5c9a27645f428c4479f33cab9c05f70a6b6778b902a2cb53842d7506918d1c93

Analysis

max time kernel
9s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.vbs
Size

933B
MD5

21107479a0b22f97279331776497f424
SHA1

d7661427c9ba6a05d1a3fac3738db427b21473c7
SHA256

5c9a27645f428c4479f33cab9c05f70a6b6778b902a2cb53842d7506918d1c93
SHA512

e05374e11edff902eaaee3101e2bd8d19f6b92663b97ba8cb3c5dd8843607c04d78fc29782bf9f558a6c66392bf2f635085a2fedc760d41cc923a70bb248cc81

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	wscript.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE is not expected to spawn this process	9668	9348	DW20.EXE	478

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1672	WINWORD.EXE
1672	WINWORD.EXE
2320	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1888	mspaint.exe
1888	mspaint.exe
3176	mspaint.exe
3176	mspaint.exe
1016	mspaint.exe
1016	mspaint.exe
1496	mspaint.exe
1496	mspaint.exe
3596	mspaint.exe
3596	mspaint.exe
5332	mspaint.exe
5332	mspaint.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2320	explorer.exe
Token: SeCreatePagefilePrivilege	2320	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1672	WINWORD.EXE
1672	WINWORD.EXE
2320	explorer.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
1888	mspaint.exe
2616	wordpad.exe
2616	wordpad.exe
2616	wordpad.exe
2616	wordpad.exe
2616	wordpad.exe
1672	WINWORD.EXE
1672	WINWORD.EXE
3176	mspaint.exe
1672	WINWORD.EXE
1888	mspaint.exe
1888	mspaint.exe
1888	mspaint.exe
5096	wordpad.exe
5096	wordpad.exe
5096	wordpad.exe
1016	mspaint.exe
3176	mspaint.exe
3176	mspaint.exe
3176	mspaint.exe
4296	wordpad.exe
5096	wordpad.exe
5096	wordpad.exe
4296	wordpad.exe
4296	wordpad.exe
1016	mspaint.exe
1016	mspaint.exe
1016	mspaint.exe
1672	WINWORD.EXE
1496	mspaint.exe
3168	wordpad.exe
3168	wordpad.exe
3168	wordpad.exe
3596	mspaint.exe
1496	mspaint.exe
1496	mspaint.exe
1496	mspaint.exe
5332	mspaint.exe
3168	wordpad.exe
3168	wordpad.exe
5516	wordpad.exe
5516	wordpad.exe
5516	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1672	2880	WScript.exe	87
PID 2880 wrote to memory of 1672	2880	WScript.exe	87
PID 2880 wrote to memory of 1888	2880	WScript.exe	88
PID 2880 wrote to memory of 1888	2880	WScript.exe	88
PID 2880 wrote to memory of 1608	2880	WScript.exe	89
PID 2880 wrote to memory of 1608	2880	WScript.exe	89
PID 2880 wrote to memory of 2616	2880	WScript.exe	90
PID 2880 wrote to memory of 2616	2880	WScript.exe	90
PID 2880 wrote to memory of 224	2880	WScript.exe	91
PID 2880 wrote to memory of 224	2880	WScript.exe	91
PID 2880 wrote to memory of 4528	2880	WScript.exe	93
PID 2880 wrote to memory of 4528	2880	WScript.exe	93
PID 2880 wrote to memory of 4368	2880	WScript.exe	94
PID 2880 wrote to memory of 4368	2880	WScript.exe	94
PID 2880 wrote to memory of 1128	2880	WScript.exe	96
PID 2880 wrote to memory of 1128	2880	WScript.exe	96
PID 2880 wrote to memory of 5008	2880	WScript.exe	97
PID 2880 wrote to memory of 5008	2880	WScript.exe	97
PID 2880 wrote to memory of 4740	2880	WScript.exe	155
PID 2880 wrote to memory of 4740	2880	WScript.exe	155
PID 2880 wrote to memory of 3176	2880	WScript.exe	99
PID 2880 wrote to memory of 3176	2880	WScript.exe	99
PID 2880 wrote to memory of 5028	2880	WScript.exe	102
PID 2880 wrote to memory of 5028	2880	WScript.exe	102
PID 2880 wrote to memory of 5096	2880	WScript.exe	104
PID 2880 wrote to memory of 5096	2880	WScript.exe	104
PID 5008 wrote to memory of 884	5008	wscript.exe	105
PID 5008 wrote to memory of 884	5008	wscript.exe	105
PID 5008 wrote to memory of 1016	5008	wscript.exe	109
PID 5008 wrote to memory of 1016	5008	wscript.exe	109
PID 2880 wrote to memory of 2680	2880	WScript.exe	108
PID 2880 wrote to memory of 2680	2880	WScript.exe	108
PID 2880 wrote to memory of 4364	2880	WScript.exe	111
PID 2880 wrote to memory of 4364	2880	WScript.exe	111
PID 5008 wrote to memory of 5052	5008	wscript.exe	112
PID 5008 wrote to memory of 5052	5008	wscript.exe	112
PID 2880 wrote to memory of 4692	2880	WScript.exe	113
PID 2880 wrote to memory of 4692	2880	WScript.exe	113
PID 5008 wrote to memory of 4296	5008	wscript.exe	114
PID 5008 wrote to memory of 4296	5008	wscript.exe	114
PID 2880 wrote to memory of 1544	2880	WScript.exe	115
PID 2880 wrote to memory of 1544	2880	WScript.exe	115
PID 5008 wrote to memory of 4320	5008	wscript.exe	116
PID 5008 wrote to memory of 4320	5008	wscript.exe	116
PID 2880 wrote to memory of 5056	2880	WScript.exe	117
PID 2880 wrote to memory of 5056	2880	WScript.exe	117
PID 2880 wrote to memory of 1036	2880	WScript.exe	120
PID 2880 wrote to memory of 1036	2880	WScript.exe	120
PID 5008 wrote to memory of 2036	5008	wscript.exe	119
PID 5008 wrote to memory of 2036	5008	wscript.exe	119
PID 5008 wrote to memory of 5044	5008	wscript.exe	121
PID 5008 wrote to memory of 5044	5008	wscript.exe	121
PID 2880 wrote to memory of 1496	2880	WScript.exe	122
PID 2880 wrote to memory of 1496	2880	WScript.exe	122
PID 5008 wrote to memory of 4052	5008	wscript.exe	123
PID 5008 wrote to memory of 4052	5008	wscript.exe	123
PID 2880 wrote to memory of 2944	2880	WScript.exe	124
PID 2880 wrote to memory of 2944	2880	WScript.exe	124
PID 5008 wrote to memory of 5068	5008	wscript.exe	125
PID 5008 wrote to memory of 5068	5008	wscript.exe	125
PID 2880 wrote to memory of 3168	2880	WScript.exe	127
PID 2880 wrote to memory of 3168	2880	WScript.exe	127
PID 5008 wrote to memory of 3848	5008	wscript.exe	470
PID 5008 wrote to memory of 3848	5008	wscript.exe	470

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1888
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1608
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:224
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4528
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - Modifies registry class
  PID:4368
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1128
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:884
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1016
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5052
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:4320
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies registry class
    PID:2036
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - Modifies registry class
    PID:5044
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:4052
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    - Checks computer location settings
    PID:5068
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:5504
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5660
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5904
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5620
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5208
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6268
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6544
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:6832
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:5304
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:7272
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7672
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:7900
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:8292
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:8840
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:6964
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:9332
      - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        6⤵
        
