Windows Analysis Report
cbH3TvDB3v

Overview

General Information

Sample Name: cbH3TvDB3v (renamed file extension from none to doc)
Analysis ID: 647425
MD5: 4d5da2273e2d7cce6ac37027afd286af
SHA1: 85a659971ad5aea58ff20a078532e688f7e1659b
SHA256: 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
Tags: matanbuchus, msi, signed, WesteastTechConsultingCorp

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains OLE streams with names of living off the land binaries
PE / OLE file has an invalid certificate
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1300 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: cbH3TvDB3v.doc | Virustotal: Detection: 12%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: cbH3TvDB3v.doc, ~WRD0000.doc.0.dr, ~DFCFAC4359F737332B.TMP.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{86E0087D-F291-472A-A1A1-6F1E38491318}.tmp

System Summary

Source: cbH3TvDB3v.doc | Stream path '\x18496\x16191\x17783\x17516\x15210\x17892\x18468' : NameTableTypeColumnIdentifier_ValidationValueNPropertyId_SummaryInformationDescriptionSetCategoryKeyTableMaxValueNullableKeyColumnMinValueName of tableName of columnY;NWhether the column is nullableYMinimum value allowedMaximum value allowedFor foreign key, Name of table to which data must linkColumn to which foreign key connectsText;Formatted;Template;Condition;Guid;Path;Version;Language;Identifier;Binary;UpperCase;LowerCase;Filename;Paths;AnyPath;WildCardFilename;RegPath;CustomSource;Property;Cabinet;Shortcut;FormattedSDDLText;Integer;DoubleInteger;TimeDate;DefaultDirString categoryTextSet of values that are permittedDescription of columnAdminExecuteSequenceActionName of action to invoke, either in the engine or the handler DLL.ConditionOptional expression which skips the action if evaluates to expFalse.If the expression syntax is invalid, the engine will terminate, returning iesBadActionData.SequenceNumber that determines the sort order in which the actions are to be executed. Leave blank to suppress action.AdminUISequenceAdvtExecuteSequenceComponentPrimary key used to identify a particular component record.ComponentIdGuidA string GUID unique to this component, version, and language.Directory_DirectoryRequired key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the Directory table.AttributesRemote execution option, one of irsEnumA conditional statement that will disable this component if the specified condition evaluates to the 'True' state. If a component is disabled, it will not be installed, regardless of the 'Action' state associated with the component.KeyPathFile;Registry;ODBCDataSourceEither the primary key into the File table, Registry table, or ODBCDataSource table. 
This extract path is stored when the component is installed, and is used to detect the presence of the component and to return the path to it.CustomActionPrimary key, name of action, normally appears in sequence table unless private use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetFormattedExcecution parameter, depends on the type of custom actionExtendedTypeA numeric custom action type that extends code type or option flags of the Type column.Unique identifier for directory entry, primary key. If a property by this name is defined, it contains the full path to the directory.Directory_ParentReference to the entry in this table specifying the default parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.FeaturePrimary key used to identify a particular feature record.Feature_ParentOptional key of a parent record in the same table. If the parent is not selected, then the record will not be installed. Null indicates a root item.Titl
Source: ~DFCFAC4359F737332B.TMP.0.dr | Stream path '\x18496\x16191\x17783\x17516\x15210\x17892\x18468' : NameTableTypeColumnIdentifier_ValidationValueNPropertyId_SummaryInformationDescriptionSetCategoryKeyTableMaxValueNullableKeyColumnMinValueName of tableName of columnY;NWhether the column is nullableYMinimum value allowedMaximum value allowedFor foreign key, Name of table to which data must linkColumn to which foreign key connectsText;Formatted;Template;Condition;Guid;Path;Version;Language;Identifier;Binary;UpperCase;LowerCase;Filename;Paths;AnyPath;WildCardFilename;RegPath;CustomSource;Property;Cabinet;Shortcut;FormattedSDDLText;Integer;DoubleInteger;TimeDate;DefaultDirString categoryTextSet of values that are permittedDescription of columnAdminExecuteSequenceActionName of action to invoke, either in the engine or the handler DLL.ConditionOptional expression which skips the action if evaluates to expFalse.If the expression syntax is invalid, the engine will terminate, returning iesBadActionData.SequenceNumber that determines the sort order in which the actions are to be executed. Leave blank to suppress action.AdminUISequenceAdvtExecuteSequenceComponentPrimary key used to identify a particular component record.ComponentIdGuidA string GUID unique to this component, version, and language.Directory_DirectoryRequired key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the Directory table.AttributesRemote execution option, one of irsEnumA conditional statement that will disable this component if the specified condition evaluates to the 'True' state. If a component is disabled, it will not be installed, regardless of the 'Action' state associated with the component.KeyPathFile;Registry;ODBCDataSourceEither the primary key into the File table, Registry table, or ODBCDataSource table. 
