MR - Performance TOP-1801220818.doc
This report is generated from a file or URL submitted to this webservice on March 22nd 2018 15:05:38 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Indicators
-
Malicious Indicators 2
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "AutoClose" which indicates: "Runs when the Word document is closed"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string that indicates auto-execute behavior
- details
- Found keyword "AutoClose" which indicates: "Runs when the Word document is closed"
- source
- File/Memory
- relevance
- 10/10
-
Suspicious Indicators 5
-
Exploit/Shellcode
-
Found URL in decoded VBA string
- details
-
Pattern match: "www.cpearson.com"
Heuristic match: "cpearson.com"
- source
- File/Memory
- relevance
- 10/10
-
General
-
Found a potential E-Mail address in binary/memory
- source
- File/Memory
- relevance
- 3/10
-
Network Related
-
Found potential IP address in binary/memory
- source
- File/Memory
- relevance
- 3/10
-
Unusual Characteristics
-
Contains embedded VBA macros with interesting strings
- details
-
Found pattern type "E-mail address" with value: "chip@cpearson.com"
Found pattern type "Executable file name" with value: "cpearson.com"
Found pattern type "Executable file name" with value: "SSEUNZIP.EXE"
Found pattern type "IPv4 address" with value: "2.1.7.5"
Found pattern type "Executable file name" with value: "winmm.dll"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
Found suspicious keyword "system" which indicates: "May run an executable file or a system command on a Mac (if combined with libc.dylib)"
Found suspicious keyword "VBProject" which indicates: "May attempt to modify the VBA code (self-modification)"
Found suspicious keyword "VBComponents" which indicates: "May attempt to modify the VBA code (self-modification)"
Found suspicious keyword "CodeModule" which indicates: "May attempt to modify the VBA code (self-modification)"
Found suspicious keyword "Application.Visible" which indicates: "May hide the application"
Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
Found suspicious keyword "command" which indicates: "May run PowerShell commands"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "vbHide" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Print #" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "MkDir" which indicates: "May create a directory"
- source
- Static Parser
- relevance
- 10/10
-
Informative 13
-
General
-
Contains embedded VBA macros
- details
- details too long to display
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded VBA macros (normalized)
- source
- File/Memory
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DF4DF6A7ACBFB750F0.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6C050000
- source
- Loaded Module
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "L{G")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "BKH")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "<WG")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source
- Registry Access
- relevance
- 10/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "mspim_wnd32"
- source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Dropped files
- details
-
"MR - Performance TOP-1801220818.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Mar 22 14:07:49 2018 mtime=Thu Mar 22 14:07:49 2018 atime=Thu Mar 22 14:08:09 2018 length=2136576 window=hide"
"~$ - Performance TOP-1801220818.doc" has type "data"
"index.dat" has type "data"
"~WRS{DAE0F021-F3C4-48D0-AE5C-E98090D046B0}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~WRS{259639B6-B57A-4512-B5A3-2860A7EE1CF7}.tmp" has type "data"
"~WRS{79DA42D8-F79E-440C-9CCF-A3BE008F4EA3}.tmp" has type "data"
"MSForms.exd" has type "data"
"~$Normal.dotm" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DAE0F021-F3C4-48D0-AE5C-E98090D046B0}.tmp"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- source
- Hook Detection
- relevance
- 10/10
File Details
MR - Performance TOP-1801220818.doc
- Filename
- MR - Performance TOP-1801220818.doc
- Size
- 2MiB (2136576 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Service Proposal, Author: David Horowitz, Comments: Service Proposal v1.7.3.75_V011_01_01_20171207_Release.doc, Template: CurrentfirstPage.dot, Last Saved By: Z003MPUF-S01, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 22 13:19:00 2018, Last Saved Time/Date: Mon Jan 22 14:15:00 2018, Number of Pages: 1, Number of Words: 10488, Number of Characters: 59787,
- Architecture
- WINDOWS
- SHA256
- 774fd50cb45704bc7e774b4816213a4007de80ac3d6f5b749cefe96d1bca34a5
- MD5
- a87f972949c2f04b5c87a4f9ee7311c0
- SHA1
- c68b17f82ac7366a2592804e8d6672908acd653b
Classification (TrID)
- 35.9% (.DOC) Microsoft Word document
- 33.7% (.XLS) Microsoft Excel sheet
- 21.3% (.DOC) Microsoft Word document (old ver.)
- 8.9% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\MR - Performance TOP-1801220818.doc" (PID: 3128)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
-
Informative 8
-
-
MR - Performance TOP-1801220818.LNK
- Size
- 568B (568 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Mar 22 14:07:49 2018, mtime=Thu Mar 22 14:07:49 2018, atime=Thu Mar 22 14:08:09 2018, length=2136576, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 41351ef02eda0fb453cbbad24d60f607
- SHA1
- 6ef4f644a87aa27e914865b2eaf57c620eb47a1b
- SHA256
- 6a7492a30b094cdceb4592fc3d04ce9f84d707134a9c5596c1ffcc12f5599585
-
index.dat
- Size
- 191B (191 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 8f4b66affd43b6c448f4bb60bf5a7c4e
- SHA1
- 2c6df377546b1ac4fef7683ed2cd63975720a692
- SHA256
- 56084177bd462154e35bdc3d9242e7f3e5d4216a53c684baf30bda79057deaa5
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 3d482db4fa6c03062220be9b4eced4e0
- SHA1
- d7c1d6912440c0a4c2be2ff7e2b4416130910702
- SHA256
- fa384958da8de72898e3f0d553e5f3055f256297cbd1cd6085b5453787dc7866
-
~WRS{259639B6-B57A-4512-B5A3-2860A7EE1CF7}.tmp
- Size
- 80B (80 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 2a8b3cda266e79f70d5bcee1db65f687
- SHA1
- 039b49b11e9640430f877aa3d2abdc66bc4786a9
- SHA256
- a1718fd1e84efd02a2fee7414fce8b94b293fff8345e9658f95de0a324384e53
-
~WRS{79DA42D8-F79E-440C-9CCF-A3BE008F4EA3}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 6a4b362a82a0572d2f41aecd23bf19cc
- SHA1
- b10dc1d0d87d8a4baafd4ba4da34f9306f2822c6
- SHA256
- 4044d3df290d5c70a451134f17f46d728aa419f1487520d485d417cd1c2c1248
-
~WRS{DAE0F021-F3C4-48D0-AE5C-E98090D046B0}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$ - Performance TOP-1801220818.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3128)
- MD5
- 3d482db4fa6c03062220be9b4eced4e0
- SHA1
- d7c1d6912440c0a4c2be2ff7e2b4416130910702
- SHA256
- fa384958da8de72898e3f0d553e5f3055f256297cbd1cd6085b5453787dc7866
-
MSForms.exd
- Size
- 144KiB (147284 bytes)
- Type
- data
- MD5
- 7536ab413631a2d24058bb0137c8478e
- SHA1
- 7c6872d6500ff01aff2bbd99c6cf389d357be36d
- SHA256
- 8b401cc892544008304b093e47752b12ef29d55af0791af6bc0def8294d38973
-
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "static-13" are available in the report
- Not all sources for indicator ID "string-50" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)