        PID:11076
      - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        6⤵
        
        PID:10644
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:12716
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:9444
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:10636
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:10576
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:12232
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:7072
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:6768
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1540
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7520
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7904
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:7608
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6456
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:8756
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:9872
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:10412
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:11212
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:12240
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:5964
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:4132
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9860
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10120
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11156
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11908
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:4976
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:13256
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:8112
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:9348
      - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 2148
        6⤵
        Process spawned suspicious child process
        
        PID:9668
        
        C:\Windows\system32\dwwin.exe
        
        C:\Windows\system32\dwwin.exe -x -s 2148
        7⤵
        
        PID:12140
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:1864
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:1508
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:11584
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7704
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12484
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:13104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:13164
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2444
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:10908
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1880
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:8052
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:3848
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3596
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5316
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:5696
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5872
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:4540
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:5212
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:5476
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:6860
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:7132
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6612
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:2856
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5716
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:7396
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:7804
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8188
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:7648
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:9180
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:9564
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7940
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:10712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:11344
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2428
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:12776
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:10816
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:10800
      - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        6⤵
        
        PID:1984
      - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        6⤵
        
        PID:12692
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:1708
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:12700
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:9196
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:10820
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:12980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:11996
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:13208
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:4040
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:11292
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:11436
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:8460
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8896
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8136
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9628
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10648
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:5884
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9996
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:6312
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:6644
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:6884
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:6588
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1272
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:6568
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:7384
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:7744
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:8280
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5864
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8584
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8236
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10848
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:11392
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10056
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:12896
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:4564
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:2968
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:3588
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:1736
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:8168
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:7880
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:4424
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:7040
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5004
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:10072
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:10292
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:10480
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:9884
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12772
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:12388
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12432
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:13256
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:9388
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:10400
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:3848
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:5232
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:10132
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9248
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:11000
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:552
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:12092
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:12352
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:12316
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:13176
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:10352
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:12856
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:11232
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:11488
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:8720
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:4468
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10012
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:5604
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:1780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5604
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:13968
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:13652
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6464
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:13476
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:6256
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:14060
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:7596
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:2088
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:13528
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4572
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:13044
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:13536
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:13900
      - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        6⤵
        
        PID:6672
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:8508
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:2576
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:14052
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:3408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:2528
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:10560
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:2064
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:14156
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:14152
      - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        6⤵
        
        PID:12360
      - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        6⤵
        
        PID:14220
      - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        6⤵
        
        PID:10112
      - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        6⤵
        
        PID:1980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:10180
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        
        PID:13776
      - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        6⤵
        
        PID:7332
      - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        6⤵
        
        PID:9456
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        6⤵
        
        PID:5260
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:6936
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:11188
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:2844
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:13188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:4592
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:11312
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe"
        5⤵
        
        PID:13660
    - - C:\Windows\System32\calc.exe
        
        "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:8704
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
        5⤵
        
        PID:12868
      - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        6⤵
        
        PID:6200
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:11328
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:13596
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:2460
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10804
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:14024
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:14244
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:7832
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:6244
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:12856
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:13360
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:13872
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:2340
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:2892
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8624
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7428
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:5732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:13956
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10584
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6616
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:7820
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:12848
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:11008
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:4740
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3176
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5028
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2680
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4364
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - Modifies registry class
  PID:4692
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1544
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  - Checks computer location settings
  PID:5056
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:1732
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5332
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5496
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:6108
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5488
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5428
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:6288
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:6536
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:6284
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5428
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2668
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:7640
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7944
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:5004
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:6064
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:8640
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:9120
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:8980
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:11124
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:11848
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6384
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:8288
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9832
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8676
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11364
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:11900
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:12800
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:6916
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:7096
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:6724
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5896
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:7180
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:7580
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:7988
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:7620
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:5580
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:8052
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:10084
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:10448
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:10912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12256
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:8824
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:8084
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:9644
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:10772
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:11336
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:10584
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:1036
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2944
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1872
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5372
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:5564
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:5748
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:5948
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:3400
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:6300
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:6528
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:6840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:7084
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:6508
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:2132
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:7064
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:7344
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:8328
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9008
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8572
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6148
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:10808
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:11356
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3288
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
      4⤵
      PID:12756
    - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
        5⤵
        
        PID:12660
    - - C:\Windows\System32\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:11620
    - - C:\Windows\System32\notepad.exe
        
        "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:1640
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:2160
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:7760
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:7244
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:5744
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8956
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:8200
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:9880
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:7288
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:11088
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:12084
  - - C:\Windows\System32\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:12116
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9372
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:616
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:11800
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:12048
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:1812
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:5136
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5892
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:6360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6692
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:6896
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:7120
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:6584
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:5504
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:7680
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:7568
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:1452
- - C:\Program Files\Windows NT\Accessories\wordpad.exe
    "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:9148
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:8088
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:9896
- - C:\Windows\System32\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:5888
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    3⤵
    PID:11064
  - - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
      4⤵
      PID:12472
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:11384
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:11784
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:4424
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:7412
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7792
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:7376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7912
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:8676
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:7048
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3144
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  2⤵
  PID:9964
- - C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    3⤵
    PID:9348
- - C:\Windows\System32\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:6376
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  PID:9796
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:9904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:11932
- C:\Program Files\Windows NT\Accessories\wordpad.exe
  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:12224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5180

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12340

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:8604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10584

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:10620

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:10152

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:13020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2404

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:13652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:6468

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:10788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
3e205ea1f2bbe04fef8c7fb6c4f1584e

SHA1
238b84c90c91e4ebf66524dba894145158be0729

SHA256
a48a0b8713d35062e9a9ad28694cbe104645c9d08e9aa67c5db7a9d2c368f147

SHA512
cdc224e1bd83414a7414acbdcd651e0511c0236a78ba2cace311117fb176ae1b194238ac818258fa2d320cf3423e02d0c4dd2efb29b9ed9190803843caec08f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
30941a61b4ee49a6ee821609617faede

SHA1
8b5d3fcd28ce6e859b236c7bd8ed26a8d353b3a5

SHA256
390a63c4ce98cb6e283f4a2f2196a59d7f438784a3235393449f349c7f91c0ce

SHA512
b428369e249fd56170b1ebdee005adae215622c01a90dade00e42d1f63d5fb46143d52e3bccfe00a9efbbec5c7636d96b531b71f081332d33bff0eba20beb7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C88371E6-CA78-49F5-BA82-87F80544BABD

Filesize
160KB

MD5
40800f7ab8b42056f2cbcdc7a3c267d4

SHA1
cc0cb5133fb650f09488ff2144c60baf0855a972

SHA256
c360bbcd5e03e0380f20534e558182f6b9410a043219f3f8f8be8349093a1910

SHA512
b93c2b04bb76c7e81346132920abf94299fbc4b33dd46ee549d8c11521053c0ab2781faf7389e2b6239d1ac87fc73c47949e5c4d642e90104eddcf8e1deb360c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
927af630ff1a808d73a4c6eb9f64d5c3

SHA1
806995dfb87fc4379cd5338f1e72bc36ac52bbc3

SHA256
56d60ff0825f5222d3ed415850547b8d43c79d47c992133d0e3f8a44022d6259

SHA512
29d5a94f4261b108e529a29b48647263aec1cc0a3634c36526153671c256f0e4704512f10ef3b1a24f519e9ab79350c7deb14a6cfb48dd9a4b3ba2a7212e3448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
24KB

MD5
7c9ff5b614c37786e5da674eb9cc093b

SHA1
926ab29527b66f29ab5d70a52c3d3c7f25443821

SHA256
e1e44e4d4280b953ce49700c35088b19ed4b2fa9a67ba24d2040d0b24443ec7e

SHA512
81790e2e886bab96b65fd7dbca3dfcc3d57a11fc76fd8a1fb9b58d769cabd7764811335fb46e2c93f3fca25767beb777218a7ae6640b3cdda3ea1bb40fa384c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
28KB

MD5
2ca2462b509c2d8c44e2e99441030680

SHA1
e47170e5fd627181c9364a3ae30cad1ad085947b

SHA256
a28716bcc781cffa292cb833194e576a970ba6930864f755a565c062ab4450c8

SHA512
5475edcb798807d10cf9c763a955f09579b3bcfe86744b59ab1973cb13ed84dc6c0b04db749738a0d7c4e4bb2b4e61215f245dfdfb157821676d31569de5dd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
81a7d335ccf1333d17d455bc4027368f

SHA1
5357dc0e608027b9f5db22bbc2be0502031af035

SHA256
060b97b431db5b2ee9e9ac259b1ebfe78e6ef9f3f32e7c2eb919c82ca9a4951c

SHA512
5093d86bd2fdad46e0e5c15aee07ef5343bf4d98dc9499df4ee156a5de0087a0aaabdded8a980c7cf1dab2aad253a4edd9fec91a8c931e587385ed921817ec65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0001.tmp

Filesize
18KB

MD5
970549f892c9b51abb6d48a46ce63f74

SHA1
d7d9ed7f4f4ae2bb9dca3233b44ed0761cdfbb44

SHA256
9ff82749e1e777fc25a57f8611f265ef242889129e6f7f196f760a5f9e5fe618

SHA512
5f8a0241e3a213d04ee0af17c3dfeaa5676a0769eb362f8734ae133d25ed6d60179cf9a1a82142cee1c906c102887180e392b827c7e12ffdce8a85f420894a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD5C02.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9D46.tmp\Content.inf

Filesize
290B

MD5
8d9b02cc69fa40564e6c781a9cc9e626

SHA1
352469a1abb8da1dc550d7e27924e552b0d39204

SHA256
1d4483830710ef4a2cc173c3514a9f4b0aca6c44db22729b7be074d18c625bae

SHA512
8b7db2ab339dd8085104855f847c48970c2dd32adb0b8eea134a64c5cc7de772615f85d057f4357703b65166c8cf0c06f4f6fd3e60ffc80da3dd34b16d5b1281

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9DB5.tmp\Content.inf

Filesize
288B

MD5
4a9a2e8db82c90608c96008a5b6160ef

SHA1
a49110814d9546b142c132ebb5b9d8a1ec23e2e6

SHA256
4fa948eeb075dfcb8dca773a3f994560c69d275690953625731c4743cd5729f7

SHA512
320b9cc860ffbdb0fd2db7da7b7b129eeff3ffb2e4e4820c3fbbfea64735eb8cfe1f4bb5980302770c0f77ff575825f2d9a8bb59fc80ad4c198789b3d581963b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9E92.tmp\Content.inf

Filesize
290B

MD5
c15eb3f4306ebf75d1e7c3c9382deecc

SHA1
a3f9684794ffd59151a80f97770d4a79f1d030a6

SHA256
23c262df3aeacb125e88c8ffb7dbf56fd23f66e0d476afd842a68dde69658c7f

SHA512
acdf7d69a815c42223fd6300179a991a379f7166efaabee41a3995fb2030cd41d8bcd46b566b56d1dfbae8557afa1d9fd55143900a506fa733de9da5d73389d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9F01.tmp\Content.inf

Filesize
328B

MD5
c3216c3fc73a4b3fffe7ed67153ab7b5

SHA1
f20e4d33babe978be6a6925964c57d6e6ef1a92e

SHA256
7cf1d6a4f0be5e6184f59bfb1304509f38e480b59a3b091dbdc43b052d2137cb

SHA512
d3b78be6e7633ff943f5e34063b5efa4af239cd49f437227fc7575f6cc65c497b7d6f6a979ea065065beaf257cb368560b5462542692286052b5c7e5c01755bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9F51.tmp\Content.inf

Filesize
302B

MD5
9c00979164e78e3b890e56be2df00666

SHA1
1fa3c439d214c34168adf0fba5184477084a0e51

SHA256
21ccb63a82f1e6acd6bab6875abbb37001721675455c746b17529ee793382c7b

SHA512
54ac8732c2744b60da744e54d74a2664658e4257a136abe886ff21585e8322e028d8243579d131ef4e9a0abdda70b4540a051c8b8b60d65c3ec0888fd691b9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9FE0.tmp\Content.inf

Filesize
292B

MD5
a0d51783bfee86f3ac46a810404b6796

SHA1
93c5b21938da69363dbf79ce594c302344af9d9e

SHA256
47b43e7dbdf8b25565d874e4e071547666b08d7df4d736ea8521591d0ded640f

SHA512
ca3db5a574745107e1d6caa60e491f11d8b140637d4ed31577cc0540c12fdf132d8bc5ebabea3222f4d7ba1ca016ff3d45fe7688d355478c27a4877e6c4d0d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA040.tmp\Content.inf

Filesize
374B

MD5
2f7a8fe4e5046175500affa228f99576

SHA1
8a3de74981d7917e6ce1198a3c8e35c7e2100f43

SHA256
1495b4ec56b371148ea195d790562e5621fdbf163cdd8a5f3c119f8ca3bd2363

SHA512
4b8fbb692d91d88b584e46c2f01bde0c05dcd5d2ff073d83331586fb3d201eacd777d48db3751e534e22115aa1c3c30392d0d642b3122f21ef10e3ee6ea3be82

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA071.tmp\Content.inf

Filesize
314B

MD5
f25ac64ec63fa98d9e37782e2e49d6e6

SHA1
97dd9cfa4a22f5b87f2b53efa37332a9ef218204

SHA256
834046a829d1ea836131b470884905856dbf2c3c136c98adeefa0f206f38f8ab

SHA512
a0387239cde98bcde1668b582b046619c3b3505f9440343dad22b1b7b9e05f3b74f2ae29e591ec37b6570a0c0e5fe571442873594b0684ddccb4f6a1b5e10b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA082.tmp\Content.inf

Filesize
286B

MD5
9b8d7efe8a69e41cdc2439c38fe59faf

SHA1
034d46bec5e38e20e56dd905e2ca2f25af947ed1

SHA256
70042f1285c3cd91dde8d4a424a5948ae8f1551495d8af4612d59709bef69df2

SHA512
e50bb0c68a33d35f04c75f05ad4598834fec7279140b1bb0847ff39d749591b8f2a0c94da4897aaf6c33c50c1d583a836b0376015851910a77604f8396c7ef3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA094.tmp\Content.inf

Filesize
332B

MD5
333ba58fce326dea1e4a9de67475aa95

SHA1
f51fad5385dc08f7d3e11e1165a18f2e8a028c14

SHA256
66142d15c7325b98b199ab6ee6f35b7409de64ebd5c0ab50412d18cbe6894097

SHA512
bfee521a05b72515a8d4f7d13d8810846dc60f1e85c363ffebd6cacd23ae8d2e664c563fc74700a4ed4e358f378508d25c46cb5be1cf587e2e278ebc22bb2625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA096.tmp\Content.inf

Filesize
286B

MD5
149948e41627be5dc454558e12af2da4

SHA1
db72388c037f0b638fcd007fab46c916249720a8

SHA256
1b981dc422a042cddebe2543c57ed3d468288c20d280ff9a9e2bb4cc8f4776ed

SHA512
070b55b305db48f7a8cd549a5aecf37de9d6dcd780a5ec546b4bb2165af4600fa2af350dddb48beccaa3ed954aee90f5c06c3183310b081f555389060ff4cb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA357.tmp\Content.inf

Filesize
278B

MD5
877a8a960b2140e3a0a2752550959db9

SHA1
fbec17b332cbc42f2f16a1a08767623c7955df48

SHA256
fe07084a41cf7db58b06d2c0d11bcacb603d6574261d1e7ebadcff85f39afb47

SHA512
b8b660374ec6504b3b5fcc7dac63af30a0c9d24306c36b33b33b23186ec96aefe958a3851ff3bc57fba72a1334f633a19c0b8d253bb79aa5e5afe4a247105889

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA9B2.tmp\Content.inf

Filesize
332B

MD5
4ec6724cbba516cf202a6bd17226d02c

SHA1
e412c574d567f0ba68b4a31edb46a6ab3546ea95

SHA256
18e408155a2c2a24d91cd45e065927ffda726356aab115d290a3c1d0b7100402

SHA512
de45011a084ab94bf5b27f2ec274d310cf68df9fb082e11726e08eb89d5d691ea086c9e0298e16ae7ae4b23753e5916f69f78aad82f4627fc6f80a6a43d163db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab61D2.tmp

Filesize
30KB

MD5
69edb3bf81c99fe8a94bba03408c5ae1

SHA1
1ac85b369a976f35244beefa9c06787055c869c1

SHA256
cebe759bc4509700e3d23c6a5df8d889132a60ebc92260a74947eaa1089e2789

SHA512
bea70229a21fba3fd6d47a3dc5becba3eaa0335c08d486fab808344bfaa2f7b24dd9a14a0f070e13a42be45de3ff54d32cf38b43192996d20df4176964e81a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab61D3.tmp

Filesize
30KB

MD5
f10df902980f1d5beea96b2c668408a7

SHA1
92d341581b9e24284b7c29e5623f8028dbbaafe9

SHA256
e0100320a4f63e07c77138a89ea24a1cbd69784a89fe3bf83e35576114b4ce02

SHA512
00a8fbcd17d791289ac8f12dc3c404b0afd240278492df74d2c5f37609b11d91a26d737be95d3fe01cdbc25eedc6da0c2d63a2ccc4ab208d6e054014083365fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab61D4.tmp

Filesize
32KB

MD5
51804e255c573176039f4d5b55c12ab2

SHA1
a4822e5072b858a7cca7de948caa7d2268f1bb4b

SHA256
3c6f66790c543d4e9d8e0e6f476b1acadf0a5fcdd561b8484d8dddadfdf8134b

SHA512
2ac8b1e433c9283377b725a03ae72374663fec81abba4c049b80409819bb9613e135fcd640ed433701795bdf4d5822461d76a06859c4084e7bae216d771bb091

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab61D5.tmp

Filesize
34KB

MD5
62863124cdcda135ecc0e722782cb888

SHA1
2543b8a9d3b2304bb73d2adbec60db040b732055

SHA256
23ccfb7206a8f77a13080998ec6ef95b59b3c3e12b72b2d2ad4e53b0b26bb8c3

SHA512
2734d1119dc14b7dfb417f217867ef8ce8e73d69c332587278c0896b91247a40c289426a1a53f1796ccb42190001273d35525fcea8ba2932a69a581972a1ef00

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab61D6.tmp

Filesize
45KB

MD5
c455c4bc4bec9e0da67c4d1e53e46d5a

SHA1
7674600c387114b0f98ec925be74e811fb25c325

SHA256
40e9af9284ff07fdb75c33a11a794f5333712baa4a6cf82fa529fbaf5ad0fed0

SHA512
08166f6cb3f140e4820f86918f59295cad8b4a17240c206dcba8b46088110bdf4e4adbab9f6380315ad4590ca7c8ecdc9afac6bd1935b17afb411f325fe81720

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab61E7.tmp

Filesize
31KB

MD5
92a819d434a8aaea2c65f0cc2f33bb3a

SHA1
85c3f1801effea1ea10a8429b0875fc30893f2c8

SHA256
5d13f9907ac381d19f0a7552fd6d9fc07c9bd42c0f9ce017fff75587e1890375

SHA512
01339e04130e08573df7dbdfe25d82ed1d248b8d127bb90d536ecf4a26f5554e793e51e1a1800f61790738cc386121e443e942544246c60e47e25756f0c810a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6245.tmp

Filesize
30KB

MD5
1d6f8e73a0662a48d332090a4c8c898f

SHA1
cf9ad4f157772f5edc0fddeefd9b05958b67549c

SHA256
8077c92c66d15d7e03fbff3a48bd9576b80f698a36a44316eaba81ee8043b673

SHA512
5c03a99ecd747fbc7a15f082df08c0d26383db781e1f70771d4970e354a962294ce11be53becaad6746ab127c5b194a93b7e1b139c12e6e45423b3a509d771fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6395.tmp

Filesize
30KB

MD5
e033ccbc7ba787a2f824ce0952e57d44

SHA1
eeea573bea217878cd9e47d7ea94e56bdaffe22a

SHA256
d250eb1f93b43efb7654b831b4183c9caec2d12d4efee8607fee70b9fab20730

SHA512
b807b024b32e7f975aed408b77563a6b47865eece32e8ba993502d9874b56580ecc9d9a3fefa057fdd36fb8d519b6e184db0593a65cc0acf5e4accbede0f9417

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab63A6.tmp

Filesize
28KB

MD5
6d787b1e223db6b91b69238062cca872

SHA1
a02f3d847d1f8973e854b89d4558413ea2e349f7

SHA256
da2f261c3c82e229a097a9302c8580f014bb6442825db47c008da097cfce0ee4

SHA512
9856d88d5c63cd6ebcf26e5d7521f194fa6b6e7bf55dd2e0238457a1b760eb8fb0d573a6e85e819bf8e5be596537e99bc8c2dce7ec6e2809a43490caccd44169

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab63D8.tmp

Filesize
30KB

MD5
91aadbec4171cfa8292b618492f5ef34

SHA1
a47deb62a21056376dd8f862e1300f1e7dc69d1d

SHA256
7e1a90cdb2ba7f03abcb4687f0931858bf57e13552e0e4e54ec69a27325011ea

SHA512
1978280c699f7f739cd9f6a81f2b665643bd0be42ce815d22528f0d57c5a646fc30aae517d4a0a374efb8bd3c53eb9b3d129660503a82ba065679bbbb39bd8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6409.tmp

Filesize
34KB

MD5
53ee9da49d0b84357038ecf376838d2e

SHA1
ab03f46783b2227f312187dd84dc0c517510de20

SHA256
9e46b8ba0bad6e534af33015c86396c33c5088d3ae5389217a5e90ba68252374

SHA512
751300c76ece4901801b1f9f51eaca7a758d5d4e6507e227558aaaaf8e547c3d59fa56153fea96b6b2d7eb08c7af2e4d5568ace7e798d1a86cede363efbecf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6469.tmp

Filesize
32KB

MD5
205af51604ef96ef1e8e60212541f742

SHA1
d436fe689f8ef51fba898454cf509ddb049c1545

SHA256
df3fff163924d08517b41455f2d06788ba4e49c68337d15ecf329be48cf7da2d

SHA512
bcba80ed0e36f7abc1aef19e6ff6eb654b9e91268e79ca8f421cb8add6c2b0268ad6c45e6cc06652f59235084ecda3ba2851a38e6bcd1a0387eb3420c6ec94ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab66AE.tmp

Filesize
30KB

MD5
d3c9036e4e1159e832b1b4d2e9d42bf0

SHA1
966e04b7a8016d7fdafe2c611957f6e946fab1b9

SHA256
434576eb1a16c2d14d666a33edde76717c896d79f45df56742afd90acb9f21ce

SHA512
d28d7f467f072985bcfcc6449ad16d528d531eb81912d4c3d956cf8936f96d474b18e7992b16d6834e9d2782470d193a17598cab55a7f9eb0824bc3f069216b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab676E.tmp

Filesize
1.0MB

MD5
e1101cca6e3fedb28b57af4c41b50d37

SHA1
990421b1d858b756e6695b004b26cdccae478c23

SHA256
69b2675e47917a9469f771d0c634bd62b2dfa0f5d4af3fd7afe9196bf889c19e

SHA512
b1edea65b6d0705a298bff85fc894a11c1f86b43fac3c2149d0bd4a13edcd744af337957cbc21a33ab7a948c11ea9f389f3a896b6b1423a504e7028c71300c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6906.tmp

Filesize
1.7MB

MD5
828f96031f40bf8ebcb5e52aaeeb7e4c

SHA1
cacc32738a0a66c8fe51a81ed8e27a6f82e69eb2

SHA256
640ad075b555d4a2143f909eafd91f54076f5dde42a2b11cd897bc564b5d7ff7

SHA512
61f6355ff4d984931e79624394ccca217054ae0f61b9af1a1eded5acca3d6fef8940e338c313be63fc766e6e7161cafa0c8ae44ad4e0be26c22ff17e2e6abaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6A41.tmp

Filesize
3.3MB

MD5
749c3615e54c8e6875518cfd84e5a1b2

SHA1
64d51eb1156e850eca706b00961c8b101f5ac2fc

SHA256
f2d2df37366f8e49106980377d2448080879027c380d90d5a25da3bdad771f8c

SHA512
a5f591ba5c31513bd52bbfc5c6caa79c036c7b50a55c4fdf96c84d311ccdcf1341f1665f1da436d3744094280f98660481dca4aa30bceb3a7fccb2a62412dc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6A72.tmp

Filesize
1.8MB

MD5
53c5f45b22e133b28d4bd3b5a350fdbd

SHA1
d180cfb1438d27f76e1919da3e84f307cb83434f

SHA256
8af4c7cac47d2b9c7adeadf276edae830b4cc5ffe7e765e3c3d7b3fadcb5f273

SHA512
46ad3da58c63ca62fcfc4faf9a7b5b320f4898a1e84eef4de16e0c0843bafe078982fc9f78c5ac6511740b35382400b5f7ac3ae99bb52e32ad9639437db481d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6C1B.tmp

Filesize
1.0MB

MD5
bf95e967e7d1cec8efe426bc0127d3de

SHA1
ba44c5500a36d748a9a60a23db47116d37fd61bc

SHA256
4c3b008e0eb10a722d8fedb325bfb97edaa609b1e901295f224dd4cb4df5fc26

SHA512
0697e394abac429b00c3a4f8db9f509e5d45ff91f3c2af2c2a330d465825f058778c06b129865b6107a0731762ad73777389bb0e319b53e6b28c363232fa2ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6CA6.tmp

Filesize
2.5MB

MD5
beb12a0464d096ca33baea4352ce800f

SHA1
f678d650b4a41676ba05c836d462f34bdc5bf648

SHA256
a44166f5c9f2553555a43586ba5db1c1de54d72d308a48268f27c6a00076b1ca

SHA512
b6e7ccd1ecbb9a49fc72e40771725825daf41ddb2ff8ea4ecce18b8fa1a59d3b2c474add055f30da58c7e833a6e6555ebb77ccc324b61ca337187b4b41f7008b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6E3F.tmp

Filesize
3.1MB

MD5
8867bdf5fc754da9da6f5ba341334595

SHA1
5067cce84c6c682b75c1ef3dea067a8d58d80fa9

SHA256
42323dd1d3e88c3207e16e0c95ca1048f2e4cd66183ad23b90171da381d37b58

SHA512
93421d7fe305d27e7e2fd8521a8b328063cd22fe4de67cccf5d3b8f0258ef28027195c53062d179cd2eba3a7e6f6a34a7a29297d4af57650aa6dd19d1ef8413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cabA3E6.tmp

Filesize
19KB

MD5
e3c64173b2f4aa7ab72e1396a9514bd8

SHA1
774e52f7e74b90e6a520359840b0ca54b3085d88

SHA256
16c08547239e5b969041ab201eb55a3e30ead400433e926257331cb945dff094

SHA512
7ed618578c6517ed967fb3521fd4dbed9cdfb7f7982b2b8437804786833207d246e4fcd7b85a669c305be3b823832d2628105f01e2cf30b494172a17fc48576d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx

Filesize
1.1MB

MD5
fd5bbc58056522847b3b75750603df0c

SHA1
97313e85c0937739af7c7fc084a10bf202ac9942

SHA256
44976408bd6d2703bdbe177259061a502552193b1cd05e09b698c0dac3653c5f

SHA512
dbd72827044331215a7221ca9b0ecb8809c7c79825b9a2275f3450bae016d7d320b4ca94095f7cef4372ac63155c78ca4795e23f93166d4720032ecf9f932b8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx

Filesize
2.1MB

MD5
ee33fda08fbf10ef6450b875717f8887

SHA1
7dfa77b8f4559115a6bf186ede51727731d7107d

SHA256
5cf611069f281584de3e63de8b99253aa665867299dc0192e8274a32a82caa20

SHA512
aed6e11003aaaacc3fb28ae838eda521cb5411155063dfc391ace2b9cbdfbd5476fab2b5cc528485943ebbf537b95f026b7b5ab619893716f0a91aeff076d885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx

Filesize
2.2MB

MD5
5bde450a4bd9efc71c370c731e6cdf43

SHA1
5b223fb902d06f9fcc70c37217277d1e95c8f39d

SHA256
93bfc6ac1dc1cff497df92b30b42056c9d422b2321c21d65728b98e420d4ed50

SHA512
2365a9f76da07d705a6053645fd2334d707967878f930061d451e571d9228c74a8016367525c37d09cb2ad82261b4b9e7caefba0b96ce2374ac1fac6b7ab5123

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl

Filesize
325KB

MD5
5632c4a81d2193986acd29eadf1a2177

SHA1
e8ff4fdfeb0002786fce1cf8f3d25f8e9631e346

SHA256
06de709513d7976690b3dd8f5fdf1e59cf456a2dfba952b97eacc72fe47b238b

SHA512
676ce1957a374e0f36634aa9cffbcfb1e1befe1b31ee876483b10763ea9b2d703f2f3782b642a5d7d0945c5149b572751ebd9abb47982864834ef61e3427c796

