e3a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a
This report is generated from a file or URL submitted to this webservice on August 19th 2019 07:29:30 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Indicators
-
Malicious Indicators 2
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/59 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
- relevance
- 8/10
-
Unusual Characteristics
-
Document contains embedded script file
- details
- "AppDeployment.ps1.txt.bin" with context "oleObject1.bin_AppDeployment.ps1.txt" ("AppDeployment.ps1.txt") ...
- source
- Binary File
- relevance
- 10/10
-
Suspicious Indicators 2
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"5dgdl gd_gd Any Windows 10 reference image captured using the task sequence above must be targeted at a UEFI enabled system. The recommended approach is to target a UEFI enable VMWare virtual machine or a Generation 2 Hyper-V virtual machine." (Indicator: "hyper-v")
"5dgdl gd_gd Any Windows 10 reference image captured using the task sequence above must be targeted at a UEFI enabled system. The recommended approach is to target a UEFI enable VMWare virtual machine or a Generation 2 Hyper-V virtual machine." (Indicator: "vmware")
"t0ssssssssssss5555aRf4p(ytActivation((Named Pipe Activation((TCP Activation((TCP Port Sharing((Embedded Boot Experience((Embedded Logon((Embedded Shell Launcher((Active Directory Lightweight Directory Services((Hyper-V((Hyper-V Management |a$a$gdl i$$If!vh#v#v#v#v:Vl4" (Indicator: "hyper-v")
"t0ssssssssssss5555aRf4p(yta$a$gdl Tools((Hyper-V GUI Management Tools((Hyper-V Module for Windows PowerShell((Hyper-V Platform((Hyper-V Hypervisor((Hyper-V Services((Internet Explorer 11*((Internet Information Services((FTP Server((FTP" (Indicator: "hyper-v")
"Power options setback to default.Antivirus installed and Hyper-v feature enabled for credential guard./" (Indicator: "hyper-v")
- source
- File/Memory
- relevance
- 4/10
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "x@.yep0.l"
Pattern match: "f@ch.1p"
Pattern match: "cs85i@j.l"
Pattern match: "t@h.a"
Pattern match: "tjui@qrroc.3op"
Pattern match: "f@_.i0"
Pattern match: "p@w.qw"
Pattern match: "b@h0weju.b"
Pattern match: "ficm@w.q"
- source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114
-
Informative 13
-
General
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\mso7260.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-62234"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-62234"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-2092356043-4041700817-663127204-1001"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
"Local\10MU_ACB10_S-1-5-5-0-62234"
"Local\10MU_ACBPIDS_S-1-5-5-0-62234"
- source
- Created Mutant
- relevance
- 3/10
-
Document contains embedded files
- details
-
"AppDeployment.ps1.txt.bin" has type "Non-ISO extended-ASCII text with very long lines with CRLF line terminators" and the context is "oleObject1.bin_AppDeployment.ps1.txt" ("AppDeployment.ps1.txt") ...
"GTSBuild and Capture - BSPACS.zip" has type "Zip archive data at least v1.0 to extract" and the context is "G:\TS\Build and Capture - BSPACS.zip" ...
"GTSBuild and Capture - CINSW.zip" has type "Zip archive data at least v1.0 to extract" and the context is "G:\TS\Build and Capture - CINSW.zip" ...
"GTSWindows 10 ENT - BSPACS.zip" has type "Zip archive data at least v1.0 to extract" and the context is "G:\TS\Windows 10 ENT - BSPACS.zip" ...
"GTSWindows 10 ENT - CINSW.zip" has type "Zip archive data at least v1.0 to extract" and the context is "G:\TS\Windows 10 ENT - CINSW.zip" ...
