Page 1
5/6/2016 feca4ffca4701fdaa076625269946d71
https://amptools.cisco.com/report.php?id=feca4ffca4701fdaa076625269946d71 1/24
Analysis Report ID: feca4ffca4701fdaa076625269946d71
OS: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Started: 5/6/16 11:45:38
Ended: 5/6/16 11:52:17
Duration: 0:06:39
Sandbox: phl-work-03 (pilot-d)
Filename: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
Magic Type: Composite Document File V2 - DOC
Analyzed As: cdf
SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce
SHA1: 93ba5346bcd03a3223c7ad6ca1c3fbd2dc2cc0d5
MD5: 35c2ea75be38d1d1cb902bef11d83993
Behavioral Indicators
VBA Macro Loads a COM Object (Severity: 90 Confidence: 90)
VBA Macro Has Action on Open (Severity: 70 Confidence: 85)
A VBA macro was discovered that loads a COM object. Office files support a modified form of VisualBasic that can
perform operations on a document. In this case, the macro imports a COM object. COM objects can be used to
communicate with other APIs on the system and extend functionality for the parent process. Malware may use this to
import Windows APIs that allow more freedom for execution, such as WMI.
Categories forensics
Tags vba, macro, embedded, com, api
Artifact ID | SHA256 | Path
11 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | \TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
40 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
A VBA macro was discovered that uses a function to perform an action when its parent document is opened. Office
files support a modified form of VisualBasic that can perform operations on a document. In this case, it has hooked a
function that is called when the Office program or document is opened. This is not necessarily malicious. Legitimate
uses include pulling in the latest data from an external source, alerting the user of the last modified time and so on.
Malware uses this as a launch point to execute external programs as soon as the malicious document is opened.
Process Modified File in a User Directory (Severity: 70 Confidence: 80)
Office Document Contains a VBA Macro (Severity: 70 Confidence: 80)
Artifact Flagged by Antivirus (Severity: 50 Confidence: 50)
Check the artifact data for further information.
Categories forensics
Tags vba, macro, auto, embedded
Artifact ID | SHA256 | Path
11 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | \TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
40 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
Malware will modify files in user directories to hide logs or other evidence. Also, by modifying various files it can disable
functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to
hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view
additional details about this file.
Categories file
Tags executable, file, process
Path | Process Name | Process ID
\Users\ADMINI~1\AppData\Local\Temp\VBE\MSForms.exd | WINWORD.EXE | 1104 (WINWORD.EXE)
A Microsoft Office document was found that contains embedded macros. Office files support a modified form of
VisualBasic that can perform operations on a document. Macros are not necessarily malicious. Legitimate uses include
auto-saving a document, loading the latest data from a remote file and so on. Malware often uses macros as a
springboard, launching other processes when the user opens or closes the document.
Categories file
Tags vba, macro, embedded
Artifact ID | SHA256 | Path
11 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | \TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
40 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
An antivirus engine flagged an artifact as potentially malicious. This may be a false positive as Antivirus programs will
also flag packed or encrypted software with a signature. Please confirm the file is indeed malicious. Checking other
indicators and outbound communications will help to confirm this.
Categories forensics
Tags file
Path | Antivirus Result | Antivirus Product | Artifact ID
Executable Imported the IsDebuggerPresent Symbol (Severity: 20 Confidence: 20)
HTTP Traffic
DNS Traffic
Stream: 3 | Query: 45542 | Query Type: * | Query Data: workstation | TTL: - | Timestamp: +68.657s
Stream: 4 | Query: 49059 | Query Type: * | Query Data: workstation | TTL: - | Timestamp: +71.933s
\TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc | Doc.Dropper.Agent-1398065 | ClamAV | 11
e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc | Doc.Dropper.Agent-1398065 | ClamAV | 40
The IsDebuggerPresent function can be used by a process to check if a debugger has been attached to it, or is currently active on the system. Malware authors often check for the presence of a debugger as this is an indication that the malware is being analysed. The malware may not run, or it may function differently, if a debugger is present, to make it more difficult to reverse-engineer its behavior. This is not an indicator of malicious activity as often legitimate programs import this function.
