General Info

File name

4a3e496581bc6ca886da55e67c566441

Full analysis
https://app.any.run/tasks/d9b5fc9d-1376-4918-ab8b-6fe79df67b31
Verdict
Malicious activity
Analysis date
9/11/2019, 09:55:53
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/msword
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: User, Template: Normal.dot, Last Saved By: User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Sep 28 18:06:00 2006, Last Saved Time/Date: Thu Sep 28 18:09:00 2006, Number of Pages: 1, Number of Words: 5, Number of Characters: 35, Security: 0
MD5

4a3e496581bc6ca886da55e67c566441

SHA1

6376c63bae114d171ab1b0557d7cedd8ea5382b9

SHA256

55ec9749e0692951ce38c02a3410a99cc38eab94724649851744ff3b5268e3fc

SSDEEP

3072:P84pq6AmakExyrsWl4h3QNycFlKEWUmGCv3ZLyqGq:JOzkExyuQNycFlKEWUmj3Zh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 3424)

SUSPICIOUS
No suspicious indicators.

INFO
Creates files in the user directory
  • WINWORD.EXE (PID: 3424)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3424)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.doc
|   Microsoft Word document (80%)
EXIF
FlashPix
Title:
null
Subject:
null
Author:
User
Keywords:
null
Template:
Normal.dot
LastModifiedBy:
User
RevisionNumber:
2
Software:
Microsoft Office Word
TotalEditTime:
3.0 minutes
CreateDate:
2006:09:28 17:06:00
ModifyDate:
2006:09:28 17:09:00
Pages:
1
Words:
5
Characters:
35
Security:
None
CodePage:
Windows Simplified Chinese (PRC, Singapore)
Company:
HOME
Lines:
1
Paragraphs:
1
CharCountWithSpaces:
39
AppVersion:
11.9999
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
null
HeadingPairs
null
null
CompObjUserTypeLen:
31
CompObjUserType:
Microsoft Office Word Document
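The "Composite Document File V2 Document, Little Endian" line above is the Compound File Binary (OLE2) container that legacy .doc files use. The following is an added example, not code from the report or from ANY.RUN, showing how a triage script validates that container's 512-byte header (signature, byte-order mark, version/sector-size consistency) before handing the file to a heavier parser. The header it parses is constructed inline by build_sample_header(); nothing here is read from the analysed sample.

```python
"""Sanity-check the 512-byte header of a Compound File Binary (OLE2/CFB)
document, the container this report describes as "Composite Document File V2
Document, Little Endian". Added example: the header parsed below is constructed
inline with build_sample_header(), not read from the analysed sample."""
import struct

CFB_SIGNATURE = bytes.fromhex("D0CF11E0A1B11AE1")  # fixed 8-byte magic
HEADER_LEN = 512                                     # header is always one 512-byte block
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF

# Fixed part of the header ([MS-CFB] 2.2), little-endian throughout:
# signature(8) clsid(16) minor(2) major(2) byte_order(2) sector_shift(2)
# mini_sector_shift(2) reserved(6) then nine 32-bit fields (see unpack below).
_FIXED = "<8s16sHHHHH6s9I"


def parse_cfb_header(data: bytes) -> dict:
    """Return the header fields a triage tool cares about, raising ValueError
    on anything that is not a structurally valid CFB header."""
    if len(data) < HEADER_LEN:
        raise ValueError("only %d bytes; a CFB header is %d" % (len(data), HEADER_LEN))
    (sig, _clsid, minor, major, byte_order, sector_shift, mini_shift, _res,
     num_dir_sectors, num_fat_sectors, first_dir_sector, _txn_sig,
     mini_cutoff, first_minifat, num_minifat, first_difat, num_difat) = \
        struct.unpack_from(_FIXED, data, 0)
    if sig != CFB_SIGNATURE:
        raise ValueError("bad signature %s" % sig.hex())
    if byte_order != 0xFFFE:  # the only value the format allows
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version %d with sector shift %d is inconsistent" % (major, sector_shift))
    if mini_shift != 6 or mini_cutoff != 4096:
        raise ValueError("non-standard mini stream parameters")
    if major == 3 and num_dir_sectors != 0:
        raise ValueError("version 3 files must leave the directory sector count at 0")
    return {
        "byte_order": "little-endian",
        "version": "%d.%d" % (major, minor),
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": num_fat_sectors,
        "first_directory_sector": first_dir_sector,
        "mini_fat": None if first_minifat == ENDOFCHAIN else (first_minifat, num_minifat),
        "difat": None if first_difat == ENDOFCHAIN else (first_difat, num_difat),
    }


def build_sample_header() -> bytes:
    """A minimal, valid version-3 header (constructed for this example): one
    FAT sector at sector 0, directory at sector 1, no mini FAT, no extra DIFAT."""
    fixed = struct.pack(_FIXED, CFB_SIGNATURE, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = struct.pack("<109I", 0, *([FREESECT] * 108))  # first DIFAT entry -> FAT sector 0
    header = fixed + difat
    assert len(header) == HEADER_LEN
    return header


def is_cfb(data: bytes) -> bool:
    """Cheap triage predicate: does this look like an OLE2 container at all?"""
    try:
        parse_cfb_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = parse_cfb_header(build_sample_header())
    print("valid CFB v%s, %d-byte sectors, directory at sector %d"
          % (info["version"], info["sector_size"], info["first_directory_sector"]))
```

The byte-order check is the one that matters for the "Little Endian" claim: the format only permits 0xFFFE, so a file whose header passes the signature test but fails here has been damaged or hand-edited, and the sector-size/version pairing catches the same kind of inconsistency one level down.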

Screenshots

Processes

Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Process chain: start → winword.exe (no specs) → dw20.exe (no specs) → dwwin.exe (no specs). "No specs" means none of the graph flags listed below applied to that process.
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
3424
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4a3e496581bc6ca886da55e67c566441.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscomctl.ocx
c:\windows\system32\comdlg32.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\progra~1\common~1\micros~1\dw\dw20.exe

PID
2516
CMD
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1356
Path
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Application Error Reporting
Version
14.0.6015.1000
Modules
Image
c:\progra~1\common~1\micros~1\dw\dw20.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acspecfc.dll
c:\windows\system32\mscms.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msi.dll
c:\windows\system32\dwwin.exe

PID
3632
CMD
C:\Windows\system32\dwwin.exe -x -s 1356
Path
C:\Windows\system32\dwwin.exe
Indicators
No indicators
Parent process
DW20.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Watson Client
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwwin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wer.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\program files\microsoft office\office14\winword.exe
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\feclient.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
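The three process records above are the whole tree for this task: WINWORD.EXE (PID 3424) spawned DW20.EXE (PID 2516), which spawned dwwin.exe (PID 3632), and the report labels the last two as Microsoft Application Error Reporting and Watson Client. The following is an added example, not code from the report or from ANY.RUN, of the detection logic behind an "Unusual execution from Microsoft Office" style indicator: it rebuilds ancestry from process-start records, reports every descendant of an Office host with its full lineage, tags the error-reporting helpers so they can be separated from other children, and extracts the opened document from the Word command line. The event records are constructed from the PIDs, images and command lines printed on this page; the OFFICE_HOSTS list and the field names are assumptions of the example.

```python
"""Rebuild process ancestry from process-start records and report everything
spawned under a Microsoft Office host, which is the condition behind the
report's "Unusual execution from Microsoft Office" indicator. Added example:
the records below are constructed from the PIDs, images and command lines
listed in this report, not exported from ANY.RUN."""
import re
from collections import defaultdict

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                "msaccess.exe", "mspub.exe"}
# The report identifies DW20.EXE as "Microsoft Application Error Reporting" and
# dwwin.exe as "Watson Client"; tag them so they can be separated from other children.
ERROR_REPORTING = {"dw20.exe", "dwwin.exe"}

SAMPLE_EVENTS = [  # constructed from the "Process information" section of this page
    {"pid": 3424, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4a3e496581bc6ca886da55e67c566441.doc"'},
    {"pid": 2516, "ppid": 3424,
     "image": r"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE",
     "cmd": r'"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1356'},
    {"pid": 3632, "ppid": 2516,
     "image": r"C:\Windows\system32\dwwin.exe",
     "cmd": r"C:\Windows\system32\dwwin.exe -x -s 1356"},
]


def image_name(path: str) -> str:
    """Case-folded file name, since 8.3 short paths and mixed case both occur."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def opened_document(cmd: str):
    """Office passes the document as a quoted argument; return the last quoted
    path with a document extension so the analyst knows which file to pull."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    for arg in reversed(quoted):
        if re.search(r"\.(docx?|docm|dotm?|rtf|xlsx?|xlsm|pptx?|pptm)$", arg, re.I):
            return arg
    return None


def office_chains(events):
    """One finding per process that descends from an Office host, with its full
    lineage and whether it is one of Office's own error-reporting helpers."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    findings = []

    def walk(pid, lineage):
        for child in children.get(pid, []):
            name = image_name(by_pid[child]["image"])
            chain = lineage + [name]
            findings.append({"pid": child, "chain": chain, "cmd": by_pid[child]["cmd"],
                             "office_crash_reporting": name in ERROR_REPORTING})
            walk(child, chain)

    for e in events:
        host = image_name(e["image"])
        if host in OFFICE_HOSTS:
            walk(e["pid"], [host])
    return findings


def triage(events):
    """Summarise: which document(s) the Office hosts opened, every Office-spawned
    chain, and which children are not the error-reporting pair."""
    roots = [e for e in events if image_name(e["image"]) in OFFICE_HOSTS]
    findings = office_chains(events)
    return {
        "documents": [opened_document(e["cmd"]) for e in roots],
        "children": [" > ".join(f["chain"]) for f in findings],
        "non_error_reporting_children": [f["pid"] for f in findings
                                         if not f["office_crash_reporting"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

Run over the page's records, the only Office-spawned processes are the two error-reporting helpers and the extracted document is the .doc in the user's Temp directory, which is exactly the file whose hashes head this report; a child outside ERROR_REPORTING would land in non_error_reporting_children and deserve the first look.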

Registry activity

Total events
1074
Read events
993
Write events
80
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3424
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
m~#
6D7E2300600D0000010000000000000000000000
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1328218142
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218256
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218257
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
600D000032F0B95E7668D50100000000
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
t $
74202400600D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
m!$
6D212400600D000006000000010000009E000000020000008E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C00340061003300650034003900360035003800310062006300360063006100380038003600640061003500350065003600370063003500360036003400340031002E0064006F006300000000000000
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218258
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218259
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{3EF719B4-27FB-4E0D-8F8D-CB16C15B1E56}
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1328218116
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductNonBootFiles
1328218113
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{052D8B77-9351-4653-A2DC-4D642FF298BA}\2.0
Microsoft Windows Common Controls 6.0 (SP6)
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{052D8B77-9351-4653-A2DC-4D642FF298BA}\2.0\FLAGS
6
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{052D8B77-9351-4653-A2DC-4D642FF298BA}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\Word8.0\MSComctlLib.exd
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{052D8B77-9351-4653-A2DC-4D642FF298BA}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\Word8.0
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}
IVBDataObject
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}
IVBDataObjectFiles
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}
ITabStrip
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}
ITabStripEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}
ITabs
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}
ITab
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}
IToolbar
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}
IToolbarEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}
IButtons
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}
IButton
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}
IButtonMenus
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}
IButtonMenu
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}
IStatusBar
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}
IStatusBarEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}
IPanels
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}
IPanel
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}
IProgressBar
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}
IProgressBarEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}
ITreeView
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}
ITreeViewEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}
INodes
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}
INode
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}
IListView
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}
ListViewEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}
IListItems
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}
IListItem
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}
IColumnHeaders
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}
IColumnHeader
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}
IListSubItems
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}
IListSubItem
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}
IImageList
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}
ImageListEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}
IImages
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}
IImage
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}
ISlider
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}
ISliderEvents
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}
IControls
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}
IComboItem
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}
IComboItems
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}
IImageCombo
3424
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}
DImageComboEvents
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\16A609
16A609
04000000600D00004600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00340061003300650034003900360035003800310062006300360063006100380038003600640061003500350065003600370063003500360036003400340031002E0064006F00630024000000340061003300650034003900360035003800310062006300360063006100380038003600640061003500350065003600370063003500360036003400340031002E0064006F006300000000000100000000000000CA66B05E7668D50109A6160009A6160000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1328218153
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1328218154
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1328218153
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1328218154
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1328218174
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1328218175
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1328218155
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1328218156
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1328218155
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1328218156
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1328218176
3424
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1328218177
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
0
3424
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
85
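Several of the binary values above, written under HKCU\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems and \Resiliency\DocumentRecovery, embed the path of a file Word had open as UTF-16LE text, so they tell an analyst which document and template were in play even when the file itself is gone. The following is an added example, not code from the report or from ANY.RUN, that decodes them: it normalises the hex, scans both 16-bit alignments for printable UTF-16LE runs, and pulls out the Windows paths. The two hex strings are the StartupItems values named "m!$" and "t $" exactly as logged in this report; the observation that each value starts with the bytes of its own name is taken from those logged values and is not claimed for any other Office version.

```python
"""Decode the REG_BINARY values Word writes under
HKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Resiliency\\StartupItems: each embeds,
as UTF-16LE, the path of a file Word had open when the value was written.
Added example; the two hex strings below are the StartupItems values named
"m!$" and "t $" from this report's registry log."""
import re

# Value "m!$" written by WINWORD.EXE (PID 3424), copied from the report.
STARTUP_ITEM_M = (
    "6D212400600D000006000000010000009E000000020000008E00000004000000"
    "63003A005C00750073006500720073005C00610064006D0069006E005C00"
    "61007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C00"
    "34006100330065003400390036003500380031006200630036006300610038003800360064006100"
    "3500350065003600370063003500360036003400340031002E0064006F006300"
    "000000000000")
# Value "t $" written by the same process, copied from the report.
STARTUP_ITEM_T = (
    "74202400600D000004000000000000008C00000001000000840000003E00"
    "43003A005C00550073006500720073005C00610064006D0069006E005C00"
    "41007000700044006100740061005C0052006F0061006D0069006E0067005C00"
    "4D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C00"
    "4E006F0072006D0061006C002E0064006F0074006D00"
    "000000000000")


def registry_hex_to_bytes(hexstr: str) -> bytes:
    """Registry exports render binary data as hex, sometimes with spaces,
    commas or line breaks; normalise before decoding."""
    return bytes.fromhex(re.sub(r"[\s,]", "", hexstr))


def utf16le_strings(blob: bytes, min_len: int = 4):
    """Runs of at least min_len printable ASCII code units encoded as UTF-16LE.
    Both 16-bit alignments are scanned so an odd leading byte cannot hide a string."""
    found = []
    for offset in (0, 1):
        run = []
        for i in range(offset, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def value_tag(blob: bytes) -> str:
    """In this report every StartupItems value starts with the bytes of its own
    value name (6D 21 24 for "m!$"), which helps match a value back to its name
    in a flattened log; treat this as an observation, not a documented format."""
    return blob[:3].decode("latin-1")


def resiliency_paths(hexstr: str):
    """Windows paths embedded in a Resiliency value. A printable 16-bit field
    right before the path would otherwise be kept as a leading character (the
    "t $" value has 0x003E, '>', in front of its path), so the match starts at
    the drive letter."""
    blob = registry_hex_to_bytes(hexstr)
    paths = []
    for s in utf16le_strings(blob):
        m = re.search(r"[A-Za-z]:\\.*", s)
        if m:
            paths.append(m.group(0))
    return paths


if __name__ == "__main__":
    for name, hexval in (("m!$", STARTUP_ITEM_M), ("t $", STARTUP_ITEM_T)):
        blob = registry_hex_to_bytes(hexval)
        print(name, value_tag(blob), resiliency_paths(hexval))
```

Decoded, the "m!$" value names the analysed .doc in the user's Temp directory and the "t $" value names the user's Normal.dotm template, matching the ~$ lock files listed under "Dropped files"; the same scanner works unchanged on the much longer DocumentRecovery value, which carries the same path twice.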

Files activity

Executable files
0
Suspicious files
0
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
3424
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\1484687.cvr
sqm
MD5: 3281476f7bbf9b4e903f2b5c2f8795dd
SHA256: a0ea8af9a0b98fb13dec97e23bcdc107b3271491c96895dd82c28d09cf004ab7
3424
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\Word8.0\MSComctlLib.exd
tlb
MD5: 02d1e35ac9ce08b2f9d48b0c2304881e
SHA256: ecfee038f310ab3dbf4ba7fd24b9f880e8ad02dac1178b850159be5fe402c5e6
3424
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~DF8D56CCC2117E03B8.TMP
––
MD5:  ––
SHA256:  ––
3424
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~DFDE7B1D201A6DFA0C.TMP
––
MD5:  ––
SHA256:  ––
3424
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$3e496581bc6ca886da55e67c566441.doc
pgc
MD5: 3b7f79898a861395f0ec30a9155fe956
SHA256: b723eede609d5435da75bdf17e7f9c6e1e18ec846912bef50d5a073daebc5400
3424
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: c9535aba1891b1364509491f8aaf1240
SHA256: 7b50603f2e47d74137fcf19d260d963f56304288394bf44fb6dffca9ee49b3d7
3424
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.