Malware Analysis Report

2025-03-15 05:22

Sample ID 240529-b8qwcsed75
Target ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm
SHA256 ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950
Tags persistence, macro
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm was found to be: Likely malicious.

Malicious Activity Summary

persistence macro

Suspicious Office macro

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-05-29 01:49

Signatures

Suspicious Office macro

macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 01:49

Reported

2024-05-29 01:51

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm" /o ""

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\Users\Public\ctrlpanel.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctrlpanel = "c:\\Users\\Public" | \??\c:\Users\Public\ctrlpanel.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4864 wrote to memory of 4820 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | \??\c:\Users\Public\ctrlpanel.exe |

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm" /o ""

\??\c:\Users\Public\ctrlpanel.exe

c:\Users\Public\ctrlpanel.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

Network

Files

C:\Users\Public\ctrlpanel.exe

MD5 40d2ccd570bd898cc31af1cbfe5fb08e
SHA1 41d81d3275f8fe7be023b9731519cdf359743818
SHA256 10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
SHA512 0753eec8f21c4681559b82327c93098d2d74732df05d2304a8428dc7af0ff13d49079eacd0dc29d9b32ba5e5095cac6b9fa62a82f77e3ca3bb5986b64fe9195d

memory/4820-215-0x000000001B760000-0x000000001B848000-memory.dmp

memory/4820-216-0x000000001BFB0000-0x000000001C056000-memory.dmp

memory/4820-217-0x000000001C530000-0x000000001C9FE000-memory.dmp

memory/4820-218-0x000000001CBF0000-0x000000001CC8C000-memory.dmp

memory/4820-219-0x0000000001030000-0x0000000001038000-memory.dmp

memory/4820-220-0x000000001CF30000-0x000000001CFA2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6E432DB4-CBD5-4846-BBDF-049C4732F3BA

MD5 25779a5716045f1d35bb83fcdbcb8588
SHA1 900fdb7259e84a3eae45ed490032ddf60c5c8519
SHA256 db0d78c76450aa2c656a333cbfdc62e7bd88c1bc5372ea6c9a6e59c3ba7a9e77
SHA512 786062c06aedb9707f3307f39dc70f77a254442ffb6709058ab24ac82f615ab502fac1727cf934127d5e7e6ffdbf758ebb785bc8814ed308d90990fa5e650ea5

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 c1986d9e017cf7d328d4153f84204bc8
SHA1 6aea61758889d8cfceb0f558d3cd91faac49a67d
SHA256 2fdd2428868e621849d42d8c0c9258fbfe5c956f7076f7f29fd0491ddff9873e
SHA512 f598f77033f55fbfbe00f185b1cf6a6fb5b7e7e4f9a96c7f8ef46e0521ee5de0e9f5ff545bbfc11751d04e0d9d43a08fa746512b3ef87aa4fb3555cc3d071909

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 f47ff18a1d7db1d061361ac4394276e4
SHA1 625af291cd7e7a3905d45c0a2a0d0cced637bfb5
SHA256 68e5c3ad226a2cbee59cfe3c85072c3fb4d60de9c8b6ca2a76cf1c2b156f4c80
SHA512 e5d44778646330e9f6ce23e0e6a67a3cc84005d7a1c6f5065dd94ffc8cab9b03a8f375e304a3b429dd20360d5d47d748fee61712f9290cb672e25e68baf81766

memory/4820-234-0x000000001CCF0000-0x000000001CD02000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 75ab5b6db50bc066f44228ade87dfde9
SHA1 ccafbfe06dff972c67a53d5f024d0255793c6228
SHA256 2b6d33cec2ff7b1e70ed6fc7f5244f5a806c08da3cbfcf0db78a6f53a749b0fc
SHA512 04737b727e172ebdc9c2f1773ef7caa28373f7f65ccc7be93914c6ae9d9980804e3b4e0a277c09e307e47d338b5ffdaa6cd4d067639059e08b763e6ab1797ee4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6f744f01ed197a769d13b923441638dd
SHA1 af21b528775ec9a4b160323ddf240325744d321b
SHA256 17a2b2cecf3c860572b0642257908e72ec556da32e1295b80fbf3d65e93034da
SHA512 3bd234caeb038b5ed9351bbbd2fe9c0865186dab2a1b01ff25ac1e0d6c1d4eeac9fa5e2e41016980394cf64c1363cedbaecbc8876f8335fe388a713f066faf44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 b34588816f4ffe247962eab8236b35c3
SHA1 083f3bfaf486668d28e3b703ff150538446490cb
SHA256 1b5c24f961316e83fff588a5b21300336edd256b7a8cca99729bd4d7fab9ee2a
SHA512 1fe610629eb069adaddf0ddbe65c794b9eed2c4690c4fc82fd12869a184d63391476c4f27704c4d3869071505863116fa1e445d51a6c9af2eb481c35e17fa7ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 ff42acb8ea7e4b6affa521d4c9819da9
SHA1 36c2af56dcd42c94cc5680d93889f27154548de8
SHA256 3287dcd4a3aa01aaedb9c51a8cfd0c75eaabb25ae69919801bbd6745becf47f6
SHA512 6a91a5f9be2adf6256a0ba745a370104c338d7f0c80c5697246cca3ec04cb3d2b80089edcd4b2f41fcad258f09d690ea4144778fb27c84c67040eb2457efe009