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl

Filesize
289KB

MD5
9ac6de7b629a4a802a41f93db2c49747

SHA1
3d6e929aa1330c869d83f2bf8ebebacd197fb367

SHA256
52984bc716569120d57c8e6a360376e9934f00cf31447f5892514ddccf546293

SHA512
5736f14569e0341afb5576c94b0a7f87e42499cec5927aac83bb5a1f77b279c00aea86b5f341e4215076d800f085d831f34e4425ad9cfd52c7ae4282864b1e73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl

Filesize
249KB

MD5
9888a214d362470a6189deff775be139

SHA1
32b552eb3c73cd7d0d9d924c96b27a86753e0f97

SHA256
c64ed5c2a323c00e84272ad3a701caebe1dcceb67231978de978042f09635fa7

SHA512
8a75fc2713003fa40b9730d29c786c76a796f30e6ace12064468dd2bb4bf97ef26ac43ffe1158ab1db06ff715d2e6cde8ef3e8b7c49aa1341603ce122f311073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl

Filesize
245KB

MD5
f425d8c274a8571b625ee66a8ce60287

SHA1
29899e309c56f2517c7d9385ecdbb719b9e2a12b

SHA256
dd7b7878427276af5dbf8355ece0d1fe5d693df55af3f79347f9d20ae50db938

SHA512
e567f283d903fa533977b30fd753aa1043b9dde48a251a9ac6777a3b67667443fead0003765a630d0f840b6c275818d2f903b6cb56136bedcc6d9bdd20776564

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl

Filesize
277KB

MD5
33a829b4893044e1851725f4daf20271

SHA1
dac368749004c255fb0777e79f6e4426e12e5ec8

SHA256
c40451cadf8944a9625dd690624ea1ba19cecb825a67081e8144ad5526116924

SHA512
41c1f65e818c2757e1a37f5255e98f6edeac4214f9d189ad09c6f7a51f036768c1a03d6cfd5845a42c455ee189d13bb795673ace3b50f3e1d77daff400f4d708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl

Filesize
287KB

MD5
0c9731c90dd24ed5ca6ae283741078d0

SHA1
bdd3d7e5b0de9240805ea53ef2eb784a4a121064

SHA256
abce25d1eb3e70742ec278f35e4157edb1d457a7f9d002ac658aaa6ea4e4dcdf

SHA512
a39e6201d6b34f37c686d9bd144ddd38ae212eda26e3b81b06f1776891a90d84b65f2abc5b8f546a7eff3a62d35e432af0254e2f5bfe4aa3e0cf9530d25949c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl

Filesize
212KB

MD5
3bf8591e1d808bccad8ee2b822cc156b

SHA1
9cc1e5efd715bd0eae5af983fb349bac7a6d7ba0

SHA256
7194396e5c833e6c8710a2e5d114e8e24338c64ec9818d51a929d57a5e4a76c8

SHA512
d434a4c15da3711a5daaf5f7d0a5e324b4d94a04b3787ca35456bfe423eac9d11532bb742cde6e23c16fa9fd203d3636bd198b41c7a51e7d3562d5306d74f757

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl

Filesize
248KB

MD5
377b3e355414466f3e3861bce1844976

SHA1
0b639a3880aca3fd90fa918197a669cc005e2ba4

SHA256
4ac5b26c5e66e122de80243ef621ca3e1142f643dd2ad61b75ff41cfee3dffaf

SHA512
b050ad52a8161f96cbdc880dd1356186f381b57159f5010489b04528db798db955f0c530465ab3ecd5c653586508429d98336d6eb150436f1a53abee0697aeb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl

Filesize
336KB

MD5
f079ec5e2ccb9cd4529673bcdfb90486

SHA1
fba6696e6fa918f52997193168867dd3aebe1ad6

SHA256
3b651258f4d0ee1bffc7fb189250ded1b920475d1682370d6685769e3a9346db

SHA512
4fffa59863f94b3778f321da16c43b92a3053e024bdd8c5317077ea1ecc7b09f67ece3c377db693f3432bf1e2d947ec5bf8e88e19157ed08632537d8437c87d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx

Filesize
46KB

MD5
5a53f55dd7da8f10a8c0e711f548b335

SHA1
035e685927da2fecb88de9caf0becec88bc118a7

SHA256
66501b659614227584da04b64f44309544355e3582f59dbca3c9463f67b7e303

SHA512
095bd5d1aca2a0ca3430de2f005e1d576ac9387e096d32d556e4348f02f4d658d0e22f2fc4aa5bf6c07437e6a6230d2abf73bbd1a0344d73b864bc4813d60861

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx

Filesize
3.3MB

MD5
8bc84db5a3b2f8ae2940d3fb19b43787

SHA1
3a5fe7b14d020fad0e25cd1df67864e3e23254ee

SHA256
af1fdeea092169bf794cdc290bca20aea07ac7097d0efcab76f783fa38fdacdd

SHA512
558f52c2c79bf4a3fbb8bb7b1c671afd70a2ec0b1bde10ac0fed6f5398e53ed3b2087b38b7a4a3d209e4f1b34150506e1ba362e4e1620a47ed9a1c7924bb9995

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N7O2PN8UH1RRFTLJHHMO.temp

Filesize
3KB

MD5
47dd4cde123fd4a34916ee4e7a107fec

SHA1
c64e17d87428e7cc097217c025024971ca5b2cac

SHA256
0f3780d8cda97733fdf4b2b7a9d639f2fc4e08617a1cc992766f9ce2e5d4da70

SHA512
9996ddf4315409251652c65bc0491e7cadbddf64a55b69fc8d204a8c13d4bb619a519dac0d8f48ceba067dd7c675707b6246e18b0ecba061f777794adf36f030

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WMT0BKUC7G4WY41PKI08.temp

Filesize
3KB

MD5
4702bd85789e719e02b15c9fcbcd283a

SHA1
2916a783da41128fb46099bd23c1c73274f15ef9

SHA256
3ba4cef6c76d8fb564394d4f4453f89639f3563905236d302e6df0156160ac7e

SHA512
4fc9b5d1dd606c2619ac81ba41ff08057e518eecc3dfceec7d0df0487c80d1c7c553007ab90c206a278c01268a21d7b468a0adeb0a86801a384f096e494badf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
71348ce7eba696c8338caedbea0af79c

SHA1
a04af99ecf9d64225b89354a6dce6c31113eee70

SHA256
6283089e32bc0a53e2d31ec891ea84b6918d8d18340df8743976ee211404f943

SHA512
b241be329c3003407defa303d642c0c3e570413ace0e25906ecacc64c2db74999435847aeb98176f96246f93e0274ac4be961e2f03acde9f99dec34130a3a55b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
88415495b2de161b07cfdcb3ccc1e98f

SHA1
06d67d0c0e819fa0f798d691852a53176210e151

SHA256
82ac5f338902ada4ed35ea97c9736178d0647906a5ea225931418f5a27c702ea

SHA512
1d3c6d6e878f65a76903af25fa7395b9ac36f39dc4ed108f350e335fc9a896c51b7a6a72850e6fcf05dab0de8f3a043b41c212fee95255086e979023360a8412

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
5c2045ae2b30f2358defe341c61542a6

SHA1
9ee58477cce70de31cf1de191a90aae35549ec0f

SHA256
16c4d002684f8ce86c25999e1376c83a71767b9ce9f9c4aef3babb9b3eedba6d

SHA512
a1f0fd95f18829a5986afc873a41b49488b7a2d40e0be6fe0dc8962aac76841ecc5da0b7be4d4e79778c3f7f4b0565e2f61606db8953d29a61af82436aeb3f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
733e3982b988e2cbd13b6492a099db87

SHA1
482934094d35bcb0fda8ddf685d3f459792aea19

SHA256
810ef76f4a977ddc5149e7cca709c9351019cf4a4b007fba2f65257aae12d9a4

SHA512
39c40c995e2ab475ba6128674a2d2d4306d3a701287e99ae52baddc4b9a9a7b426ffb8bee225285160fa2f1b6d27e78c0190c847837e4144a4d9228cce3669a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
962f2ffce71eb56af94cd14ee116724f

SHA1
0b4278a7183f96fc8933197c09365b150bac5f95

SHA256
8f2cf56c3aa82f34f44ea2401bb23f4b918df87b6bfde75106eb113db4c588eb

SHA512
5f01d08f7c0343e0a0ca299193162c867170779afb2de1f4be25fd14407cd1ee4c3a1fc764c13275c08b19406bfe27b241e1253c41bdfad59e88fb86dfd67fca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
87a1047d60aec82c11efde5fd21c2fa1

SHA1
b626de93249887eb904a40839294cf31dbad9be8

SHA256
91fa3b8835a8ea5869d2358d4b72adab1b1e76fe8d5206ce7e4e25cc430f65da

SHA512
fb7e7a3d2580d9c6761310afebad4d82a60860042ddfe12339a9c3b9b469120cd90429e0bc1dad2041c33ea50bbc5a940b5b4b4929d0b08422ccea7d63813a28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
2fd2a3dc750eefd23445c2e8e0d098ed

SHA1
d65b1400cbce4bf6266de1de92522772a37720c1

SHA256
e44461f3a5230da5c96f5478659815f5647551eab44ab2dfd23f59f9091fd204

SHA512
c79ee55b93aaf017c493d31650e71f5d59805900bd0c95f280b68c7e818f0b102906f49a27ed38cdaab26366e7386795aeb157fc46257531a0448b06d6d87858

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
1481dcdb617690b93d7092a1860a415e

SHA1
9f2ec1f966bc1aef9dcebbcd300f9412dacc5405

SHA256
c93ae4e670544af5e20c0cae77a50d2e13ded28b1c2c860670919405507a7c07

SHA512
f9f39ee6bcc72155853e697893c128b07eeac8ae5eb5cc1bd722730386fd1d8db25112f4723b366339415568c01709a79bba252d4ce1efcb3095f1cc2ce40bab

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
47d268afded1cb8b53a39f50e13865de

SHA1
e1eec175727ab64484c39728758612b19222f03e

SHA256
963565e163a8a087d5bd0954d0f697ef87fd841e0677ceae22cdae43e4802e78

SHA512
e3ef91bbfc1ee495d90dd98a418456cdaa8702553ac1996d31c1b01290d4372403f31908e1ac9a30d6f1e7e1b74101abb42be8ce5883c61f137a9ce804a607d9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
10KB

MD5
1fde462b10076497c0dbc65663169bc6

SHA1
555b70c0031224fe442a2244c682d728b1ec7525

SHA256
47de41b43d06b2ee92dae74ca3aee3dcc8732a41e0abaf37af98adf206b2b78a

SHA512
242f93b23ff57de369849a2957ecbdf146047d4e2cea28722dc68e1953f3083e54f00cfef674a6cf1c91707d33927ecda55d0d3905f2def70faf0ed28dbafd44

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
12KB

MD5
95e17ec5541daf14168cce0acb0e7cf1

SHA1
30c9b45a0d1d3d32885abc8ab81e16106fc754bf

SHA256
a9a8300b7a784eca930d12b084e531a2667022c748b901bca336539c59c5e40e

SHA512
cb67d734dda722cde0ea98177ce7a835111a1b462b0541701742045a19ffea47930c13693b75635cbce0e24ef573c4f9e8696a3450fc77c239be8f6e93ebecf3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
15KB

MD5
7d0b64cbd4e250c79dfcc241ee8275ae

SHA1
1859f71be2751c557a96cc81c1fdaa1cf2bb9b19

SHA256
f711792e20830097d0d0eacac7a144d0d96447a50ab756434d0173ff1e37be61

SHA512
a80ec3673f76fa4fde418a939cd202a49bec53a6bd0e1fe03b78bdd97ab8cebb4274b495a8272ff0b667d60c1054f1f60ec7b6cee40928e8071538cf9643ec36

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
19KB

MD5
e91487cb1fdc4b0265af6a68cdb0ba0c

SHA1
25398faef5144921f1e2f86091d9887c2a03bec7

SHA256
a3eaf960f149407e63a8479be5b72e477aea9e25c9af747f5b54ba62c0ad0b2c

SHA512
e91910101eec013aeb64c66276163c461d52f250143ed3c3e8a555cd59b8b15212c70be6cd1b223017e3b1d5064c177fb54cc3b609521d66131edb8bfaf7d8df

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
21KB

MD5
9298e64af6fffe4a1642d278e2ff3331

SHA1
bec923bc33f5bf1ad9db1e4e3ab451b9f1c7ca65

SHA256
89721d0d455e0dfba1e2ab5c40dfed3d950e2394319a0eb292e4aafb50dd6ee6

SHA512
abcd7716fa051fdc6f73fc4d1c55eaceeeced2e5eb164e56c7164d6e578560cb6aeb392b9ec1969ff047857e3faa1da5190ccae3355458f15bf84c1343d2b461

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
a4dfe58598ee8f2d00ea74eaa500c1ad

SHA1
12eed4b1e794e018a149355a2468de8b0529826c

SHA256
2a1efa627a26ee3ef37dfdb75f277726ba11eb54184fe6393000420dab2f1e04

SHA512
546b8d0b03225ae4a0b26d11841d1c1e7f39020b7c291374b333c0fa8ef89ead8f3df0b3aae2ed1096c792e23371ef541df086703b8ad9a04c9a39b4bf1eb1b3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
24KB

MD5
1ef71ac174bec74ca44e2dd384403032

SHA1
dc507a3a9a6dd050ab244441a82a70d99f3a5ae1

SHA256
e03fa7fdec0b507b421a4b2f1e9e539f09b78e2eafca43c45dbb21705c05adb1

SHA512
a36e756f41385382d03d794158ed2879f47086bfb170ae9e7b8dc9d77212cb29664de9b467f98ac15962ec0535f8381fed084b6725915810c8d0618178378422

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
29KB

MD5
eec0d988a4ae24ba7fcf0fa7ef2987b0

SHA1
faf39318e0d3a265f7ffe58512eb7c7532d17187

SHA256
03296ede0612c743974f20cb62d0b7984639a9fbc520ac68f38765ee14a3c087

SHA512
be5c6e6ed1358ebecce911752ffd8be79eadcbfb3c66a1be70919b5764cd7f4ae5d5d31057aec2fb47f0d1cc45dab86dfd281acea97fa85cceaa59c87c222045

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
30KB

MD5
64252930334beea27577fd744052b482

SHA1
1e82301c702ec251c8d0a8f94cce43a6b3a44fc1

SHA256
8be312592a77c14d949c4fda792b8c399450d9179541a90419cb86c7729c970b

SHA512
fcfdcb485750e00c1ea228238afeccb6e5a1e216f328a5210018f497cdbbc8251953aa881e5b084f2e9bb7d3109d32266cec272c4c8a8e4ba000fa14281cd4d9

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
33KB

MD5
08716e66a79feb1bd409dec8fd06bd42

SHA1
707fd9c3891dc62b4bf5310cd15e8beac6fbb1a2

SHA256
a973ed17d3a5839dd8b7a8d19ec055ba4144059cdf897259038f77c933516658

SHA512
ff4419091889a3c52d1767c37d7aaf96591504e0781012f4ef39af08b112f7bc4ba58d5085e8dbba8cd1d91fd1308fc2cbef9bc4409fbe4102830157c8afcc97

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
35KB

MD5
5424ae42943a9dfa89de2e48d2bc86d1

SHA1
488da8902813c01467836adb25e939d57a396fb3

SHA256
ac3cbb5f8a169001356d68b0fcac3523983b1553d86278ea455ec3831a099e54

SHA512
6dfd2fbfd601f19fe3057989a7bb2687901dc16f5539f46f99f662bce0e214f4f71b6a65f6691a3ca7beee5c86c3db89866a6a8dffd2d9f88c74e7e236514e27

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
36KB

MD5
e13974a1a0f01720b85dda9379c51a10

SHA1
921971a85f60c7a4aa35572c4e7c473801b61447

SHA256
f0e9b2d7a25545d6ddd99ba27b344875110f4a9d1e1f946aeded40e73e761d6f

SHA512
04197bfc4a86b6a6035dbbe0c261e6131e3787330abde89365fee9bb0ea7a14ca5c4016c21d03b3dafe48cc08424e93160d5704d74f7705f89152aac20bc8de0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
39KB

MD5
6153dea87effb995acc25956f1c26159

SHA1
a05f984e272cedda5ab665a5c990437e2e2a8fb5

SHA256
da4be32973d084e6d6f3f8a2710c4f5e861543f0a5da38eaa0b91cb0f5707fe2

SHA512
5d97899cbb6c8dabbb3a53f470a64465c965d1e388a9e765cf241d8467f4e4ad11f2a6fd7c3467eaebb058f3f85fd27e9f50500f89b6ebaa930f5f319a433d92

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
79cc9f24cb5ac353ebc1c2387c9b3319

SHA1
fa22952ba2ddfee2b7e254b5054a078142810773

SHA256
91f5f9eddb19c2c593841fbe55d933f23ad36e7c13262d3eb75b1ed1e288c983

SHA512
fd2518cac5dcde8a8abfff9bdfa51ed8201c6f19a70fbb94d0e7aee9811e48c15eea041493e760b693fb51c8690e66e177ea93c76908cecc6209c0853e20c914

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
41KB

MD5
a9b6b44825c3aae68fd0fc41f8811e79

SHA1
0eefaec51c2fedcee5dfd3c15843adb5548a8871

SHA256
162192742976e58c55b1436aaca56e66e12f83f26af6dbd4da7c2edbc1551c86

SHA512
395c88b977b9bfcb6e4be198b20a83225623388b748a234306d2e9e73a88cbfab971856b7c354e779c8e01da210cdeea8dc295765a00fcf12cb6b216f60cedb0

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
42KB

MD5
cdb979fb33abe47c4efd6ec26c43ab7b

SHA1
839cd63f626767e1a23562b436b77a4c34d85c8f

SHA256
5b6b5170a3fa654f196027b3c3f36edaa27573dfd5fcae1ee31d4bcc0ab162c0

SHA512
d7f07cdd2e4cf1da0f54f895fdbc5fb256be483f8d364333aa4d82397fe9dac43c860a4a33970f4df932d7602d809d3be994e2a3cce6368fbb9a394c0bed3d54

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
47KB

MD5
4634e070c5fafe480ddcbe8a7da49842

SHA1
6b217a7ef5b8e2325ee5526dbf0aba695b065f4b

SHA256
839faef4998083979c5f5f577bb422422ff7ba964918013838b095ebd41e627b

SHA512
da5f32da997274a3e821456b679355d5627d2460d9791fc264120cfa6b7abf20131d959dfcf430b35781f02ea85686f00a2c8c8bb0cfe8e0ff144277d809502b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
50KB

MD5
b847dcec98bfaca29c64837fc9529ec0

SHA1
0e0e36a79dfe2bbf3bce1ec7c4d4fda71471890d

SHA256
de9a4b4bc0cd4125c8a641b615095d3dee4730d4f9811366db7782d267837ad9

SHA512
b533c0bbc3d304eef68f01f64e39d26edd86aa06707d590710da91f510730bbaa630f7602b02f6b89132760033dcdf5f814283ef24ecbc8ffca5334bd7b8469f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
52KB

MD5
f834d30caf6aa22b7e7516f7b97c2722

SHA1
f60cd1f04c884c5a22396e9b9029002f26ed3e46

SHA256
baaa0544b84d4be90f56aed85508896e278ae8a72faeee3500a363ff9ca4e5ec

SHA512
98230cfbb1f91a0a0c262aaa832e05227645d694ae662b62ebd53274208f46e3e975a12e5bd2ea931e91f8d24c7d19ba7991e35307fd65e501cb35e960de0f94

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
df0c0d0491a623579b08b57b004ca217

SHA1
31b560baa46eeffb4fa1e18d89e475f87820e43f

SHA256
f50a3f4741550e03992b95e39b10c3b9b009fc6b9dac8e6f9e157618b4aa89cb

SHA512
ad0a4af2554e433b8ba25e588f4ea088958e9c9f697d553ea89d023078c2327f36c40d7f87848ae1a8157a4ccad1c2de067f4ff1e44d27a6fd6cc1e4da9c3219

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
53KB

MD5
26197c3ac9281077f7f41eda92ade225

SHA1
aa7d45bbee7dfc869375d413ecf057063a082ba4

SHA256
e1189248ec1cba86ef22af9d9df03beea9efc8843224c5bb14a985f689b79c97

SHA512
a2c75ba42b5e3c870f96386eec7defa6b1a51ba96f52447612fcd5bb873c7283842c8c94388f56d5cfa25630202b0043c4c6ffd08aa304c9c52cbb67fd6cc13b

Download Submit
memory/884-48-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-63-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/884-44-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-46-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-42-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-49-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-60-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/884-40-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-52-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-58-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/884-74-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-51-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/884-66-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1036-56-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-100-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-70-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-72-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-76-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-64-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-59-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1036-61-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-5-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1672-12-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-20-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-21-0x00007FF8E86A0000-0x00007FF8E86B0000-memory.dmp

Filesize
64KB

Download
memory/1672-16-0x00007FF8E86A0000-0x00007FF8E86B0000-memory.dmp

Filesize
64KB

Download
memory/1672-10-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1672-18-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-17-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-33-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-14-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-13-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-3-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-6-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-15-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-11-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-7-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-4-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1672-9-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1672-8-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1672-2-0x00007FF8EAF70000-0x00007FF8EAF80000-memory.dmp

Filesize
64KB

Download
memory/1732-110-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-106-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-96-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-131-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-108-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-105-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1732-104-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-125-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-84-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-98-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-101-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-81-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-93-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-90-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-88-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/3848-86-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-24-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-32-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-37-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-22-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-36-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-26-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-28-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-30-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-31-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4740-75-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-142-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-133-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-129-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-126-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-122-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-118-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-134-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5504-140-0x00007FF92AEF0000-0x00007FF92B0E5000-memory.dmp

Filesize
2.0MB

Download