This extract path is stored when the component is installed, and is used to detect the presence of the component and to return the path to it.CustomActionPrimary key, name of action, normally appears in sequence table unless private use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetFormattedExcecution parameter, depends on the type of custom actionExtendedTypeA numeric custom action type that extends code type or option flags of the Type column.Unique identifier for directory entry, primary key. If a property by this name is defined, it contains the full path to the directory.Directory_ParentReference to the entry in this table specifying the default parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.FeaturePrimary key used to identify a particular feature record.Feature_ParentOptional key of a parent record in the same table. If the parent is not selected, then the record will not be installed. Null indicates a root item.Titl
Source: cbH3TvDB3v.doc | Static PE information: invalid certificate
Source: cbH3TvDB3v.doc | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{EF825FBA-D225-41ED-8810-8C00E821558A}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFCFAC4359F737332B.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR4F47.tmp
Source: classification engine | Classification label: mal52.winDOC@1/18@0/0
Source: cbH3TvDB3v.doc | OLE document summary: edited time not present or 0
Source: ~WRF{EF825FBA-D225-41ED-8810-8C00E821558A}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{EF825FBA-D225-41ED-8810-8C00E821558A}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{EF825FBA-D225-41ED-8810-8C00E821558A}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~DFCFAC4359F737332B.TMP.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: cbH3TvDB3v.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\cbH3TvDB3v.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$H3TvDB3v.doc
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: cbH3TvDB3v.doc | Initial sample: OLE summary comments = Adobe Font Pack
Source: cbH3TvDB3v.doc | Initial sample: OLE summary template = Intel;1033
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: cbH3TvDB3v.doc | Initial sample: OLE summary keywords = Installer
Source: cbH3TvDB3v.doc | Initial sample: OLE summary subject = Adobe Font Pack 3.0.12.9
Source: cbH3TvDB3v.doc | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: cbH3TvDB3v.doc | Stream path '\x16944\x17191\x14436\x16830\x16740' entropy: 7.99804442398 (max. 8.0)
Source: ~DFCFAC4359F737332B.TMP.0.dr | Stream path '\x16944\x17191\x14436\x16830\x16740' entropy: 7.99804442398 (max. 8.0)
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (1) | LSASS Memory | System Information Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
cbH3TvDB3v.doc | 12% | Virustotal |
cbH3TvDB3v.doc | 3% | Metadefender |
cbH3TvDB3v.doc | 5% | ReversingLabs | Win32.Trojan.Matanbuchus
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
windowsupdatebg.s.llnwi.net | 0% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
windowsupdatebg.s.llnwi.net | 95.140.236.128 | true | false | unknown
No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 647425
Start date and time: 2022-06-17 08:34:29 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: cbH3TvDB3v (renamed file extension from none to doc)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winDOC@1/18@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
No simulations
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
No context
No context
No context
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 458752
Entropy (8bit): 4.735992448126498
Encrypted: false
SSDEEP: 6144:R9pfkFilPaCymEsnOammmZmyPQGzzDiYIEjEPJDkBhQuaVuzyyVqZ0VDN7Axv1pb:Rrfk/sEsnOEmZkGziYjKG8yzVU0