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 ce3b4b93023b8ed2d25814b12515e0c9
SHA1 a32651a3921245a15bc03ac6caaa1a60b9c34373
SHA256 65fe26972f07bc6059a5ffbc88dbfb105a63dcfdb654fc1e2e1b822574d93bda
SHA512 8467edb51883baddff4487da3ad98783fcaed3c78096b97f5ea3aa102af8669be8b48be3d7b657d411174c8560437519b9c7ba77b659339bda17a7caaff74dfc

C:\Users\Admin\AppData\Local\Temp\TCD817A.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Local\Temp\cab9A83.tmp

MD5 8867bdf5fc754da9da6f5ba341334595
SHA1 5067cce84c6c682b75c1ef3dea067a8d58d80fa9
SHA256 42323dd1d3e88c3207e16e0c95ca1048f2e4cd66183ad23b90171da381d37b58
SHA512 93421d7fe305d27e7e2fd8521a8b328063cd22fe4de67cccf5d3b8f0258ef28027195c53062d179cd2eba3a7e6f6a34a7a29297d4af57650aa6dd19d1ef8413d

C:\Users\Admin\AppData\Local\Temp\cab9939.tmp

MD5 f256aca509b4c6c0144d278c7036b0a8
SHA1 93f6106d0759afd0061f73b876aa9cab05aa8ef6
SHA256 ad26761d59f1fa9783c2f49184a2e8fe55fcd46cd3c49ffc099c02310649dc67
SHA512 08c57661f8cc9b547bbe42b4a5f8072b979e93346679ade23ca685c0085f7bc14c26707b3d3c02f124359ebb640816e13763c7546ff095c96d2bb090320f3a95

C:\Users\Admin\AppData\Local\Temp\cab989B.tmp

MD5 26beab9cceafe4fbf0b7c0362681a9d2
SHA1 f63dd970040ca9f6cfcf5793ff7d4f1f4a69c601
SHA256 217ec1b6e00a24583b166026dec480d447fb564cf3bca81984684648c272f767
SHA512 2bbea62360e21e179014045ee95c7b330a086014f582439903f960375ca7e9c0cf5c0d5bb24e94279362965ca9d6a37e6aaa6a7c5969fc1970f6c50876582be1

C:\Users\Admin\AppData\Local\Temp\cab9E5D.tmp

MD5 e29ce2663a56a1444eaa3732ffb82940
SHA1 767a14b51be74d443b5a3feff4d870c61cb76501
SHA256 3732eb6166945db2bf792da04199b5c4a0fb3c96621ecbfdeaf2ea1699ba88ee
SHA512 6bc420f3a69e03d01a955570dc0656c83c9e842c99cf7b429122e612e1e54875c61063843d8a24db7ec2035626f02ddabf6d84fc3902184c1eff3583dbb4d3d8

C:\Users\Admin\AppData\Local\Temp\cab9879.tmp

MD5 828f96031f40bf8ebcb5e52aaeeb7e4c
SHA1 cacc32738a0a66c8fe51a81ed8e27a6f82e69eb2
SHA256 640ad075b555d4a2143f909eafd91f54076f5dde42a2b11cd897bc564b5d7ff7
SHA512 61f6355ff4d984931e79624394ccca217054ae0f61b9af1a1eded5acca3d6fef8940e338c313be63fc766e6e7161cafa0c8ae44ad4e0be26c22ff17e2e6abaf7

C:\Users\Admin\AppData\Local\Temp\cab977D.tmp

MD5 9c9f49a47222c18025cc25575337a965
SHA1 e42edb33471d7c1752dcc42c06dd3f9fda8b25f0
SHA256 ada7eff0676d9cce1935d5485f3dde35c594d343658fb1da42cb5a48fc3fc16a
SHA512 9fdcbab988cbe97bfd931b727d31ba6b8ecf795d0679a714b9afbc2c26e7dcf529e7a51289c7a1ae7ef04f4a923c2d7966d5af7c0bc766dcd0fca90251576794

C:\Users\Admin\AppData\Local\Temp\cab96D0.tmp

MD5 e1101cca6e3fedb28b57af4c41b50d37
SHA1 990421b1d858b756e6695b004b26cdccae478c23
SHA256 69b2675e47917a9469f771d0c634bd62b2dfa0f5d4af3fd7afe9196bf889c19e
SHA512 b1edea65b6d0705a298bff85fc894a11c1f86b43fac3c2149d0bd4a13edcd744af337957cbc21a33ab7a948c11ea9f389f3a896b6b1423a504e7028c71300c44

C:\Users\Admin\AppData\Local\Temp\cab968F.tmp

MD5 d4eac009e9e7b64b8b001ae82b8102fa
SHA1 d8d166494d5813db20ea1231da4b1f8a9b312119
SHA256 8b0631da4dc79e036251379a0a68c3ba977f14bcc797ba0eb9692f8bb90ddb4d
SHA512 561653f9920661027d006e7def7fb27de23b934e4860e0df78c97d183b7cebd9dce0d395e2018eef1c02fc6818a179a661e18a2c26c4180afee5ef4f9c9c6035

C:\Users\Admin\AppData\Local\Temp\cab95C2.tmp

MD5 748a53c6bdd5ce97bd54a76c7a334286
SHA1 7dd9eedb13ac187e375ad70f0622518662c61d9f
SHA256 9af92b1671772e8e781b58217dab481f0afbcf646de36bc1bffc7d411d14e351
SHA512 ec8601d1a0dbd5d79c67af2e90fad44bbc0b890412842bf69065a2c7cb16c12b1c5ff594135c7b67b830779645801da20c9be8d629b6ad8a3ba656e0598f0540

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx

MD5 8ba551eec497947fc39d1d48ec868b54
SHA1 02fa15fdaf0d7e2f5d44cae5ffae49e8f91328df
SHA256 db2e99b969546e431548ebd58707fc001bbd1a4bdecad387d194cc9c6d15ac89
SHA512 cc97f9b2c83ff7cac32ab9a9d46e0acde13eecabecd653c88f74e4fc19806bb9498d2f49c4b5581e58e7b0cb95584787ea455e69d99899381b592bea177d4d4b

C:\Users\Admin\AppData\Local\Temp\cab95B4.tmp

MD5 93fa9f779520ab2d22ac4ea864b7bb34
SHA1 d1e9f53a0e012a89978a3c9ded73fb1d380a9d8a
SHA256 6a3801c1d4cf0c19a990282d93ac16007f6cacb645f0e0684ef2edac02647833
SHA512 aa91b4565c88e5da0cf294dc4a2c91eaeb6d81dca96069db032412e1946212a13c3580f5c0143dd28b33f4849d2c2df2214ce1e20598d634e78663d20f03c4e6

C:\Users\Admin\AppData\Local\Temp\cab9504.tmp

MD5 f93364eec6c4ffa5768de545a2c34f07
SHA1 166398552f6b7f4509732e148f93e207dd60420b
SHA256 296b915148b29751e68687ae37d3fafd9ffddf458c48eb059a964d8f2291e899
SHA512 4f0965b4c5f543b857d9a44c7a125ddd3e8b74837a0fdd80c1fdc841bf22fc4ce4adb83aca8aa65a64f8ae6d764fa7b45b58556f44cfce92bfac43762a3bc5f4

C:\Users\Admin\AppData\Local\Temp\cab94F3.tmp

MD5 1c12315c862a745a647dad546eb4267e
SHA1 b3fa11a511a634eec92b051d04f8c1f0e84b3fd6
SHA256 4e2e93ebac4ad3f8690b020040d1ae3f8e7905ab7286fc25671e07aa0282cac0
SHA512 ca8916694d42bac0ad38b453849958e524e9eed2343ebaa10df7a8acd13df5977f91a4f2773f1e57900ef044cfa7af8a94b3e2dce734d7a467dbb192408bc240