- source
- Binary File
- relevance
- 10/10
- ATT&CK ID
- T1064
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~_a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a.doc" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6CB40000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Opened the service control manager
- details
- "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "RBT")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "7FT")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: " `T")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "mspim_wnd32"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Installation/Persistence
-
Dropped files
- details
-
"AppDeployment.ps1.txt.bin" has type "Non-ISO extended-ASCII text with very long lines with CRLF line terminators"
"Build and Capture - BSPACS.zip.bin" has type "Zip archive data at least v1.0 to extract"
"Windows 10 ENT - BSPACS.zip.bin" has type "Zip archive data at least v1.0 to extract"
"~_a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a.doc" has type "data"
"e3a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Mon Aug 19 07:30:27 2019 mtime=Mon Aug 19 07:30:27 2019 atime=Mon Aug 19 07:30:35 2019 length=472888 window=hide"
"GTSBuild and Capture - BSPACS.zip" has type "Zip archive data at least v1.0 to extract"
"GTSBuild and Capture - CINSW.zip" has type "Zip archive data at least v1.0 to extract"
"GTSWindows 10 ENT - BSPACS.zip" has type "Zip archive data at least v1.0 to extract"
"GTSWindows 10 ENT - CINSW.zip" has type "Zip archive data at least v1.0 to extract"
"9FBDFB12.png" has type "PNG image data 199 x 178 8-bit/color RGB non-interlaced"
"8679BC33.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"ExcludeDictionaryEN0809.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"~WRS_E83FDC6B-780D-4A5B-B50D-E93A4E963B69_.tmp" has type "data"
"ExcludeDictionaryEN0c09.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"C8600C15.png" has type "PNG image data 271 x 223 8-bit/color RGB non-interlaced"
"~WRS_5373790D-5B04-4DB6-A402-1D09DB42B501_.tmp" has type "data"
"~WRS_4E461667-913C-438B-B8D7-4DA2CC7F2573_.tmp" has type "data"
"FC45407E.png" has type "PNG image data 218 x 79 8-bit/color RGB non-interlaced"
"index.dat" has type "data"
"B3847A67.png" has type "PNG image data 259 x 223 8-bit/color RGB non-interlaced"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
- source
- API Call
- relevance
- 7/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://sccm01prd.ad.cancerinstitute.org.au/SCCMWebService/SCCMWebservice.asmx?WSDL"
Heuristic match: "uVd5Qb]DenFD6jD.Ml"
Heuristic match: "pP<*IlEA@uX>$DW[;}Mz\$&R]~k.es"
Heuristic match: "!2xi([SRW?+]GAmso%P7GU t0|Igd7^enTM@\@{2XU<3xk/5v.$*Z_A%#+jT:{Kgl;pRSKMt=WE[xC3zwch6/#UEO*}+xsH4XcT\v5rX`~:hwiE=L<Vaxb|=d`0<WeZe]m=Ecd4oLnzkh?@_*?Q?zxF;\j1?g}^D&.CV"
Pattern match: "i.FI/^/"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "4d1f399d" to virtual address "0x6B33F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "68130000" to virtual address "0x76051680" (part of module "WS2_32.DLL")
"WINWORD.EXE" wrote bytes "d5d9d07530c6d075e0c2d07542c6d07510c6d075acdcd075a0dfd07536dad07587f1d0750000000091770975c09009757f6f09751ffa0975def40975f2820975857d097500000000" to virtual address "0x72461000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "b8c0154072ffe0" to virtual address "0x74B211F8" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "e9848e57f2" to virtual address "0x75D0F71B" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "f811b274" to virtual address "0x74B383E0" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "4812b274" to virtual address "0x74B38364" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "60124072" to virtual address "0x75B3E324" (part of module "WININET.DLL")
"WINWORD.EXE" wrote bytes "e9695319f3" to virtual address "0x75123F8A" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "f811b274" to virtual address "0x74B38368" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "0ff6f79d" to virtual address "0x6CCC10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "07a3c29d" to virtual address "0x684E0BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e9d7321af3" to virtual address "0x751247BA" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "0e04e39e" to virtual address "0x2F7D1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "e9fef3a2f2" to virtual address "0x75E3A00A" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "a137399d" to virtual address "0x694E78E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "b830124072ffe0" to virtual address "0x76051368" (part of module "WS2_32.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x74B2139C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x74B212DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "4812b274" to virtual address "0x74B383DC" (part of module "SSPICLI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
File Details
e3a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a
- Filename
- e3a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a
- Size
- 462KiB (472888 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a
- MD5
- 717c9fab19a58a46ab82053f2c437067
- SHA1
- 093e64cebe48392a500fe5edefee94df5102f1c0
- ssdeep
- 12288:hbmnWjuBPAUGgJ8jSUdddddsVy8jPB/4dX8z8cUYE2:hqnGuBP2gJ8j2pbOXPX2
Classification (TrID)
- 51.0% (.DOCX) Word Microsoft Office Open XML Format document
- 38.0% (.ZIP) Open Packaging Conventions container
- 8.6% (.ZIP) ZIP compressed archive
- 2.1% (.BIN) PrintFox/Pagefox bitmap (var. P)
Hybrid Analysis
Analysed 1 process in total.
- WINWORD.EXE /n "C:\e3a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a.doc" (PID: 2528)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 22 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
~_a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/54
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-
-
Informative Selection 1
-
-
GTSBuild and Capture - BSPACS.zip
- Size
- 68KiB (69549 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v1.0 to extract
- Runtime Process
- WINWORD.EXE (PID: 2528)
- Context
- G:\TS\Build and Capture - BSPACS.zip
- MD5
- b08feb7c1fd642547914658c7182825a
- SHA1
- f2931474bad091f82833229b371e9270cd1cd49d
- SHA256
- cee5f6a61b9b4e76f471d2096afbb09f59b19e6d7800df96fdd16697a23c2e04
-
-
Informative 19
-
-
e3a040bc-d34d-11e8-ba3d-f8a0da3da901-d1be6ec83425fcab06e0c4bf42fdb98ad5fafcfa14905ec52eb9362c2b882a5a.LNK
- Size
- 918B (918 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 19 07:30:27 2019, mtime=Mon Aug 19 07:30:27 2019, atime=Mon Aug 19 07:30:35 2019, length=472888, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- d98b9cf828afd81d1d81c68773540195
- SHA1
- 7bd1e0200b07a260e4ef666a3adfb6d19432be99
- SHA256
- 6f9a000683fe2937cc8fca312fc9187f519daa2e46f75e5eb8a257224af4d636
-
index.dat
- Size
- 298B (298 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 7f0dd55bbe7d90dc0684a8bab1c680f5
- SHA1
- 3d7bbd57f08f572cd7c77e1fbd35cde141d8ebc1
- SHA256
- 53afd5af8923becacdfa50dfc39fdbcb95258081f13d22ed5a5eef35e2c0e9c1
-
4401708C.emf
- Size
- 5.1KiB (5256 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 3045802f7e0921a11c0ef295661185e7
- SHA1
- 601812926e3417f1b1f78daab223651fac09d151
- SHA256
- b2624ba5acdaf67f58ed28ddc2953beeefb1fb7b271b83b12a48b68d8ec47920
-
4640F7B9.jpeg
- Size
- 120KiB (123183 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1374x1944, frames 3
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- e36b775305c899cc8857221a3f8baff6
- SHA1
- 084ad502bda2b0fbaaab3bf71abd973fe658872e
- SHA256
- dd0888d50268346afd3f9745cf53c9a2d12abb34080ae6127852b83da6eaf0f1
-
4967F1D.emf
- Size
- 5KiB (5112 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 3b08ad7f32a85f9cb11c22b87e5002ce
- SHA1
- c426a1992693374bc25232282c4176a782800cfa
- SHA256
- 37d9cdfe3befef5d4af28e2c506c841b510c0e5cf3a262cad4b41db7bc746e4f
-
8679BC33.emf
- Size
- 5KiB (5096 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 3b4bef0cd93099d67c2a359b8af545cc
- SHA1
- ed8ffe4ab42c2e27595a38339d4dfdc9d16e792c
- SHA256
- 38cb716c3224a43d64c8a8b67d1ba9fbdf11799ba5c6cc4fc419f246ed65ed2d
-
9C1F027A.emf
- Size
- 5KiB (5108 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 3c605020d452cc5b8b191736774a8ac7
- SHA1
- adc819a9310be1cbd4274bd86937efa880637651
- SHA256
- bc14ec0c846d9dee294a56cdd2befb8c1f622259ae60f38994d9caa512aa6306
-
B625E098.emf
- Size
- 5KiB (5088 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 4c9b65333e80936c439c5a7d3e62924e
- SHA1
- da20431b698b869ba3a2658184a6b8822da55f16
- SHA256
- fff37d24c79c7bd0f603167385078e027da70a8b842d0fef043016e3cf5e5806
-
AppDeployment.ps1.txt.bin
- Size
- 3KiB (3028 bytes)
- Type
- text
- Description
- Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- WINWORD.EXE (PID: 2528)
- Context
- oleObject1.bin_AppDeployment.ps1.txt
- Additional Context
- AppDeployment.ps1.txt
- MD5
- 09f3bd82b2e3f398f6a5e20e26cb5dc9
- SHA1
- 02b3844a5240cb15fd68cb858e666930a2487fb3
- SHA256
- c8e20dd4c6f8304b4e4002163eb46fc2d3a6a4c1633688ebbe418dbdab61116f
-
Build and Capture - BSPACS.zip.bin
- Size
- 68KiB (69549 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v1.0 to extract
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- b08feb7c1fd642547914658c7182825a
- SHA1
- f2931474bad091f82833229b371e9270cd1cd49d
- SHA256
- cee5f6a61b9b4e76f471d2096afbb09f59b19e6d7800df96fdd16697a23c2e04
-
Windows 10 ENT - BSPACS.zip.bin
- Size
- 132KiB (135050 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v1.0 to extract
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 9c79c4825dfa493cca9cb1e22e42dca5
- SHA1
- e160d16ba89952cbeb12d76a735b214e8d0dfa89
- SHA256
- 695d11674edf584e424a3b500dc84440e4c1c7c4e163f1760a3bb307c8b116d1
-
GTSBuild and Capture - CINSW.zip
- Size
- 68KiB (69547 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v1.0 to extract
- Runtime Process
- WINWORD.EXE (PID: 2528)
- Context
- G:\TS\Build and Capture - CINSW.zip
- MD5
- 3c4e058fd9c6f05aaebf9b70dd0fa24f
- SHA1
- 350ac8b676083116792438e4e927fdb6a0f04e32
- SHA256
- 5a8460d5f81a231c9df7b98421a2d485a1060bcf3237e3950075b2338cd53d4a
-
GTSWindows 10 ENT - BSPACS.zip
- Size
- 132KiB (135050 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v1.0 to extract
- Runtime Process
- WINWORD.EXE (PID: 2528)
- Context
- G:\TS\Windows 10 ENT - BSPACS.zip
- MD5
- 9c79c4825dfa493cca9cb1e22e42dca5
- SHA1
- e160d16ba89952cbeb12d76a735b214e8d0dfa89
- SHA256
- 695d11674edf584e424a3b500dc84440e4c1c7c4e163f1760a3bb307c8b116d1
-
GTSWindows 10 ENT - CINSW.zip
- Size
- 226KiB (231746 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v1.0 to extract
- Runtime Process
- WINWORD.EXE (PID: 2528)
- Context
- G:\TS\Windows 10 ENT - CINSW.zip
- MD5
- 02f92d841aaafa6bcb722b24c82ecbf0
- SHA1
- 0e5c45364c9ad98f21a950837dcf8bfb28c29748
- SHA256
- 3118b4f4da9d8dcf0747c27ba60a703a82d7ef3ee518d8759bdbda6338fda79a
-
9FBDFB12.png
- Size
- 6.3KiB (6404 bytes)
- Type
- img image
- Description
- PNG image data, 199 x 178, 8-bit/color RGB, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 076e3ee9f90b36cae469816c059fc5d3
- SHA1
- abd6fc037cf9fb925fdec2ff9886267b01b5d129
- SHA256
- 21f8b8876a814230bf12a3d53d581c46917ad8462a2b9302dfba95c7ebaadc45
-
ExcludeDictionaryEN0809.lex
- Size
- 2B (2 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with no line terminators
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~WRS_E83FDC6B-780D-4A5B-B50D-E93A4E963B69_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
ExcludeDictionaryEN0c09.lex
- Size
- 2B (2 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with no line terminators
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2528)
- MD5
- b60c0bb79b4b53294d99905c973caba3
- SHA1
- a7716d014025ca03b5324c8220e2459eea70b6b1
- SHA256
- a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
-