Categories forensics
Tags process, artifact, static, import, PE
Path | Artifact ID
448-lsm.exe | 17
Query ID: 45542 | Timestamp: +68.657s | Type: * | Data: workstation
Answers
Query ID | Timestamp | Type | Data | TTL
Query ID: 49059 | Timestamp: +71.933s | Type: * | Data: workstation
Answers
Query ID | Timestamp | Type | Data | TTL
TCP/IP Streams
Network Stream: 0
Src. IP: 0.0.0.0 | Src. Port: 68 | Dest. IP: 255.255.255.255 | Dest. Port: 67 | Transport: UDP | Artifacts: 0 | Packets: 3 | Bytes: 1002 | Timestamp: +68.086s
Network Stream: 1 (DHCP)
Src. IP: 172.16.185.18 | Src. Port: 68 | Dest. IP: 172.16.1.1 | Dest. Port: 67 | Transport: UDP | Artifacts: 0 | Packets: 2 | Bytes: 656 | Timestamp: +68.288s
Network Stream: 2
Src. IP: 172.16.185.18 | Src. Port: 137 | Dest. IP: 172.16.255.255 | Dest. Port: 137 | Transport: UDP | Artifacts: 0 | Packets: 16 | Bytes: 1536 | Timestamp: +68.505s
Network Stream: 3 (DNS)
Src. IP: 172.16.185.18 | Src. Port: 56187 | Dest. IP: 224.0.0.252 | Dest. Port: 5355 | Transport: UDP | Artifacts: 0 | Packets: 2 | Bytes: 114 | Timestamp: +68.56s
Network Stream: 4 (DNS)
Query ID | Timestamp | Type | Data | TTL
Src. IP: 172.16.185.18 | Src. Port: 53314 | Dest. IP: 224.0.0.252 | Dest. Port: 5355 | Transport: UDP | Artifacts: 0 | Packets: 2 | Bytes: 114 | Timestamp: +71.827s
Network Stream: 5
Src. IP: 172.16.185.18 | Src. Port: 138 | Dest. IP: 172.16.255.255 | Dest. Port: 138 | Transport: UDP | Artifacts: 0 | Packets: 5 | Bytes: 1069 | Timestamp: +74.7s
Processes
Name: WINWORD.EXE
PID: 1104 | Children: 0 | File Actions: 10 | Registry Actions: 618 | Analysis Reason: Is target sample.
Name: winlogon.exe
PID: 388 | Children: 0 | File Actions: 0 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: services.exe
PID: 432 | Children: 0 | File Actions: 0 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: lsass.exe
PID: 440 | Children: 0 | File Actions: 1 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: lsm.exe
PID: 448 | Children: 0 | File Actions: 0 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 560 | Children: 0 | File Actions: 0 | Registry Actions: 1 | Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 624 | Children: 0 | File Actions: 0 | Registry Actions: 3 | Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 676 | Children: 0 | File Actions: 4 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 788 | Children: 0 | File Actions: 0 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 824 | Children: 0 | File Actions: 1 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: wmiprvse.exe
PID: 904 | Children: 0 | File Actions: 2 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: OSPPSVC.EXE
PID: 912 | Children: 0 | File Actions: 0 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 1008 | Children: 0 | File Actions: 0 | Registry Actions: 0 | Analysis Reason: Process activity after target sample started.
Name: Explorer.EXE
PID: 1160 | Children: 0 | File Actions: 0 | Registry Actions: 1 | Analysis Reason: Process activity after target sample started.
Artifacts
Artifact 1: \Users\Administrator\AppData\Local\Te...8CABC5EC36A6B3C7.TMP
Src: disk | Imports: 0 | Type: - | SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 | Size: 512 | Exports: 0 | AV Sigs: 0 | MD5: bf619eac0cdf3f68d496ea9344137e8b
Artifact 2: \Users\Administrator\AppData\Local\Te...8D9CF3849F6D4680.TMP
Src: disk | Imports: 0 | Type: - | SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 | Size: 512 | Exports: 0 | AV Sigs: 0 | MD5: bf619eac0cdf3f68d496ea9344137e8b
Artifact 3: \Users\Administrator\AppData\Local\Te...AA4107F584A03207.TMP
Src: disk | Imports: 0 | Type: - | SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 | Size: 512 | Exports: 0 | AV Sigs: 0 | MD5: bf619eac0cdf3f68d496ea9344137e8b
Artifact 4: \Users\Administrator\AppData\Local\Te...1780D88CFBDA0CAD.TMP
Src: disk | Imports: 0 | Type: - | SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe | Size: 16384 | Exports: 0 | AV Sigs: 0 | MD5: ce338fe6899778aacfc28414f2d9498b
Artifact 5: \Users\Administrator\ntuser.dat.LOG1
Src: disk | Imports: 0 | Type: MS Windows registry file, NT/2000 or above | SHA256: 7c9408da03fa57630c1db72c0a1f5fe9df26db49e30781f3785f5ab067c80f5b | Size: 262144 | Exports: 0 | AV Sigs: 0 | MD5: f46de1325fca7c39dd79d4af9fe2906e
Artifact 6: \Windows\rescache\rc0004\ResCache.hit
Src: disk | Imports: 0 | Type: data | SHA256: 8e1278c3c633cdc242f95165d5ee25b6794094b0b4c4610c5228f23d1860fdb6 | Size: 4224 | Exports: 0 | AV Sigs: 0 | MD5: 9a4c29f899626568bb88f0c9e8a4451b
Artifact 7: \Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd
Src: disk | Imports: 0 | Type: data | SHA256: bb4bbe039d58179d23d912bbb2922345973a66cc6dee8f69be6a53017664e03a | Size: 147284 | Exports: 0 | AV Sigs: 0 | MD5: 169365d0096a8c63837aa4b2894baed6
Artifact 8: \Users\Administrator\AppData\Local\Mi...B2-DE2176E172F4}.tmp
Src: disk | Imports: 0 | Type: - | SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31 | Size: 65536 | Exports: 0 | AV Sigs: 0 | MD5: fcd6bcb56c1689fcef28b57c22475bad
Artifact 9: \Users\Administrator\AppData\Local\Mi...CE-9518D2BE8E0B}.tmp
Src: disk | Imports: 0 | Type: - | SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Related to: artifact 41
Modified by: 1104 (WINWORD.EXE)
Modified by: 1104 (WINWORD.EXE)
Modified by: 1104 (WINWORD.EXE)
Size: 0
Exports: 0
AV Sigs: 0
MD5: d41d8cd98f00b204e9800998ecf8427e
Artifact 10: \Users\Administrator\AppData\Local\Temp\CVR494B.tmp.cvr
Src: disk
Imports: 0
Type:
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Size: 0
Exports: 0
AV Sigs: 0
MD5: d41d8cd98f00b204e9800998ecf8427e
Artifact 11: \TEMP\e5cbeeaec2935cc0008353ea304af53...634fd1faa62c6fce.doc
Src: disk
Imports: 0
Type: DOC - Composite Document File V2 Document, Little Endian,...
SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce
Size: 110080
Exports: 0
AV Sigs: 1
MD5: 35c2ea75be38d1d1cb902bef11d83993
Artifact 12: \Users\Administrator\AppData\Roaming\...plates\~$Normal.dotm
Src: disk
Imports: 0
Type: DOTX - data
SHA256: 95e3109930d9f672b868d08edcaae494427b9e916dc0e39a05335bedcae07c29
Size: 162
Exports: 0
AV Sigs: 0
MD5: 90ce4d001f66f72d01b76e72d54dd4ff
Artifact 13: \Users\Administrator\AppData\Roaming\...d1faa62c6fce.doc.LNK
Src: disk
Imports: 0
Type: LNK - MS Windows shortcut, Item id list present, Points t...
SHA256: fc0a4d6447d50b2c068cf550df5920e54d96f871504df5f920e79e4fbf301f54
Size: 822
Exports: 0
AV Sigs: 0
MD5: 30be0991d24e79b431de8ceef40f1cb2
Artifact 14: \Users\Administrator\AppData\Local\Mi...1B-5E2E3B2B0184}.tmp
Src: disk
Imports: 0
Type: data
Modified by: 1104 (WINWORD.EXE)
Related to: 432 (services.exe)
Related to: 448 (lsm.exe)
SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
Size: 1024
Exports: 0
AV Sigs: 0
MD5: 5d4d94ee7e06bbb0af9584119797b23a
Artifact 15: \Users\Administrator\AppData\Roaming\...ice\Recent\index.dat
Src: disk
Imports: 0
Type: data
SHA256: e63ae18c3f5e56219212e1c2d9c0a2272967de9cd62d132079e6530c16ee2db3
Size: 1076
Exports: 0
AV Sigs: 0
MD5: 824742e880e32b80d35e011ef9414473
Artifact 16: 432-services.exe
Src: memory
Imports: 299
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 0a890a122ab8d09e4e48505f8beab9233c25e69c789e04dc858ef29585ea7725
Size: 259072
Exports: 0
AV Sigs: 0
MD5: 003697e1a2120659d51cfe3abcd52ed6
Artifact 17: 448-lsm.exe
Src: memory
Imports: 245
Type: PE - PE32 executable (console) Intel 80386, for MS Windows
SHA256: 272fb520e9682f2a0a1e6eea43f4dd3edd0e4eb94850655f90001930c2f06bfd
Size: 267776
Exports: 0
AV Sigs: 0
MD5: 44200f2dcbb69fa1baa440a64777b95b
Artifact 18: executable.1148.exe
Src: memory
Imports: 0
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 2b7880e8d3af254897b9c4531f917f303d0bbcbcbd85c587b54fc054a6b8b464
Size: 92672
Exports: 0
AV Sigs: 0
MD5: 7a289315e62ebe3094bfffe4cc3a65df
Artifact 19: executable.340.exe
Src: memory
Imports: 0
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 3202e16f49037d52f938ce2ad100335acc0655e2c264d98bdf5f451efa35e2f9
Size: 96256
Related to: 624 (svchost.exe)
Related to: 676 (svchost.exe)
Exports: 0 | AV Sigs: 0 | MD5: a4d935bcc4a4cb1045b22f74740e6587
Artifact 20: 624-svchost.exe
Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 3b224f97bf352fa6406ec72e39d254cc8aa388cf00ba5ae84d14ec6ec6478e48 | Size: 20992 | Exports: 0 | AV Sigs: 0 | MD5: 92b91920efe0421a2baf44ae2923a49e
Artifact 21: executable.884.exe
Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 4b7cfe0aabe9832096dd97ba3bcb07106c3c8eb2ee3018a2f05cb43a95b0f84d | Size: 20992 | Exports: 0 | AV Sigs: 0 | MD5: 33501164f9565f7f2b678d61e5edbcc3
Artifact 22: executable.1976.exe
Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 50cc1b6dabcb827d2c0d87ed72e84252fcfd056570dfe76cafb16722c99b57ed | Size: 20992 | Exports: 0 | AV Sigs: 0 | MD5: 4bd2d60a5531d0e02a5609aa738531d3
Artifact 23: 676-svchost.exe
Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 5d943a0d5231a19f06e166f53cbf42072ba72ece0c4464c5eb95ce30fe7c6c85 | Size: 20992 | Exports: 0 | AV Sigs: 0 | MD5: 75d1d84939021d5e28484a05c856063f
Artifact 24: executable.540.exe
Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 5df31b0a945534b70520ca6bf6a836a295090d036758ff3c93d4528d5b1d527e | Size: 141824 | Exports: 0 | AV Sigs: 0 | MD5: 9d62d4a1d97323269d29208ed4971552
Related to: 788 (svchost.exe)
Related to: 560 (svchost.exe)
Related to: 1104 (WINWORD.EXE)
Artifact 25: executable.348.exe
Src: memory
Imports: 0
Type: PE - PE32 executable (native) Intel 80386, for MS Windows
SHA256: 60f42c2127ad04f84b3ec0b58bad59710c23b459d33762e32a9cbdeb045453eb
Size: 6144
Exports: 0
AV Sigs: 0
MD5: 0be80e8147962cc776054f9780270fac
Artifact 26: 788-svchost.exe
Src: memory
Imports: 98
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 879da756ff518b7908fa90f4e323f17f78bb5a3aadf5d3a6f73515c11004043c
Size: 20992
Exports: 0
AV Sigs: 0
MD5: 26d71a676c7a77ffa4cba826c08e9016
Artifact 27: 560-svchost.exe
Src: memory
Imports: 98
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 898ecaad4941e1b41b26a5fe3104e8ffb94a005a82b71f17f9593604288d045b
Size: 20992
Exports: 0
AV Sigs: 0
MD5: 74db76f94a70bc633aed2a94ae10a5f5
Artifact 28: 1104-WINWORD.EXE
Src: memory
Imports: 57
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: 8aa46afb000892b40198c1498ad2f69432bda64c9e5aaaf5f1f847f6f6531e27
Size: 1416192
Exports: 0
AV Sigs: 0
MD5: 28d0fcf57721351f7224ed461e4c7232
Artifact 29: executable.208.exe
Src: memory
Imports: 0
Type: PE - PE32 executable (native) Intel 80386, for MS Windows
SHA256: 8c4883c367ce250ad150ac104fd14d94ff58c413ce341dfd0098927a4a0a3968
Size: 69632
Exports: 0
AV Sigs: 0
MD5: 6b673f258a38c5a68828d477ecc8ace5
Artifact 30: executable.1604.exe
Src: memory
Related to: 388 (winlogon.exe)
Related to: 824 (svchost.exe)
Related to: 1008 (svchost.exe)
Related to: 1160 (Explorer.EXE)
Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 8d5e184df895b4fec4d0f6a513bcba252022e4679f5c92cf1b18729104370ac6 | Size: 49152 | Exports: 0 | AV Sigs: 0 | MD5: 21e05b77c7d0c262fae72932f65b646d
Artifact 31: 388-winlogon.exe
Src: memory | Imports: 338 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: 8e20ea3184bf7bb065ad51d26159f386d551a5ddde646b0669fa2d58c9cfe7bd | Size: 286720 | Exports: 0 | AV Sigs: 0 | MD5: 217ae145e13184357ff7cf7191a1fb7a
Artifact 32: executable.292.exe
Src: memory | Imports: 0 | Type: PE - PE32 executable (native) Intel 80386, for MS Windows | SHA256: aada648873c89f8c7fdabb5c94672c1db6c8d878748abf43bcc6010965b1f5a2 | Size: 6144 | Exports: 0 | AV Sigs: 0 | MD5: 60e8fb609b096db6a11cc1ce2129faa1
Artifact 33: 824-svchost.exe
Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: ae5080cac58b1faf8f0841c0e1e85a3f6a7a55d626368c1f150ed6377884ed06 | Size: 20992 | Exports: 0 | AV Sigs: 0 | MD5: f07b8e93568ca5ecb9a7d66a04147f98
Artifact 34: 1008-svchost.exe
Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: bab30518bdb484b53871a1737d7d56c19962991c176869c170bce7b04839c8e3 | Size: 20992 | Exports: 0 | AV Sigs: 0 | MD5: a7ec42706419643dfeb82aba34ec12d4
Artifact 35: 1160-Explorer.EXE
Src: memory | Imports: 500 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | SHA256: bc00bcf96b757db683e962fc9ad5d0ce8c9c40bdcb4ae6e6d500ea7d46f480a2
Related to: 912 (OSPPSVC.EXE)
Related to: 440 (lsass.exe)
Related to: artifact 65
Size: 2616320
Exports: 0
AV Sigs: 0
MD5: 4b846e12badc6bbf2ee9301bfe3e89e4
Artifact 36: 912-OSPPSVC.EXE
Src: memory
Imports: 215
Type: PE - PE32 executable (console) Intel 80386, for MS Windows
SHA256: dd399d329b7609863ccdc0c31e0b71285967563950418987346c2d35efbcd301
Size: 4633088
Exports: 0
AV Sigs: 0
MD5: 530ea7d84c8adb3c31899abc93afa748
Artifact 37: executable.1300.exe
Src: memory
Imports: 0
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: e4ee98c0cbe5beea324a4c22d32b1e0cdbef05f0ea7da7c2a3d1a98d8b40ab8b
Size: 20992
Exports: 0
AV Sigs: 0
MD5: 9162f2459c6e468f250a95f31466436d
Artifact 38: 440-lsass.exe
Src: memory
Imports: 91
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: e64e492005ca0ae44ed67937666a5ececdb68b836a96ddd8009c83a2e357c38c
Size: 22528
Exports: 0
AV Sigs: 0
MD5: 205ad3669c371e43b969ebc82c8e9396
Artifact 39: executable.1688.exe
Src: memory
Imports: 0
Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows
SHA256: f02ae58e4aaf00714172f165a054ab3adb4c3b3eaea5e6faf14a5dd9f7ac3c0c
Size: 20992
Exports: 0
AV Sigs: 0
MD5: 443caf7b57db8841b19f20dee7f34fd9
Artifact 40: e5cbeeaec2935cc0008353ea304af53ea243d...634fd1faa62c6fce.doc
Src: submitted
Imports: 0
Type: DOC - Composite Document File V2 Document, Little Endian,...
SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce
Size: 110080
Exports: 0
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
AV Sigs: 1 | MD5: 35c2ea75be38d1d1cb902bef11d83993
Artifact 41: \data
Src: extracted | Imports: 0 | Type: data | SHA256: cf171cc1c525c7e8069ae1d6e0e42a4593ec934d7721364a0b926ce806a52845 | Size: 11413 | Exports: 0 | AV Sigs: 0 | MD5: 644a29d62742fb2b4390d8e9ac05265d
Artifact 42: \1table
Src: extracted | Imports: 0 | Type: data | SHA256: ab31e984ffe872ab579f6f3540c321584002d545c8cd005972f24704da1d2adc | Size: 14005 | Exports: 0 | AV Sigs: 0 | MD5: 7f56724b4a25a76dea8aa693a0f3a1d3
Artifact 43: \worddocument
Src: extracted | Imports: 0 | Type: data | SHA256: 9fab2a3ea625db4f60a71d98ef9ce7e36b76fb5a1daf0964edc6885da793888f | Size: 13984 | Exports: 0 | AV Sigs: 0 | MD5: 99afc824fe8bc37b51f37094c88d0a7a
Artifact 44: \s\\5summaryinformation
Src: extracted | Imports: 0 | Type: data | SHA256: fb149c6c04c691d966e79ac721baa60594e0080b7aad9e5ee333b09dabfd83ae | Size: 4096 | Exports: 0 | AV Sigs: 0 | MD5: abc6163c6f064e5b3fba76533fcf6e8d
Artifact 45: \s\\5documentsummaryinformation
Src: extracted | Imports: 0 | Type: data | SHA256: 138794ad0e2b2547cd4607eaf6c7ea80066488b51e355c5601fc974c40975365 | Size: 4096 | Exports: 0 | AV Sigs: 0 | MD5: 7ae8730c9fd5e7a1764fd7cb548ff325
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Artifact 46: \macros\vba\thisdocument
Src: extracted | Imports: 0 | Type: data | SHA256: a2948ce234760f39b55eee26875c77d2cb0c89899847afabf2273a3ffe554540 | Size: 7814 | Exports: 0 | AV Sigs: 0 | MD5: 1d4ac259729f17a70b969d6119b6d984
Artifact 47: \macros\vba\__srp_2
Src: extracted | Imports: 0 | Type: data | SHA256: 5b1135837c41d13bfbb0268570ac5b33aecda81b4bc1d8e8d2dcc19241200b4b | Size: 3112 | Exports: 0 | AV Sigs: 0 | MD5: 77fc0fc2c43bc1c8a86d74241e86980b
Artifact 48: \macros\vba\__srp_3
Src: extracted | Imports: 0 | Type: data | SHA256: 52e5272bf4b5089e132b837e0dc995e131258ad137d32e47ad6a2472fd617993 | Size: 1430 | Exports: 0 | AV Sigs: 0 | MD5: 1cda4e58359f3a1d8004a7c3c31d7afc
Artifact 49: \macros\vba\kadlcyihk
Src: extracted | Imports: 0 | Type: data | SHA256: 40340db6e6e1d28089cf9738d5d40795031b8c7812adb35e62619e32bd02897b | Size: 1181 | Exports: 0 | AV Sigs: 0 | MD5: a9be4ede135e6d9360f6dc1503f85af8
Artifact 50: \macros\vba\xesuifuquqjcprl
Src: extracted | Imports: 0 | Type: data | SHA256: f2c0f9b893a4487b31bc61baa385e00e7962d5c7918d71872e6b5217caee19b5 | Size: 5169 | Exports: 0 | AV Sigs: 0 | MD5: c4ce549dacf4d66d1f4685814fe5508b
Artifact 51: \macros\vba\tckkopvxvcxb
Src: extracted
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Imports: 0 | Type: data | SHA256: 919eb71476c664d33c2f66ff9a387871d7f27ff1970bf7a85850a2dc0f087f59 | Size: 5602 | Exports: 0 | AV Sigs: 0 | MD5: fe698826aeaa43b22bab08d76e9724cc
Artifact 52: \macros\vba\zzqurfe1
Src: extracted | Imports: 0 | Type: data | SHA256: f9de38ee5b50f6e7cf9e9d0945e5e2bdf178b682a56ac2af9ad245d809061bf4 | Size: 3645 | Exports: 0 | AV Sigs: 0 | MD5: a8aa2b121b18cc867df8aba5dd578806
Artifact 53: \macros\vba\ygkkmfpvl
Src: extracted | Imports: 0 | Type: data | SHA256: af65895afc2735887bb090c7eb3726bffbfd2f1b2db7d8391a7cb4e2418ecd42 | Size: 4007 | Exports: 0 | AV Sigs: 0 | MD5: d5faf98cefff312e8721f0f1e6fc49e3
Artifact 54: \macros\vba\_vba_project
Src: extracted | Imports: 0 | Type: data | SHA256: e9d688db1f738942534b298fb38ce371d086cb37ef1f96d77a8ecfdaa3b002e9 | Size: 7830 | Exports: 0 | AV Sigs: 0 | MD5: e8f82685ef9283077b91968d2fe4dccc
Artifact 55: \macros\vba\dir
Src: extracted | Imports: 0 | Type: data | SHA256: bbc5a0603ce661c12f76999cc8ed276549454ad91ef6de55cfd2baa0f075165b | Size: 1057 | Exports: 0 | AV Sigs: 0 | MD5: 399873f862464a45f38e7fb3a1da1280
Artifact 56: \macros\vba\__srp_0
Src: extracted | Imports: 0 | Type: data | SHA256: a3df7bba43243b315c30db226ad95a22ac4c6d70fe79ad411371b05ac7f1df69
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Size: 2988 | Exports: 0 | AV Sigs: 0 | MD5: 8b955f3a2b8386848a1ec1722b2ad6fb
Artifact 57: \macros\vba\__srp_1
Src: extracted | Imports: 0 | Type: data | SHA256: 124fc78beac03408cb19978deb3f15fb38f792e00570fa57df3de564a43c52ec | Size: 537 | Exports: 0 | AV Sigs: 0 | MD5: 1855eb0c4b91ed82a1f964b6363a4e81
Artifact 58: \macros\kadlcyihk\f
Src: extracted | Imports: 0 | Type: data | SHA256: 1122b587307c15f6bc14fe6c9b2a499cc505cda826f81671ca784d8cbbcb16e1 | Size: 2386 | Exports: 0 | AV Sigs: 0 | MD5: 3b5d20900a1943776037babc69821da4
Artifact 59: \macros\kadlcyihk\o
Src: extracted | Imports: 0 | Type: data | SHA256: b0635c9dcebe4d35240ff49fd9252438149ec75317a059a51123c096811823fb | Size: 4492 | Exports: 0 | AV Sigs: 0 | MD5: 3c5a87c70e0e25dd5a0de39a8ce60d0f
Artifact 60: \macros\kadlcyihk\s\\1compobj
Src: extracted | Imports: 0 | Type: data | SHA256: 057e3d39cd6e6b882c9cebfb56920db712f49cd628b35bf58e1fd544c0bea20b | Size: 97 | Exports: 0 | AV Sigs: 0 | MD5: 8b485527ad9d96fe72d3fba385f0ad95
Artifact 61: \macros\kadlcyihk\s\\3vbframe
Src: extracted | Imports: 0 | Type: ASCII text, with CRLF line terminators | SHA256: a29a3aed6332864847289f3b9c0bfb0f6bbcf533a52fdebf7375e8626f92552c | Size: 296 | Exports: 0 | AV Sigs: 0
Related to: artifact 11
Related to: artifact 11
Related to: artifact 11
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
MD5: 9644d7f5a99bc93fa45867e6d54e7329
Artifact 62: \macros\projectwm
Src: extracted | Imports: 0 | Type: data | SHA256: aacc2c9c7b95c254d9cfec5965022f160c676080b9fe1a47320fb29ed927d4a0 | Size: 215 | Exports: 0 | AV Sigs: 0 | MD5: 7f6bc44e5b93723c31e18ed591dfaf87
Artifact 63: \macros\project
