
Analysis Report

Overview

General Information

Analysis ID: 58944
Start time: 23:56:41
Start date: 10/03/2015
Overall analysis duration: 0h 3m 2s
Report type: full
Sample file name: C2840591748.doc
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2007, Java 1.6.0, Acrobat Reader 9.4.6, Internet Explorer 8, Firefox 8.0.1, Chrome 15)
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
HCA enabled: true
HCA success:
  • true, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Internet access has been disabled
Warnings:
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationProcess calls found.


Detection

StrategyReport FP/FN
Threshold malicious


Signature Overview


Networking:

URLs found in memory or binary data
Source: WINWORD.EXE; String found in binary or memory: http://www.ilaunchmanager.com/x/wp-content/plugins/fb-infil
Source: vbaProject.bin; String found in binary or memory: http://www.ilaunchmanager.com/x/wp-content/plugins/fb-infiltrator-personal/dl.php
Downloads files
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{281214E6-2F48-4949-A0EC-D8DCA1F7F523}.tmp

System Summary:

Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Key opened: HKEY_USERS\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; File opened: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: t:\oleo\x86\ship\0\Cultures\office.pdb source: WINWORD.EXE
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; File created: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\C2840591748.doc.LNK
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tst3.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; File read: C:\Documents and Settings\Administrator\Application Data\desktop.ini
Enables driver privileges
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Process token adjusted: Load Driver
Tries to load missing DLLs
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Section loaded: xpsp2res.dll
Document contains an embedded VBA macro which executes code when the document is opened
Source: vbaProject.bin; Binary or memory string: Document_Open
Document contains an embedded VBA macro which may execute processes
Source: vbaProject.bin; Binary or memory string: ShellExecute
Document contains an embedded VBA macro with suspicious strings
Source: vbaProject.bin; Binary or memory string: ShellExecuteA
Source: vbaProject.bin; Binary or memory string: URLDownloadToFileA
Source: vbaProject.bin; Binary or memory string: >urlmonE=
Source: vbaProject.bin; Binary or memory string: ShellExecute
Source: vbaProject.bin; Binary or memory string: URLDownloadToFile
Source: vbaProject.bin; Binary or memory string: urlmonX
Unable to load, office file is protected or invalid
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Window title found: microsoft office word okword cannot start the converter mswrd632.wpc.show h&elp >>

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE; Binary or memory string: Progman
Source: WINWORD.EXE; Binary or memory string: Program Manager
Source: WINWORD.EXE; Binary or memory string: Shell_TrayWnd

Anti Debugging and Sandbox Evasion:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Memory protected: page read and write and page guard
Is looking for software installed on the system
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Registry key enumerated: More than 282 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE TID: 1048; Thread sleep time: -60000ms >= -60000ms

Virtual Machine Detection:

May have tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: WINWORD.EXE; Binary or memory string: \??\C:\WINDOWS\system32\VBoxService.exe
Source: WINWORD.EXE; Binary or memory string: \??\C:\WINDOWS\system32\VBoxTray.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Registry key monitored for changes: \REGISTRY\USER

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Queries volume information: C:\C2840591748.doc VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE; Queries volume information: C:\Documents and Settings\Administrator\Application Data\Microsoft\UProof\CUSTOM.DIC VolumeInformation

Yara Overview

No Yara matches
