58a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033_1530080702240_PTB-G-800-MA-0091-001-A_ID.docx
This report is generated from a file or URL submitted to this webservice on June 27th 2018 08:25:44 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- ea2319dd48f93d587a26bba24f03aad277ca6c5701385e737562c8b8091cadfa
Indicators
-
Suspicious Indicators 1
-
General
-
Found a potential E-Mail address in binary/memory
- source
- File/Memory
- relevance
- 3/10
-
Informative 12
-
General
-
Additional Submission Context
- details
- Submission context: "From: Jeroen Russel <Jeroen.Russel@bluewater.com> To: Helpdesk <helpdesk@bluewater.com> CC: Subject: FW: Delivery Note - Date: Tue, 26 Jun 2018 18:30:03 +0200 Message: Ref. the below and attached? Did not open attachments yet. Trustworthy? Kind regards, Jeroen Russel Legal Contracts Engineer T. +31 (0)23 711 6552 From: steffi.rakow@rws.com [mailto:steffi.rakow@rws.com] Sent: 26 June 2018 17:26 To: Jeroen Russel <Jeroen.Russel@bluewater.com> Subject: Delivery Note - Dear Jeroen, Please find attached the relevant files for order number: O-1045106 Your Ref.: Please do not hesitate to contact us if you have any queries and please confirm receipt. Please take a moment to complete our short questionnaire: https://www.surveymonkey.com/r/Eclipse-questionnaire Your feedback is important to us. Kind regards, Steffi Rakow | Project Manager | RWS Birch Close, Lionheart Enterprise Park, Alnwick, Northumberland, NE66 2EP, England T: +44 (0) 1665 511055 www.rws.com ________________________________ This message and any attachments, contains confidential information and is intended only for jeroen.russel@bluewater.com. If you are not jeroen.russel@bluewater.com you should not disseminate, distribute or copy this e-mail. Please notify RWS immediately if you have received this e-mail by mistake and delete from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. - V.011017A"
- source
- File/Memory
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\mso3192.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59428"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59428"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\ZonesCounterMutex"
"Local\10MU_ACBPIDS_S-1-5-5-0-59428"
"Local\10MU_ACB10_S-1-5-5-0-59428"
"Local\ZonesLockedCacheCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 61D10000
- source
- Loaded Module
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "?~`")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "<MA")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "!Y`")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source
- Registry Access
- relevance
- 10/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
- source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Dropped files
- details
-
"~$a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033_1530080702240_PTB-G-800-MA-0091-001-A_ID.docx" has type "data"
"58a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033_1530080702240_PTB-G-800-MA-0091-001-A_ID.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed Jun 27 06:26:47 2018 mtime=Wed Jun 27 06:26:47 2018 atime=Wed Jun 27 06:27:23 2018 length=560528 window=hide"
"FAB9C9D.png" has type "PNG image data 400 x 400 8-bit colormap non-interlaced"
"6FE9CA7D.jpeg" has type "JPEG image data JFIF standard 1.01"
"E12DDD29.jpeg" has type "JPEG image data JFIF standard 1.01"
"777281FA.jpeg" has type "JPEG image data JFIF standard 1.01"
"D15DF434.png" has type "PNG image data 638 x 110 8-bit/color RGBA non-interlaced"
"F6A38AF2.jpeg" has type "JPEG image data JFIF standard 1.01"
"620435B3.jpeg" has type "JPEG image data JFIF standard 1.01"
"index.dat" has type "data"
"~WRS{0F8335D7-C008-4717-9B37-E131D9751E9F}.tmp" has type "data"
"DDBFFBE7.jpeg" has type "JPEG image data JFIF standard 1.01"
"F3EB9220.jpeg" has type "JPEG image data JFIF standard 1.01"
"BC3E6F4.jpeg" has type "JPEG image data JFIF standard 1.01"
"3DE5B58D.jpeg" has type "JPEG image data JFIF standard 1.01"
"D4953B81.jpeg" has type "JPEG image data JFIF standard 1.01"
"7D667ECE.jpeg" has type "JPEG image data JFIF standard 1.01"
"34CBF265.jpeg" has type "JPEG image data JFIF standard 1.01"
"414C7A4B.jpeg" has type "JPEG image data JFIF standard 1.01"
"8CF07DB1.jpeg" has type "JPEG image data JFIF standard 1.01"
- source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.surveymonkey.com/r/Eclipse-questionnaire"
Pattern match: "Bfp.KHU/;K7vB^J~e-He&b`-%ti"
Heuristic match: "V*y?QqP7%F^K^ub_JV!yW!yg@O?HW!yWb1]i6\C1]OH'ZUTUH^UH^UHbU@|Emy.dk"
Pattern match: "5e.mA/fxB"
Heuristic match: "&om2)}#l%$0!_$NX~]=JoY(gryB2Bo;C(YsHD_.TK"
Pattern match: "a..word/media/image11.jpegJFIF``C"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "20db8e5b" to virtual address "0x61C042C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "1c0b2fbb" to virtual address "0x67E578E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e5aa65ba" to virtual address "0x61D59904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "8d3d2fbb" to virtual address "0x6918CA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "e923996bf0" to virtual address "0x765A5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9c53215f1" to virtual address "0x76086143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "e9603369f0" to virtual address "0x765A4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "166647bb" to virtual address "0x66E50BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "c4ca677680bb6776aa6e68769fbb677608bb677646ce677661386876de2f6876d0d96776000000001779a7754f91a7757f6fa775f4f7a77511f7a775f283a775857ea77500000000" to virtual address "0x6FB51000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "d44928bb" to virtual address "0x6950F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "cdfd6cba" to virtual address "0x61E610AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e99a5468f0" to virtual address "0x765A3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "1ad86eb7" to virtual address "0x2FAE1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "e99e4857f0" to virtual address "0x76683D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "e9365569f0" to virtual address "0x765A3EAE" ("VariantClear@OLEAUT32.DLL")
- source
- Hook Detection
- relevance
- 10/10
File Details
58a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033_1530080702240_PTB-G-800-MA-0091-001-A_ID.docx
- Filename
- 58a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033_1530080702240_PTB-G-800-MA-0091-001-A_ID.docx
- Size
- 547KiB (560528 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 58a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033
- MD5
- 13945d4a113c9d57a7f13e7646abe436
- SHA1
- 7ca78dbbc969394f24245f2e14a1a394d281c49c
Classification (TrID)
- 88.7% (.DOCX) Word Microsoft Office Open XML Format document
- 11.2% (.ZIP) ZIP compressed archive
Hybrid Analysis
Analysed 1 process in total.
- WINWORD.EXE /n "C:\58a726f2717feeb4e979e1a32c0781bc1890300df74781242227d7be082a7033_1530080702240_PTB-G-800-MA-0091-001-A_ID.docx" (PID: 2740)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 50 extracted file(s). The remaining 31 file(s) are available in the full version and XML/JSON reports.
Notifications
-
Runtime
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report