MD5: 2C989C2AE2B1DAFAB5DB082552AE7F66
SHA1: AE0EE664217D93637263E4D08F85B9C1272E6C88
SHA-256: A55D6F948C8D4B264A534AE18F76D5F0C3D81DF09BE67CBDE8025F0F06BD7552
SHA-512: 79A75D89CE0C6C0ADF7A3D36203C8B6744F2DFA31CB48204BD4C82F3B8EF96B9B6DF5766607083A84BCB28ABD3C651C758EDEAD77BD739B00B4ED5CD8711E3FE
Malicious: false
Reputation: low
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 2560
Entropy (8bit): 1.4218425773348333
Encrypted: false
SSDEEP: 12:rl3lTpFQ9zITdx4Tdx4CITdx4Tdx4CICICb77:rnMsSQS
MD5: 494CAF9C738E716D3AB4E45D7B96D0EC
SHA1: D25901404B00AA483FD40D3F72D8E4D567AB2E02
SHA-256: 0657260D3DD27D847A64429A3C1C7ACC1719E1E695F8C323510092D21DFA3F55
SHA-512: 291415F22CDA11A3EAB2481B41AE9F2664DE611C1927E17D4D7371E6656CC4AE1C18DD22ABFE184207FC37EA341ADD13940241ECC199CBCD90098EAD0CCC166C
Malicious: false
Reputation: low
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3586208805849453
Encrypted: false
SSDEEP: 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbl:IiiiiiiiiifdLloZQc8++lsJe1Mz4ln
MD5: DA2580321E202DDEB38F4D0E29274736
SHA1: 0AF25FAE28EF1A8B410B0A35737537F9F981052D
SHA-256: B3A63382F9756071CB68BAF81020F94C4E6056A6FB568F52C345F8F1FA27D1AE
SHA-512: BE3D65114554C1CD2D24489FAA3DFF49F29068202E3D712065C94B3D55FE91A3B988106677282F7013BC79FF2F798A2F5E84627F69740A9AB39E889F6A9CEE30
Malicious: false
Reputation: low
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:high, very likely benign file
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Reputation:high, very likely benign file
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Reputation:high, very likely benign file
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Reputation:high, very likely benign file
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Font Pack 3.0.12.9, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Font Pack, Template: Intel;1033, Revision Number: {20BC971C-913C-4948-9C90-6E85B0BF418C}, Create Time/Date: Thu Jun 16 10:55:20 2022, Last Saved Time/Date: Thu Jun 16 10:55:20 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:dropped
Size (bytes):229376
Entropy (8bit):7.61117273001489
Encrypted:false
SSDEEP:6144:zi4SAoa1aq9oOGwFVL4/QUDDNHdOxOzd5:zi4SAoal9ogFVCDnNHdO+3
MD5:4D5DA2273E2D7CCE6AC37027AFD286AF
SHA1:85A659971AD5AEA58FF20A078532E688F7E1659B
SHA-256:5DCBFFEF867B44BBB828CFB4A21C9FB1FA3404B4D8B6F4E8118C62ADDBF859DA
SHA-512:8BFEA7FA9DE79312239C1B4F042E3955D31A12483DD7770F71F145FC8ABD3DEBA35257386F1D3048B3203945017494317E237AD887039CF4B5547103EB2E03C1
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jun 17 14:37:59 2022, mtime=Fri Jun 17 14:37:59 2022, atime=Fri Jun 17 14:38:10 2022, length=229376, window=hide
Category:dropped
Size (bytes):1014
Entropy (8bit):4.536289001877021
Encrypted:false
SSDEEP:12:8CFgXg/XAlCPCHaXRBktB/fJUX+WHcc4J/5xcicvbCbiZxoDtZ3YilMMEpxRljK+:8u/XThO0pIJ/PembhDv3qz4Y7h
MD5:5734C98CA1B9E648AEE2327ABB1A930A
SHA1:5EF3571B7AF7A8945CDD607C715110B1A27B3D6E
SHA-256:F21C944D2B2E89CC13894DC60E960D515F564F59C64A048775858A328C9CD755
SHA-512:B616513D1DC29600D64F851807E9905F529B5749175EF36D01C440A86FAB2567C28D57F55DC26B018604989FA66528A3E01556CC406DB471C040587EC27DCB31
Malicious:false
Preview:L..................F.... .....Q9`.....Q9`....W.?`................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1......T.|..Desktop.d......QK.X.T.|*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2......T.| .CBH3TV~1.DOC..J.......T.|.T.|*.........................c.b.H.3.T.v.D.B.3.v...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\210979\Users.user\Desktop\cbH3TvDB3v.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.b.H.3.T.v.D.B.3.v...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......210979..........D_....3N...W...9...N..... .....[D_....3N...W...9...N..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):71
Entropy (8bit):4.71294052135898
Encrypted:false
SSDEEP:3:bDuMJle+QTpuYCmX1QkVQTpuYCv:bC8GYkVGC
MD5:034F2FD31ECE3536B42E92C038548F4B
SHA1:7F3D42C3DD8A10ADF6B38CED645CE78C669348C7
SHA-256:6B25FAF0DBE8471169F024D6B9BFAE2EBEE92EA38791F2CF5803CCE68140EF8D
SHA-512:668169E2A8F05B766B1B26E13CBA3355A20C0BCA466D69571619014EFF9C06983F1DB6F8BF6AC97A3D8C411B2248B0A9862F16DC2A1A7195283E905DFCE589AB
Malicious:false
Preview:[folders]..Templates.LNK=0..cbH3TvDB3v.LNK=0..[doc]..cbH3TvDB3v.LNK=0..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.503835550707525
Encrypted:false
SSDEEP:3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l
MD5:C5E24006AFAC8C2659023AD09A07EB0F
SHA1:4B7B834BEDADFD0A2764743E021D40C55A51F284
SHA-256:7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
SHA-512:673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396
Malicious:false
Preview:.user..................................................A.l.b.u.s.............p........16..............26.............@36..............36.....z.......p46.....x...
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Little-endian UTF-16 Unicode text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview:..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.503835550707525
Encrypted:false
SSDEEP:3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l
MD5:C5E24006AFAC8C2659023AD09A07EB0F
SHA1:4B7B834BEDADFD0A2764743E021D40C55A51F284
SHA-256:7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
SHA-512:673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396
Malicious:false
Preview:.user..................................................A.l.b.u.s.............p........16..............26.............@36..............36.....z.......p46.....x...
File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Font Pack 3.0.12.9, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Font Pack, Template: Intel;1033, Revision Number: {20BC971C-913C-4948-9C90-6E85B0BF418C}, Create Time/Date: Thu Jun 16 10:55:20 2022, Last Saved Time/Date: Thu Jun 16 10:55:20 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):7.61117273001489
TrID:
  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:cbH3TvDB3v.doc
File size:229376
MD5:4d5da2273e2d7cce6ac37027afd286af
SHA1:85a659971ad5aea58ff20a078532e688f7e1659b
SHA256:5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
SHA512:8bfea7fa9de79312239c1b4f042e3955d31a12483dd7770f71f145fc8abd3deba35257386f1d3048b3203945017494317e237ad887039cf4b5547103eb2e03c1
SSDEEP:6144:zi4SAoa1aq9oOGwFVL4/QUDDNHdOxOzd5:zi4SAoal9ogFVCDnNHdO+3
TLSH:1E24024A7B044538D01667392FDBF6E687367C8C8EAB49526297F32C2DB31A051735F8
File Content Preview:........................>......................................................................................................................................................................................................................................
Icon Hash:e4eea2aaa4b4b4a4
Document Type:OLE
Number of OLE Files:1
Signature Valid:false
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:-2146762495
Not Before, Not After
  • 5/17/2022 5:00:00 PM 5/11/2023 4:59:59 PM
Subject Chain
  • CN="Westeast Tech Consulting, Corp.", O="Westeast Tech Consulting, Corp.", L=NORTHRIDGE, S=California, C=US, SERIALNUMBER=4088386, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:3
Thumbprint MD5:0E4E3D01B136D4F9120A1333A90F111F
Thumbprint SHA-1:2A40875C895B648C9583925C7DAD694A2A11D7DD
Thumbprint SHA-256:9ED703BA7033AF5F88A5F5EF0155ADC41715D3175EEC836822A09A93D56E4B7F
Serial:061A27A3A3771BB440FC16CADF2675C4
Has Summary Info:
Application Name:Windows Installer XML Toolset (3.11.2.4516)
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False
Code Page:1252
Title:Installation Database
Subject:Adobe Font Pack 3.0.12.9
Author:Adobe Inc.
Keywords:Installer
Comments:Adobe Font Pack
Template:Intel;1033
Revision Number:{20BC971C-913C-4948-9C90-6E85B0BF418C}
Create Time:2022-06-16 09:55:20
Last Saved Time:2022-06-16 09:55:20
Number of Pages:200
Number of Words:10
Creating Application:Windows Installer XML Toolset (3.11.2.4516)
Security:2
General
Stream Path:\x5DigitalSignature
File Type:data
Stream Size:4773
Entropy:7.602282152400635
Base64 Encoded:True
Data ASCII:0 . . . * H . . . . . 0 . . . . 1 . 0 . . . ` H . e . . . . . . 0 w . . + . . . . 7 . . . i 0 g 0 2 . . + . . . . 7 . . . 0 $ . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . 0 1 0 . . . ` H . e . . . . . . . Q V . 6 . K e . 0 7 ] x * . } { * y . . 0 . 0 . . . . . . . . @ ` . L ^ . 0 . . . * H . . . . . . 0 b 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . D i g i C e r t I n c 1 . 0 . . . U . . . . w w w . d i g i c e r t . c o m 1 ! 0 . . . U . . . . D i g i C e r t T r u s t e d
Data Raw:30 82 12 a1 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 12 92 30 82 12 8e 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01
General
Stream Path:\x5MsiDigitalSignatureEx
File Type:data
Stream Size:32
Entropy:4.9375
Base64 Encoded:False
Data ASCII:. n d 1 y l I . I o u + F . A 3 e . j
Data Raw:bd b2 d8 98 6e 64 31 79 6c c0 49 15 49 a3 bb 6f e3 75 2b 86 46 05 41 88 d4 33 65 fb cc a7 c2 6a
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:476
Entropy:4.474418592431077
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l a t i o n D a t a b a s e . . . . . . . . . . . A d o b e F o n t P a c k 3 . 0 . 1 2 . 9 . . . . . . . . . . . . A d o b e I n c . . . . . . . . . . . I n s
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 c4 00 00 00 05 00 00 00 d8 00 00 00 06 00 00 00 ec 00 00 00 07 00 00 00 04 01 00 00 09 00 00 00 18 01 00 00 0c 00 00 00 48 01 00 00
General
Stream Path:\x16944\x17191\x14436\x16830\x16740
File Type:Microsoft Cabinet archive data, 185059 bytes, 2 files
Stream Size:185059
Entropy:7.998044423977934
Base64 Encoded:True
Data ASCII:M S C F . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . ` . . . . . . . . D . . . . . . . . T ' o . m a i n _ d l l . D . . . . D . . . . T 8 M . n o t i f y _ v b s . } 8 . C K | . \\ U . z K . , Z n . h e . . + . + 3 . S @ $ . ) . g p . [ . m l F . . . * . Q . ^ . . . | . . . < . 9 _ u y i . + . . . . W K t 6 k e ; - . . . . ; o y g N s b L l 3 . ~ h | 9 n . i . R = \\ . . ; x X . 5 ~ r . . . e . h . ~ k Q . \\ V . ] \\ & = 3 5 W s O . . . . . { . ^ ; ] . p . . . + . . . . W O . a . . . . 1 W
Data Raw:4d 53 43 46 00 00 00 00 e3 d2 02 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 02 00 00 00 00 00 00 00 60 00 00 00 0d 00 01 00 00 44 06 00 00 00 00 00 00 00 ce 54 27 6f 20 00 6d 61 69 6e 5f 64 6c 6c 00 44 00 00 00 00 44 06 00 00 00 d0 54 38 4d 20 00 6e 6f 74 69 66 79 5f 76 62 73 00 7d 97 9e fa 95 38 00 80 43 4b ec 7c 7f 5c 55 f5 fd ff c5 0b 7a 4b 14 2c 5a 6e 1f b7 68 b9 65 cb
General
Stream Path:\x18496\x15167\x17394\x17464\x17841
File Type:data
Stream Size:656
Entropy:4.728156136205491
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . + . + . + . + . 1 . 1 . 1 . 9 . 9 . 9 . 9 . 9 . I . I . I . I . I . I . I . I . X . X . ] . ] . ] . ] . ] . ] . ] . ] . k . k . k . l . l . l . m . m . m . m . m . m . x . x . z . z . z . z . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . #
Data Raw:07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 31 00 31 00 31 00 39 00 39 00 39 00 39 00 39 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 58 00 58 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 6b 00 6b 00 6b 00 6c 00 6c 00 6c 00 6d 00 6d 00 6d 00 6d 00 6d 00 6d 00 78 00
General
Stream Path:\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:ASCII text, with very long lines, with no line terminators
Stream Size:6703
Entropy:4.830396384462009
Base64 Encoded:True
Data ASCII:N a m e T a b l e T y p e C o l u m n I d e n t i f i e r _ V a l i d a t i o n V a l u e N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y T a b l e M a x V a l u e N u l l a b l e K e y C o l u m n M i n V a l u e N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
Data Raw:4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 49 64 65 6e 74 69 66 69 65 72 5f 56 61 6c 69 64 61 74 69 6f 6e 56 61 6c 75 65 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 54 61 62 6c 65 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 43 6f 6c 75
General
Stream Path:\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:data
Stream Size:852
Entropy:3.2751779270113106
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . 6 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . S . . . ^ . . . . . . . . . . . . . . . . . . . . . . . :
Data Raw:00 00 00 00 04 00 02 00 05 00 02 00 00 00 00 00 04 00 02 00 06 00 02 00 0a 00 1b 00 0b 00 15 00 05 00 05 00 01 00 2d 00 0a 00 01 00 13 00 02 00 0b 00 04 00 03 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 27 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 07 00
General
Stream Path:\x18496\x16255\x16740\x16943\x18486
File Type:data
Stream Size:34
Entropy:3.043731420625169
Base64 Encoded:False
Data ASCII:. . " . ) . * . + . 1 . 9 . I . X . ] . k . l . m . x . z . . .
Data Raw:07 00 22 00 29 00 2a 00 2b 00 31 00 39 00 49 00 58 00 5d 00 6b 00 6c 00 6d 00 78 00 7a 00 85 00 8f 00
General
Stream Path:\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:data
Stream Size:2016
Entropy:2.3834058956899153
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . + . + . + . + . 1 . 1 . 1 . 9 . 9 . 9 . 9 . 9 . I . I . I . I . I . I . I . I . X . X . ] . ] . ] . ] . ] . ] . ] . ] . k . k . k . l . l . l . m . m . m . m . m . m . x . x . z . z . z . z . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . % . ' . # . % . ' . # . % . ' . % . + . - . 0 . 3 . 6 . 1 . E . G . . . # . < . ? . B . . . 0 . 3 . I . K . M . P . R . Y . [ . ' . 3 . [ . ] . `
Data Raw:07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0b 00 0b 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 31 00 31 00 31 00 39 00 39 00 39 00 39 00 39 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 58 00 58 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 6b 00 6b 00 6b 00 6c 00 6c 00 6c 00 6d 00 6d 00 6d 00 6d 00 6d 00
General
Stream Path:\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:data
Stream Size:48
Entropy:3.0684210940655055
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . x . < .
Data Raw:9a 00 9b 00 9c 00 9d 00 9e 00 9f 00 a0 00 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99
General
Stream Path:\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:data
Stream Size:24
Entropy:2.594360937770434
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . .
Data Raw:9a 00 9b 00 9c 00 a2 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85
General
Stream Path:\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:data
Stream Size:42
Entropy:2.865948479683034
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . x . . .
Data Raw:9a 00 9c 00 9d 00 9e 00 a1 00 a3 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99
General
Stream Path:\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:data
Stream Size:4
Entropy:1.5
Base64 Encoded:False
Data ASCII:. .
Data Raw:b2 00 a5 00
General
Stream Path:\x18496\x16911\x17892\x17784\x18472
File Type:data
Stream Size:32
Entropy:2.472874329980682
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . .
Data Raw:b2 00 b3 00 b3 00 00 00 b4 00 b6 00 b5 00 00 00 02 80 01 80 01 80 01 80 00 00 a7 00 00 80 00 80
General
Stream Path:\x18496\x16918\x17191\x18468
File Type:MIPSEB Ucode
Stream Size:14
Entropy:1.626688849701832
Base64 Encoded:False
Data ASCII:. . . . . . . . . . .
Data Raw:01 80 02 00 00 80 00 00 c6 00 00 00 00 00
General
Stream Path:\x18496\x16923\x17194\x17910\x18229
File Type:data
Stream Size:12
Entropy:2.617492461184755
Base64 Encoded:False
Data ASCII:. . . . . .
Data Raw:a8 00 01 80 d2 00 d3 00 d4 00 a5 00
General
Stream Path:\x18496\x16923\x17584\x16953\x17167\x16943
File Type:data
Stream Size:10
Entropy:1.9609640474436814
Base64 Encoded:False
Data ASCII:. . . . . .
Data Raw:a7 00 a5 00 00 00 a7 00 02 80
General
Stream Path:\x18496\x17165\x16949\x17894\x17778\x18492
File Type:data
Stream Size:18
Entropy:2.102187170949333
Base64 Encoded:False
Data ASCII:. . . . . . . . . .
Data Raw:a7 00 ad 00 af 00 ad 00 af 00 00 00 ae 00 b0 00 b1 00
General
Stream Path:\x18496\x17167\x16943
File Type:data
Stream Size:40
Entropy:2.6659614479285128
Base64 Encoded:False
Data ASCII:. . . . . . . D . D . . . . . . . . . . . . . . . .
Data Raw:b7 00 bb 00 a5 00 a5 00 b8 00 bc 00 00 44 06 80 44 00 00 80 b9 00 00 00 ba 00 00 00 00 82 00 82 01 00 00 80 02 00 00 80
General
Stream Path:\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:data
Stream Size:120
Entropy:3.6961843239779912
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . ( p . y
Data Raw:9a 00 9b 00 9c 00 9d 00 9e 00 a0 00 a1 00 a3 00 a4 00 a9 00 ab 00 bd 00 be 00 bf 00 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 a0 8f c8 99 9c 98 00 99 ca 99 c9 99 bc 82 40 86 08 87 28 8a ac 8d 88 93 70 97 d4 97 79 85
General
Stream Path:\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type:data
Stream Size:30
Entropy:2.794949047732144
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . .
Data Raw:9a 00 9b 00 9c 00 a2 00 bd 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85 bc 82
General
Stream Path:\x18496\x17548\x17648\x17522\x17512\x18487
File Type:data
Stream Size:12
Entropy:2.292481250360578
Base64 Encoded:False
Data ASCII:. . . . . . .
Data Raw:a5 00 a6 00 a7 00 04 80 00 00 a8 00
General
Stream Path:\x18496\x17753\x17650\x17768\x18231
File Type:data
Stream Size:24
Entropy:2.792481250360579
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . .
Data Raw:c7 00 c9 00 cb 00 cc 00 ce 00 d0 00 c8 00 ca 00 ba 00 cd 00 cf 00 d1 00
General
Stream Path:\x18496\x17814\x15340\x17388\x15464\x17828\x18475
File Type:data
Stream Size:20
Entropy:4.1219280948873624
Base64 Encoded:False
Data ASCII:. . . . A Q f y .
Data Raw:bb 00 00 80 03 08 aa ac 8d ab 8a e9 de 41 f5 51 66 79 bb 1b
General
Stream Path:\x18496\x17932\x17910\x17458\x16778\x17207\x17522
File Type:data
Stream Size:24
Entropy:2.1140054628542204
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . .
Data Raw:a9 00 ab 00 e2 80 e2 80 a7 00 a7 00 aa 00 ac 00 00 00 00 00 00 00 00 00
No network behavior found

Target ID:0
Start time:08:38:10
Start date:17/06/2022
Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):false
Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:0x13fb00000
File size:1423704 bytes
MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly