CA3A0E495460FD60C791	E4F30E49120657D37267C0162FD4A08934800C69	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\1095b[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	0EE5FD39F46045C84BB6EBECBF8035D6	8BC1DEF29E22D9F2480272E0948644564F6480F9	79B552F5C7B43E7184AE479DE4E41DFDF311D326400FAC2AA60A895C02C0E3E9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\arrow_gold0[1].gif	GIF image data, version 89a, 11 x 11	D7A4D95354A5FFDF666AFFE4F7516A0E	E65484EB06115E888D29C35C3864981BE8EC9D42	3F4D9CC02EB84C4BC1BF181F3452386B2FFC1D64E62FDA21E03F3B6D94CF0866
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\base[1].css	ASCII text, with CRLF line terminators	13E2FB1DBE808B94F25CFD15AEE41B5C	E45D3AC77A426E9D1109B2646733F7CC42FCA786	84DB1D2BE46F6A48520BFC629BF41A4CD1142AD91387836B4764E328F1922233
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\coronavirus[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 525x295, frames 3	956167D6912A4B6EFC08FE7C6A8C1EDB	1B2D9ABD46E8F6CFC2F40D236592149A63AF6439	AFD9A3BD4278B33407F7064C304320416ADF34F1C4CF0FE8198CCCDFD4803001
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\december-hours[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	ECFB185FF12D8F7DE124CF7E8BF0D634	8B2B7B850D1DAFAE39EDF206B31ABB0521A3917C	BDAFEB1081CA5605A9A4CA075B8D2265D1240EBDE0C68975456C9A99DE9955B9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\element_main[1].js	HTML document, ASCII text, with very long lines	92DFFCE3439552F9ACEC893F2868D717	5C9896BAC2ECE31D9AC9EB06F987868305BBC294	86207A548361E9FCDC830F7CCA9540C7C93FF4132DDE2A72FB38D23151BD46A4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\favicon[1].ico	PNG image data, 16 x 16, 4-bit colormap, non-interlaced	9FB559A691078558E77D6848202F6541	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fostercare[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	6FE5C99F3AD40EBE00993B05EC5D7F32	E860C4ABE558DE616D9397EE7CFE998350E8E3D8	96D49E04118C68C4A484AF79321C1A5A2971BB7CF9D999087907D482DED392AC
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gcd-seal[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 180x64, frames 3	07C2F782572AD5329109465D24EBD913	225F2226243AFFAF4BD532E5F648B2EFB7FA5ACF	395DD501874DA9003C8A81010C9F8ABF42EAA7E4BE9BFB2012292777B6C088DD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\icon-html5[1].gif	GIF image data, version 89a, 14 x 16	55CD44DE3D9F59E354724A9B8F596480	E7475B120C2BFA0C2FCA178A529CCAE8CA59C79A	ED67A9A6C7C62F034582E52E78B5D49CD905C7F74826515EB57EF8DE44FE0E9E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\jquery-1.2.6.min[1].js	ASCII text, with very long lines, with CRLF line terminators	3D5C23458FF980BD76BEE32E76FAAC86	FE16C08BCEF433F057A253330C3548F46F2DFECF	FF8FE30E152C0EDDAABEB0738FD227DABB8BF538773A7D5E58875C49B53A4A25
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mcm-logo[1].jpg	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 150x79, frames 3	E561CBE87F6A44380263CA3ABB7C1E2C	DDD632CDD5F527DDE481A3FED8A2888E08D59045	AFB1AB303CA752AEF90361ABF3F0357B6A84E7B99FD6A8540314A8B737BB9285
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mental-health[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	96D4920CFCAF9ABFDCAA8522656A3137	7B2B2F6ED65D0F633DE370711A2F762D18D9AE59	18F1A2D6CB258D5F92E9EC463EC03D785EBDAC35A24A63B213FAB634871D7570
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nh-carepath-logo[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 150x120, frames 3	B0C94593EF1C63C0CEAA714BE26132A6	95B1CC7C6E2BE75109866570C9BD0431567A1720	0B25A99E9C77709FF905B89C867095AE8E2572FE981F1C15D6C402D9F01F8A29
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nheasy-sm[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 150x57, frames 3	62503F5C9E724CE0B0FD8DAE92EEDE35	05C0EC56843E278D8D58907922D5BBC08DE8F7B7	3945CF14451E5306AD82AE641F105BD4EBDEBBD65F1CB0FD6F865D1F39BE7571
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\school-safety[1].png	PNG image data, 150 x 49, 8-bit/color RGBA, non-interlaced	4E5DEEFA8F279F99BB93C9EBECFC7B11	C335E28675D5623D124DB3C6874E09DFCA2E4C0F	51A3393B9B1D0D215CBE3AECC4B772679AFF02C9581B07DF09035B1D0AA2C651
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\trans[1].gif	GIF image data, version 89a, 1 x 1	BF7D3E1972B3FE5BFE8C119FEE05E89D	081AF0BCFECBA29D5C4AC9025A3AEBADF79032A5	5B4B97B224D9827C01D7A887A722F4C2A680195C4A66108559BAA0C65220DF90
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vape[1].jpg	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 515x250, frames 3	BBCCABB443E88E5AFA596CDF3FC323AB	D8CFB0DD1C1E2691C6011D6316EE9B51104A799E	36E3C7459F9614AE918519CCB7C020AAC80C58F3C69300BF5B04ACD3E17F9C3E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EDE79FE8.png	PNG image data, 293 x 295, 1-bit colormap, non-interlaced	DA0E31545E3B38505B7318C64BDEC26B	48C54C0AA75AAB40686252301EA47FAB74B1190A	EBC4D461F08B5EFAF6A44B314B4DDBA9025D6D6FB6614FED17A5A03010C68330
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7F4CFE5-FD14-491B-BD17-FD822CEDA35F}.tmp	data	BBF0ACE5B4E6E263E81E31E609B5B25E	93F118AA66A0E2F7FEEDA09E548D3D3E23AAF754	F1848420F03FFE83F59A4F2A4D779ACC906F0E90E733EC8AA010A526FC27C885
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD3EC36A-00F7-42F0-AE81-4807857507A1}.tmp	data	32649384730B2D61C9E79D46DE589115	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4CD7B63-97C0-4A14-814E-1968BCE52029}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\~DF18054AB76B5B25D5.TMP	data	E3CE05837CB55C58B3293AD894902DF4	6C25423C1E7AA7CC3F258049BEAFF8904C8C858D	DB5995599C1B4C840CEECD815C6B5147E97248CEA7C664F5344E26EFFB164307
C:\Users\user\AppData\Local\Temp\~DF2979F9B86784BA93.TMP	data	E78B4254B78A3F39978945C7993F9946	4746A8D439D229D7BCFB29411828C00B7D0AFDD1	E635A1059CAB03DF170FAC1461A677BF54F5F5A59D0CA3C66B8A262004BD33AC
C:\Users\user\AppData\Local\Temp\~DF901D34AC6B03FD18.TMP	data	AB93A7D98D5A18E80893085CDDE2CAB4	37A38BA403D2A2E4542E632DE9E698D7D0A009E2	00971DAE2943F1EBA5F9FF80DFC51710033F344D8293544FC8693375C79264D0
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\COVID19open_closedPodsVACCINE_LETTER2B.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Tue Feb 16 23:13:35 2021, length=22673, window=hide	D8C6EDA74E20B7DF7096E133CE02E0E7	B73E972D36B411DC8F2F4F6D3B5FFCDB4B15DB80	4BA8FBE7A2CBC1D505234F41F41D981D0364F87065789FE95BD5EE2708D9DC32
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	F90450B9BEDBBE7298CFA132E86C4FED	4B3F0F9887698DDFB7C58973F52068A1ADB56F34	268B002D9E13BBA709B6533A2E3B276022AACB56D0CB130A2837E2E12A47BEB9
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	39EB3053A717C25AF84D576F6B2EBDD2	F6157079187E865C1BAADCC2014EF58440D449CA	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Little-endian UTF-16 Unicode text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\W8HCR2ZX.txt	ASCII text	6AF9372C72304891BF9A894EFCAEDA00	0ADC9038572F1A6AFA729EE87E8B5E573FEE1080	A25D6EC557C20FA2F9133B27FCEFD5AEA90DDFEF4DD08711D63D969483945184
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GBLNFL6087EMVG9NCJ7Z.temp	data	8A3AB1299008C9A803D3975B0DF5DE11	89986181966C0723C063200ECAC01F5D5D4DFC8C	E043D3D794B0F5E38C8D8633BA0807A349C82139A79536951F2998894B73D0CA
C:\Users\user\Desktop\~$VID19open_closedPodsVACCINE_LETTER2B.docx	data	39EB3053A717C25AF84D576F6B2EBDD2	F6157079187E865C1BAADCC2014EF58440D449CA	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A

ID:	353581
Product:	CloudBasic
Start time:	16:12:35
Start date:	16.02.2021
Sample:	COVID19open_closedPodsVACCINE_LETTER2B.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	e65769cca6ce8214adf674a8001d83b4
SHA1:	d3800da27e0aa660f04da269b5392fb3f4c26eb5
SHA256:	b0ecb837f4df662ff941ce2cdb64cea78b07c22b1e9ad0d328229aa9dd9f1996
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Analysis Report COVID19open_closedPodsVACCINE_LETTER2B.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs