3.6
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.64
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
观察到命令行控制台输出
(36 个事件)
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(4 个事件)
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe |
创建可疑进程
(2 个事件)
| cmdline | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r |
| cmdline | cmd.exe /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe |
一个进程创建了一个隐藏窗口
(2 个事件)
读取系统的用户代理并随后执行请求
(2 个事件)
使用 Windows 工具进行基本 Windows 功能
(3 个事件)
| cmdline | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r |
| cmdline | cmd.exe /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r |
| cmdline | ping 127.0.0.1 -n 2 |
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD | reg_value | C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe -r | ||||||
由意外的父进程创建了命令行或脚本进程
(1 个事件)
| parent_process | winword.exe | martian_process | cmd.exe /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r | ||||||
创建了一个或多个未在安全列表中的进程
(2 个事件)
| parent_process | winword.exe | martian_process | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r | ||||||
| parent_process | winword.exe | martian_process | cmd.exe /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r | ||||||
进程 winword.exe 将可执行文件写入磁盘
(1 个事件)
| file | C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(1 个事件)
| dead_host | 153.248.10.165:80 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2018-08-15 11:06:11
PE Imphash
170193414cc4abf0ae27dc2a19d74879
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00004d32 | 0x00004e00 | 6.431004013596767 |
| .rdata | 0x00006000 | 0x00000cea | 0x00000e00 | 4.768189503772601 |
| .data | 0x00007000 | 0x0001124c | 0x00000400 | 6.409756927142066 |
| .rsrc | 0x00019000 | 0x0000146c | 0x00001600 | 3.6368184290530503 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000190ec | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x0001a194 | 0x00000016 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_VERSION | 0x0001a1ac | 0x000002c0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x40602c CreateDirectoryW
• 0x406030 MoveFileW
• 0x406034 ReadFile
• 0x406038 SetFilePointer
• 0x40603c CreateFileW
• 0x406040 WriteFile
• 0x406044 GetDriveTypeW
• 0x406048 GetSystemDirectoryW
• 0x40604c GetProcAddress
• 0x406050 GetModuleHandleW
• 0x406054 GetSystemDefaultLangID
• 0x406058 GetTickCount
• 0x40605c GetCurrentProcessId
• 0x406060 GetComputerNameW
• 0x406064 FreeLibrary
• 0x406068 LoadLibraryW
• 0x40606c GetVersionExW
• 0x406070 GetCurrentProcess
• 0x406074 OpenProcess
• 0x406078 GetVolumeInformationA
• 0x40607c Process32NextW
• 0x406080 TerminateProcess
• 0x406084 Process32FirstW
• 0x406088 CreateProcessW
• 0x40608c lstrlenW
• 0x406090 SetFileTime
• 0x406094 GetFileSize
• 0x406098 DeleteFileW
• 0x40609c Sleep
• 0x4060a0 WinExec
• 0x4060a4 GetModuleFileNameA
• 0x4060a8 MultiByteToWideChar
• 0x4060ac PeekNamedPipe
• 0x4060b0 GetStartupInfoW
• 0x4060b4 CreatePipe
• 0x4060b8 WaitForSingleObject
• 0x4060bc CreateThread
• 0x4060c0 RemoveDirectoryW
• 0x4060c4 GetTempPathW
• 0x4060c8 ExitProcess
• 0x4060cc SetStdHandle
• 0x4060d0 DuplicateHandle
• 0x4060d4 WideCharToMultiByte
• 0x4060d8 SetLastError
• 0x4060dc LoadLibraryA
• 0x4060e0 GetModuleHandleA
• 0x4060e4 CloseHandle
• 0x4060e8 GetModuleFileNameW
• 0x4060ec SetErrorMode
• 0x4060f0 FindClose
• 0x4060f4 GetLogicalDriveStringsW
• 0x4060f8 GetVolumeInformationW
• 0x4060fc GetDiskFreeSpaceExW
• 0x406100 FindFirstFileW
• 0x406104 FindNextFileW
• 0x406108 GetLastError
• 0x40610c CreateToolhelp32Snapshot
• 0x406110 GetStartupInfoA
Library USER32.dll:
• 0x4061cc ExitWindowsEx
Library ADVAPI32.dll:
• 0x406000 GetTokenInformation
• 0x406004 RegDeleteValueW
• 0x406008 RegSetValueExW
• 0x40600c RegCloseKey
• 0x406010 LookupPrivilegeValueW
• 0x406014 AdjustTokenPrivileges
• 0x406018 OpenProcessToken
• 0x40601c LookupAccountSidW
• 0x406020 GetUserNameW
• 0x406024 RegOpenKeyW
Library SHELL32.dll:
• 0x4061b8 SHFileOperationW
Library MSVCRT.dll:
• 0x406118 _controlfp
• 0x40611c __set_app_type
• 0x406120 __p__fmode
• 0x406124 swprintf
• 0x406128 wcslen
• 0x40612c wcscpy
• 0x406130 memset
• 0x406134 memcpy
• 0x406138 ??2@YAPAXI@Z
• 0x40613c wcscmp
• 0x406140 __CxxFrameHandler
• 0x406144 _EH_prolog
• 0x406148 wcscat
• 0x40614c wcsrchr
• 0x406150 _wcsnicmp
• 0x406154 _except_handler3
• 0x406158 _wcslwr
• 0x40615c sprintf
• 0x406160 strcpy
• 0x406164 strcmp
• 0x406168 rand
• 0x40616c srand
• 0x406170 strlen
• 0x406174 time
• 0x406178 atoi
• 0x40617c free
• 0x406180 _stricmp
• 0x406184 _exit
• 0x406188 _XcptFilter
• 0x40618c exit
• 0x406190 _acmdln
• 0x406194 __getmainargs
• 0x406198 _initterm
• 0x40619c __setusermatherr
• 0x4061a0 _adjust_fdiv
• 0x4061a4 __p__commode
L!This program cannot be run in DOS mode.
R{R{R{
P{)wS{
&_{Rz!{
pU{}S{RichR{
`.rdata
@.data
SV3W9^
Yf]jsfMXfMj
fEfEfE\
f]fMfEfMfEfMfEf]
j(pSPH
]j(PSSS jPPE]P]
ESPEPEP
EjPSPpH
j(SPNH
f|G\EWt
f|G\Ys@
QPEWPP
^ M_^[d
U SVWu
]P]]u]E
YYt4PPC
UXV3jDEVP C
PEPVVVVVVVu
uuMMSQPVE
6xqQP?
9]YYt4PPi>
MMSQPWE
EVPE3f!uPfEk
EWEoEwE6E4EEEnEaEbElEeEWEoEwE6E4EFEsEREeEdEiErEeEcEtEiEoEn
;}Et++}t
_^[U,VW}
MQPEREtElEGEeEtENEtEVEeErEsEiEoEnENEuEmEbEeErEs
EVPEfEk
EIEsEWEoEwE6E4EPErEoEcEeEsEs
E^Ujha@
E9v|/5
3VPPPMPQPEPEPEcE:E\
_^[V=w@
@U<EVPj 3
PEPVfES
PEPfEs
XfUfEfEfEfEEfEM
fMfUfER
f0WVP,
tF;t.h,p@
X_^[U fe
PEPfEh
ESEhEeElElEEExEeEcEuEtEeEW
PEPfEh
ESEHEGEeEtESEpEeEcEiEaElEFEoElEdEeErEPEaEtEhEW
fut EPP**
WPP}4p@
EfuPPH)
VVPPVV(j
PEPPEcEmEdE E/EcE EpEiEnEgE E1E2E7E.E0E.E0E.E1E E-EnE E1E&EdEeElE E"E%EsE"(
uuhhq@
EPSuMW%
X_^[Md
USV3WS=`@
_^[]Ut8
SVWhs@
PEPSSSVSSu
SESPVP5{@
ESPVP5{@
t~9]vyE]PP"WP;$
ufuufu
EPEPVVVVVVu
E]PuuWS65{@
feWPD]
EMPEP}
EPEPG P
EPEPG P
QMQPMB
QMQPM&
QMQPM7
YEP3PSh7@
EPuuuu65{@
M_^3[d
E+tFHt,Ht
W W3h{@
YY,h{@
EPSVh7@
HtVHt HudV
PPPhr@
PPPhr@
HVPuuS
XVQuuP
EPVQPuLP
TXVPTj
tF;t.$h,p@
uj fEr
Zfuj%fEp
jefU[fE1
f`fbfdf
fnfpfrftfvf
f]fUf}fMfEf}fUfMfEfE&
fMfEfE&
f}fMfEf}fUfE\
fMfEfuEPPEPP
PPEPPEP\PP'
VVPEfEc
PVVfEm
f]fu"@V
YYu&>/u
SV3WESP]]
#3f98E
u.9E t
9M u$9E$t
F0^3[U
;wUH!Ew
+AA;u#+E
SV3W=`@
RQPjDE[SWPw
P|PfEc
YEYPEPWWWj
EESPu]
SESPVPEp
ESPVuPv
9]vzEPP]
E8]YYt
^USV3WS=`@
USV3WVVV
U8SVWj
EE%E0E4EXE%E0E8EXE%E0E8EXE%E0E4EXRWuUSPEPL
SSSu]EPEOESET]<PEPv
EaEcEhjPv
EeE-ECEoEnEtErEoElE:E EnEoE-EcEaEcEhEe]$
EPPEcElEoEsEe
YSUVW=`@
tzh$s@
thh4s@
tVhHs@
tDh`s@
_^][Vj
XPPPPPPPj
@;>rSo
AJu[h0@
hSVWe3
EEP50A
EPEPEP
0u>"u:Fu
<"u>"u
> vFuj
MM7M(uY
Feb 04 2015
FindClose
GetLastError
FindNextFileW
FindFirstFileW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetLogicalDriveStringsW
SetErrorMode
GetModuleFileNameW
CloseHandle
CreateProcessW
CreateDirectoryW
MoveFileW
ReadFile
SetFilePointer
CreateFileW
WriteFile
GetDriveTypeW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleW
GetSystemDefaultLangID
GetTickCount
GetCurrentProcessId
GetComputerNameW
FreeLibrary
LoadLibraryW
GetVersionExW
GetCurrentProcess
OpenProcess
GetVolumeInformationA
Process32NextW
TerminateProcess
Process32FirstW
CreateToolhelp32Snapshot
lstrlenW
SetFileTime
GetFileSize
DeleteFileW
WinExec
GetModuleFileNameA
MultiByteToWideChar
PeekNamedPipe
GetStartupInfoW
CreatePipe
WaitForSingleObject
CreateThread
RemoveDirectoryW
GetTempPathW
ExitProcess
SetStdHandle
DuplicateHandle
WideCharToMultiByte
SetLastError
LoadLibraryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GetUserNameW
LookupAccountSidW
GetTokenInformation
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCloseKey
RegSetValueExW
RegDeleteValueW
RegOpenKeyW
ADVAPI32.dll
SHFileOperationW
SHELL32.dll
GetModuleFileNameExW
EnumProcessModules
PSAPI.DLL
swprintf
wcslen
wcscpy
memset
memcpy
??2@YAPAXI@Z
wcscmp
__CxxFrameHandler
_EH_prolog
wcscat
wcsrchr
_wcsnicmp
_except_handler3
_wcslwr
sprintf
strcpy
strcmp
strlen
_stricmp
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
PathFileExistsW
PathFindFileNameW
SHLWAPI.dll
GetModuleHandleA
GetStartupInfoA
bZJbAH
XGTS+h+\d)
TfT?XdKr
;)Tgx=
gCdeOHM>qZ
BBBBBBBBXBBBSBB-G
x}|JZ)
&sa~S.dI/4R=g XzK
6*BPC0tn/6#&
bFb&FLBBBBB][aep:Z
\9 >BKHNd
Lf]7yeZ
H+l#11/+-l!-/BbBB@/l#11bABFBB
BBBCBBzWBB\E
wininet.dll
urlmon.dll
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetReadFile
ObtainUserAgentString
InternetCloseHandle
InternetSetOptionW
HttpSendRequestExA
HttpEndRequestA
x^tPU)U)
U)U)U)U)U)U)U)U)U)U)U)
U)U)U)U)U)U)U)U)U)U)U)U)U)
U)U)U)U)U)U)U)U)U)U)U)U)U)
U)U)U)U)U)U)U)U)U)U)U)U)U)
U)U)U)
xU)U)U)
U)U)U)
U)U)U)
U)U)_5U)U)U)U)
U)U)]xiCU)U)
U)U)U)_5
U)U)U)
U)U)U)
U)U)U)
U)U)U)U)U)U)U)U)U)U)U)U)U)
U)U)U)U)U)U)U)U)U)U)U)U)U)
U)U)U)U)U)U)U)U)U)U)U)U)U)
U)U)T)
U)U)U)U)U)U)U)U)U)
^^U)U)
fgfhgfhgfhgfhgfh
f;;>o
f;;>o
fgfh;;>o
f;;>o
f;;>o
f;;>o
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGp{
%�s�\�%�x�%�d�
%�s�\�%�0�8�X�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�.�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
M�i�c�r�o�s�o�f�t� �W�o�r�d�
F�i�l�e�V�e�r�s�i�o�n�
1�6�.�0�.�4�2�6�6�.�1�0�0�1�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�1�4�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
W�I�N�W�O�R�D�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e� �2�0�1�6�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�6�.�0�.�4�2�6�6�.�1�0�0�1�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Process Tree
-
04515f0960dc474cd50b0267c7fb8057b037188dda9ec45f4dd712d07c1f62fe.exe (3028)
"C:\Users\Administrator\AppData\Local\Temp\04515f0960dc474cd50b0267c7fb8057b037188dda9ec45f4dd712d07c1f62fe.exe"
-
WINWORD.exe (2064)
"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" -r
-
cmd.exe (2228)
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r
- PING.EXE (2124) ping 127.0.0.1 -n 2
- PING.EXE (1988) ping 127.0.0.1 -n 2
- WINWORD.exe (1056) "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r
- PING.EXE (1980) ping 127.0.0.1 -n 2
-
cmd.exe (2228)
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Administrator\AppData\Roaming\Mozilla\00003269" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" \r
-
WINWORD.exe (2064)
"C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe" -r
04515f0960dc474cd50b0267c7fb8057b037188dda9ec45f4dd712d07c1f62fe.exe, PID: 3028, Parent PID: 2600
default registry file network process services synchronisation iexplore office pdf
WINWORD.exe, PID: 2064, Parent PID: 3028
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 2228, Parent PID: 2064
default registry file network process services synchronisation iexplore office pdf
PING.EXE, PID: 1988, Parent PID: 2228
default registry file network process services synchronisation iexplore office pdf
PING.EXE, PID: 1980, Parent PID: 2228
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
| 153.248.10.165 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| i.assmio.com |
CNAME sinkhole.dynu.net
CNAME a.sinkhole.yourtrap.com A 153.248.10.165 |
153.248.10.165 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 25412c646669f546_winword.exe |
|---|---|
| Filepath | c:\users\administrator\appdata\roaming\mozilla\winword.exe |
| Size | 30.5KB |
| Processes | 2064 (WINWORD.exe) 2228 (cmd.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 86a411501c2ac84c1a7b3c6bea5db2f4 |
| SHA1 | ebf55fab94e0490849102043da977b1d18f4828f |
| SHA256 | 25412c646669f5467c6a8348e0fe241a11667c0904e846280a55b8147f7b47af |
| CRC32 | 581D6129 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 04515f0960dc474c_WINWORD.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Roaming\Mozilla\WINWORD.exe |
| Size | 30.5KB |
| Processes | 3028 (04515f0960dc474cd50b0267c7fb8057b037188dda9ec45f4dd712d07c1f62fe.exe) 2228 (cmd.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | a4e14b434568587094c317037c311fb0 |
| SHA1 | cebe6f9f2c0a8297fd22e6663b1e06017e9c67d1 |
| SHA256 | 04515f0960dc474cd50b0267c7fb8057b037188dda9ec45f4dd712d07c1f62fe |
| CRC32 | 50DBCC18 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.