C:\Users\Admin\AppData\Local\Temp\cab93F7.tmp

MD5 0ebc45aa0e67cc435d0745438371f948
SHA1 5584210c4a8b04f9c78f703734387391d6b5b347
SHA256 3744bfa286cfcff46e51e6a68823a23f55416cd6619156b5929fed1f7778f1c7
SHA512 31761037c723c515c1a9a404e235fe0b412222cb239b86162d17763565d0ccb010397376fb9b61b38a6aebdd5e6857fd8383045f924af8a83f2c9b9af6b81407

C:\Users\Admin\AppData\Local\Temp\cab9368.tmp

MD5 21437897c9b88ac2cb2bb2fef922d191
SHA1 0cad3d026af2270013f67e43cb44f0568013162d
SHA256 372572dcbad590f64f5d18727757cbdf9366dde90955c79a0fcc9f536dab0384
SHA512 a74da3775c19a7af4a689fa4d920e416ab9f40a8bda82ccf651ddb3eacbc5e932a120abf55f855474cebed0b0082f45d091e211aaea6460424bfd23c2a445cc7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl

MD5 f079ec5e2ccb9cd4529673bcdfb90486
SHA1 fba6696e6fa918f52997193168867dd3aebe1ad6
SHA256 3b651258f4d0ee1bffc7fb189250ded1b920475d1682370d6685769e3a9346db
SHA512 4fffa59863f94b3778f321da16c43b92a3053e024bdd8c5317077ea1ecc7b09f67ece3c377db693f3432bf1e2d947ec5bf8e88e19157ed08632537d8437c87d6

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx


C:\Users\Admin\AppData\Local\Temp\cab9F9B.tmp


C:\Users\Admin\AppData\Local\Temp\cab9F9A.tmp


C:\Users\Admin\AppData\Local\Temp\cab9F88.tmp


C:\Users\Admin\AppData\Local\Temp\cabA0E6.tmp


C:\Users\Admin\AppData\Local\Temp\cabA1C3.tmp


C:\Users\Admin\AppData\Local\Temp\cabA242.tmp


C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json


C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json


C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BB41F4BF-F4B4-495C-AEE1-278F0559D86B}.tmp


C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json


C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 01:49

Reported

2024-05-29 01:51

Platform

win7-20240508-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Users\Public\ctrlpanel.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctrlpanel = "c:\\Users\\Public" \??\c:\Users\Public\ctrlpanel.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm"

\??\c:\Users\Public\ctrlpanel.exe

c:\Users\Public\ctrlpanel.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Network

Files

C:\Users\Public\ctrlpanel.exe

MD5 40d2ccd570bd898cc31af1cbfe5fb08e
SHA1 41d81d3275f8fe7be023b9731519cdf359743818
SHA256 10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
SHA512 0753eec8f21c4681559b82327c93098d2d74732df05d2304a8428dc7af0ff13d49079eacd0dc29d9b32ba5e5095cac6b9fa62a82f77e3ca3bb5986b64fe9195d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 a3052407a1e78302d2a4fdf0b76391c0
SHA1 43e3df29db20da43ff40bde208fdddcaeafb264f
SHA256 bdcc9b4c4a7bf56945930499f67d3de7d7cd0dd2014b0af606c9f54f8ebf38ec
SHA512 6ad915700e4c5d4a9a450b54107c509907a66454441d468499f8c522f2e909093aaf9bbff0690bee2f583ba27480c2f8d1b29f26b56010aadf08f438380a57f1

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 c92460c240db473c26da623950baaef5
SHA1 782f2af66cfac98b6a8b7c5b33bcca57ffe24a3e
SHA256 e76b2adf7421abb84619bc80d7d22ded79ffe68cd326723474c46a6463b3fc97
SHA512 b936c386d3688dfc48265b57f8653dc9cffb36095c0dc7622a8aac1f6cd4897de2a7f760e9aefe00d12721e999c575632e203b0d46e11929a5dff599c4a0857a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{18D7DDAD-E1D5-4658-9FEE-FDCBD271D2A0}.tmp

MD5 5d4d94ee7e06bbb0af9584119797b23a
SHA1 dbb111419c704f116efa8e72471dd83e86e49677
SHA256 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
SHA512 95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4