Src: extracted | Imports: 0 | Type: ASCII text, with CRLF line terminators | SHA256: bb21fcdda8d0ad7fcf20895542c3f5b88039cfb8bcf49d97325d8117ceb1454d | Size: 702 | Exports: 0 | AV Sigs: 0 | MD5: dc177f6ab2b99e1af9db963574b7a011
Artifact 64: \s\\1compobj
Src: extracted | Imports: 0 | Type: data | SHA256: f70fe384c672865fff4bb8ab60d73098bc751e8f2aa915b8aff2e2085648b428 | Size: 114 | Exports: 0 | AV Sigs: 0 | MD5: 367e9d6e505ece35eba2c1469c5cd664
Artifact 65: \data
Src: extracted | Imports: 0 | Type: data | SHA256: cf171cc1c525c7e8069ae1d6e0e42a4593ec934d7721364a0b926ce806a52845 | Size: 11413 | Exports: 0 | AV Sigs: 0 | MD5: 644a29d62742fb2b4390d8e9ac05265d
Artifact 66: \1table
Src: extracted | Imports: 0 | Type: data | SHA256: ab31e984ffe872ab579f6f3540c321584002d545c8cd005972f24704da1d2adc | Size: 14005 | Exports: 0 | AV Sigs: 0 | MD5: 7f56724b4a25a76dea8aa693a0f3a1d3
Artifact 67: \worddocument
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Src: extracted | Imports: 0 | Type: data | SHA256: 9fab2a3ea625db4f60a71d98ef9ce7e36b76fb5a1daf0964edc6885da793888f | Size: 13984 | Exports: 0 | AV Sigs: 0 | MD5: 99afc824fe8bc37b51f37094c88d0a7a
Artifact 68: \s\\5summaryinformation
Src: extracted | Imports: 0 | Type: data | SHA256: fb149c6c04c691d966e79ac721baa60594e0080b7aad9e5ee333b09dabfd83ae | Size: 4096 | Exports: 0 | AV Sigs: 0 | MD5: abc6163c6f064e5b3fba76533fcf6e8d
Artifact 69: \s\\5documentsummaryinformation
Src: extracted | Imports: 0 | Type: data | SHA256: 138794ad0e2b2547cd4607eaf6c7ea80066488b51e355c5601fc974c40975365 | Size: 4096 | Exports: 0 | AV Sigs: 0 | MD5: 7ae8730c9fd5e7a1764fd7cb548ff325
Artifact 70: \macros\vba\thisdocument
Src: extracted | Imports: 0 | Type: data | SHA256: a2948ce234760f39b55eee26875c77d2cb0c89899847afabf2273a3ffe554540 | Size: 7814 | Exports: 0 | AV Sigs: 0 | MD5: 1d4ac259729f17a70b969d6119b6d984
Artifact 71: \macros\vba\__srp_2
Src: extracted | Imports: 0 | Type: data | SHA256: 5b1135837c41d13bfbb0268570ac5b33aecda81b4bc1d8e8d2dcc19241200b4b | Size: 3112 | Exports: 0 | AV Sigs: 0 | MD5: 77fc0fc2c43bc1c8a86d74241e86980b
Artifact 72: \macros\vba\__srp_3
Src: extracted | Imports: 0 | Type: data
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
SHA256: 52e5272bf4b5089e132b837e0dc995e131258ad137d32e47ad6a2472fd617993 | Size: 1430 | Exports: 0 | AV Sigs: 0 | MD5: 1cda4e58359f3a1d8004a7c3c31d7afc
Artifact 73: \macros\vba\kadlcyihk
Src: extracted | Imports: 0 | Type: data | SHA256: 40340db6e6e1d28089cf9738d5d40795031b8c7812adb35e62619e32bd02897b | Size: 1181 | Exports: 0 | AV Sigs: 0 | MD5: a9be4ede135e6d9360f6dc1503f85af8
Artifact 74: \macros\vba\xesuifuquqjcprl
Src: extracted | Imports: 0 | Type: data | SHA256: f2c0f9b893a4487b31bc61baa385e00e7962d5c7918d71872e6b5217caee19b5 | Size: 5169 | Exports: 0 | AV Sigs: 0 | MD5: c4ce549dacf4d66d1f4685814fe5508b
Artifact 75: \macros\vba\tckkopvxvcxb
Src: extracted | Imports: 0 | Type: data | SHA256: 919eb71476c664d33c2f66ff9a387871d7f27ff1970bf7a85850a2dc0f087f59 | Size: 5602 | Exports: 0 | AV Sigs: 0 | MD5: fe698826aeaa43b22bab08d76e9724cc
Artifact 76: \macros\vba\zzqurfe1
Src: extracted | Imports: 0 | Type: data | SHA256: f9de38ee5b50f6e7cf9e9d0945e5e2bdf178b682a56ac2af9ad245d809061bf4 | Size: 3645 | Exports: 0 | AV Sigs: 0 | MD5: a8aa2b121b18cc867df8aba5dd578806
Artifact 77: \macros\vba\ygkkmfpvl
Src: extracted | Imports: 0 | Type: data | SHA256: af65895afc2735887bb090c7eb3726bffbfd2f1b2db7d8391a7cb4e2418ecd42 | Size: 4007 | Exports: 0
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
AV Sigs: 0 | MD5: d5faf98cefff312e8721f0f1e6fc49e3
Artifact 78: \macros\vba\_vba_project
Src: extracted | Imports: 0 | Type: data | SHA256: e9d688db1f738942534b298fb38ce371d086cb37ef1f96d77a8ecfdaa3b002e9 | Size: 7830 | Exports: 0 | AV Sigs: 0 | MD5: e8f82685ef9283077b91968d2fe4dccc
Artifact 79: \macros\vba\dir
Src: extracted | Imports: 0 | Type: data | SHA256: bbc5a0603ce661c12f76999cc8ed276549454ad91ef6de55cfd2baa0f075165b | Size: 1057 | Exports: 0 | AV Sigs: 0 | MD5: 399873f862464a45f38e7fb3a1da1280
Artifact 80: \macros\vba\__srp_0
Src: extracted | Imports: 0 | Type: data | SHA256: a3df7bba43243b315c30db226ad95a22ac4c6d70fe79ad411371b05ac7f1df69 | Size: 2988 | Exports: 0 | AV Sigs: 0 | MD5: 8b955f3a2b8386848a1ec1722b2ad6fb
Artifact 81: \macros\vba\__srp_1
Src: extracted | Imports: 0 | Type: data | SHA256: 124fc78beac03408cb19978deb3f15fb38f792e00570fa57df3de564a43c52ec | Size: 537 | Exports: 0 | AV Sigs: 0 | MD5: 1855eb0c4b91ed82a1f964b6363a4e81
Artifact 82: \macros\kadlcyihk\f
Src: extracted | Imports: 0 | Type: data | SHA256: 1122b587307c15f6bc14fe6c9b2a499cc505cda826f81671ca784d8cbbcb16e1 | Size: 2386 | Exports: 0 | AV Sigs: 0 | MD5: 3b5d20900a1943776037babc69821da4
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Related to: artifact 40
Artifact 83: \macros\kadlcyihk\o
Src: extracted | Imports: 0 | Type: data | SHA256: b0635c9dcebe4d35240ff49fd9252438149ec75317a059a51123c096811823fb | Size: 4492 | Exports: 0 | AV Sigs: 0 | MD5: 3c5a87c70e0e25dd5a0de39a8ce60d0f
Artifact 84: \macros\kadlcyihk\s\\1compobj
Src: extracted | Imports: 0 | Type: data | SHA256: 057e3d39cd6e6b882c9cebfb56920db712f49cd628b35bf58e1fd544c0bea20b | Size: 97 | Exports: 0 | AV Sigs: 0 | MD5: 8b485527ad9d96fe72d3fba385f0ad95
Artifact 85: \macros\kadlcyihk\s\\3vbframe
Src: extracted | Imports: 0 | Type: ASCII text, with CRLF line terminators | SHA256: a29a3aed6332864847289f3b9c0bfb0f6bbcf533a52fdebf7375e8626f92552c | Size: 296 | Exports: 0 | AV Sigs: 0 | MD5: 9644d7f5a99bc93fa45867e6d54e7329
Artifact 86: \macros\projectwm
Src: extracted | Imports: 0 | Type: data | SHA256: aacc2c9c7b95c254d9cfec5965022f160c676080b9fe1a47320fb29ed927d4a0 | Size: 215 | Exports: 0 | AV Sigs: 0 | MD5: 7f6bc44e5b93723c31e18ed591dfaf87
Artifact 87: \macros\project
Src: extracted | Imports: 0 | Type: ASCII text, with CRLF line terminators | SHA256: bb21fcdda8d0ad7fcf20895542c3f5b88039cfb8bcf49d97325d8117ceb1454d | Size: 702 | Exports: 0 | AV Sigs: 0 | MD5: dc177f6ab2b99e1af9db963574b7a011
Artifact 88: \s\\1compobj
Src: extracted
Imports: 0 | Type: data | SHA256: f70fe384c672865fff4bb8ab60d73098bc751e8f2aa915b8aff2e2085648b428 | Size: 114 | Exports: 0 | AV Sigs: 0 | MD5: 367e9d6e505ece35eba2c1469c5cd664
Registry Activity
Created Keys
Deleted Keys
Modified Keys
Deleted Key Values
Filesystem Activity
Files Created: 1 | Files Read: 22 | Files Modified: 13 | Files Deleted: 2
All information contained in this report is confidential and proprietary information belonging solely to ThreatGRID, Inc.
This document is client confidential and is intended for internal customer use only. The information contained herein is the property of ThreatGRID and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written permission of ThreatGRID.
Generated by ThreatBRAIN