Malware Analysis Report

2025-03-15 05:21

Sample ID: 240529-ndt1racf8v
Target: ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm
SHA256: ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950
Tags: macro, persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950

Threat Level: Likely malicious

The file ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm was found to be: Likely malicious.

Malicious Activity Summary

macro persistence

Suspicious Office macro

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 11:17

Signatures

Suspicious Office macro

macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 11:17

Reported

2024-05-29 11:19

Platform

win7-20240215-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\Users\Public\ctrlpanel.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctrlpanel = "c:\\Users\\Public" | \??\c:\Users\Public\ctrlpanel.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware

Modifies registry class

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm"

\??\c:\Users\Public\ctrlpanel.exe

c:\Users\Public\ctrlpanel.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Network

Files

C:\Users\Public\ctrlpanel.exe

MD5 40d2ccd570bd898cc31af1cbfe5fb08e
SHA1 41d81d3275f8fe7be023b9731519cdf359743818
SHA256 10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
SHA512 0753eec8f21c4681559b82327c93098d2d74732df05d2304a8428dc7af0ff13d49079eacd0dc29d9b32ba5e5095cac6b9fa62a82f77e3ca3bb5986b64fe9195d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

MD5 d87156c1f13491266d4c2de7782caffc
SHA1 0fc235b229cebf5b8adeaf2c9ed33234b6da15f0
SHA256 58bb22b66a91232169f53cb61f2c323e029747f0e786a22595786f48f77d4487
SHA512 fbe97cdc3dda861ce0f094061cc0fd78dd9d9d3dde49c674e89d7bea5562c6003b2104cb612cbf34ebf903f38fac59d031e2893c4211bcebde68cf17e86c7cb3

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 4b051a3cc8a8fb8a4af43a7996c54ead
SHA1 b04c9313c16b2c9a6825b2105f46a0c71cf9be31
SHA256 b1ef60b4582b6f181f84a09216e849039b76b8ea69145fcfbac097fa6e06fc3b
SHA512 0da90430d34c9d1162845e03b295e9779f253c257dc96f6431de95480bc640efd08619d1796e1824f225662152ca67ed743ac9321c1e45144005bd944487e824

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b04fd3884038b13390e7a065db5af8e8
SHA1 77766abc66b4466c2bbbf7c95ffce8e88888cb2a
SHA256 dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650
SHA512 a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 07ef8f7b2bdeb3477243cbd5e9e5acf6
SHA1 07e1a9e5ae2997d9929267bb20682f2d8f023585
SHA256 bb7da8724f3205f931ca55a1c495894811821f167d8232e6184a19b0b83aa71f
SHA512 929bc7e16d535a20d5994dc6af2943cc6eaa682d878555189a201824d99ec73b15a5ce78f25fbc7954863581f84f5ca509623cfce8a57d2c18c6f8a1b62b13e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 11:17

Reported

2024-05-29 11:19

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm" /o ""

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\Users\Public\ctrlpanel.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ctrlpanel = "c:\\Users\\Public" | \??\c:\Users\Public\ctrlpanel.exe | N/A |

Checks processor information in registry

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 3736 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE \??\c:\Users\Public\ctrlpanel.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae473d07d944f559e365f0dfe60c54b82d12c6eb9ab50251561e2355b5e6a950.docm" /o ""

\??\c:\Users\Public\ctrlpanel.exe

c:\Users\Public\ctrlpanel.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

Network

Files

\??\c:\Users\Public\ctrlpanel.exe

MD5 40d2ccd570bd898cc31af1cbfe5fb08e
SHA1 41d81d3275f8fe7be023b9731519cdf359743818
SHA256 10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
SHA512 0753eec8f21c4681559b82327c93098d2d74732df05d2304a8428dc7af0ff13d49079eacd0dc29d9b32ba5e5095cac6b9fa62a82f77e3ca3bb5986b64fe9195d

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx

MD5 529795e0b55926752462cbf32c14e738
SHA1 e72dff8354df2cb6a5698f14bbd1805d72feeaff
SHA256 8d341d1c24176dc6b67104c2af90fabd3bff666ccc0e269381703d7659a6fa05
SHA512 a51f440f1e19c084d905b721d0257f7eee082b6377465cb94e677c29d4e844fd8021d0b6ba26c0907b72b84157c60a3efedfd96c16726f6abea8d896d78b08ce

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx

MD5 ee33fda08fbf10ef6450b875717f8887
SHA1 7dfa77b8f4559115a6bf186ede51727731d7107d
SHA256 5cf611069f281584de3e63de8b99253aa665867299dc0192e8274a32a82caa20
SHA512 aed6e11003aaaacc3fb28ae838eda521cb5411155063dfc391ace2b9cbdfbd5476fab2b5cc528485943ebbf537b95f026b7b5ab619893716f0a91aeff076d885

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx

MD5 acba78931b156e4af5c4ef9e4ab3003b
SHA1 2a1f506749a046ecfb049f23ec43b429530ec489
SHA256 943e4044c40aba93bd7ea31e8b5ebebd7976085e8b1a89e905952fa8dac7b878
SHA512 2815d912088ba049f468ca9d65b92f8951a9be82ab194dbfaccf0e91f0202820f5bc9535966654d28f69a8b92d048808e95fea93042d8c5dea1dcb0d58be5175

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx

MD5 9e563d44c28b9632a7cf4bd046161994
SHA1 d3db4e5f5b1cc6dd08bb3ebf488ff05411348a11
SHA256 86a70cdbe4377c32729fd6c5a0b5332b7925a91c492292b7f9c636321e6fad86
SHA512 8eb14a1b10cb5c7607d3e07e63f668cfc5fc345b438d39138d62cadf335244952fbc016a311d5cb8a71d50660c49087b909528fc06c1d10af313f904c06cbd5c

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx

MD5 0e37aecabdb3fdf8aafedb9c6d693d2f
SHA1 f29254d2476df70979f723de38a4bf41c341ac78
SHA256 7ac7629142c2508b070f09788217114a70de14acdb9ea30cbab0246f45082349
SHA512 de6afe015c1d41737d50add857300996f6e929fed49cb71bc59bb091f9dab76574c56dea0488b0869fe61e563b07ebb7330c8745bc1df6305594ac9bdea4a6bf

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx

MD5 fd5bbc58056522847b3b75750603df0c
SHA1 97313e85c0937739af7c7fc084a10bf202ac9942
SHA256 44976408bd6d2703bdbe177259061a502552193b1cd05e09b698c0dac3653c5f
SHA512 dbd72827044331215a7221ca9b0ecb8809c7c79825b9a2275f3450bae016d7d320b4ca94095f7cef4372ac63155c78ca4795e23f93166d4720032ecf9f932b8e

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx

MD5 f03ab824395a8f1f1c4f92763e5c5cad
SHA1 a6e021918c3ceffb6490222d37eceed1fc435d52
SHA256 d96f7a63a912ca058fb140138c41dcb3af16638ba40820016af78df5d07faedd
SHA512 0241146b63c938f11045fb9df5360f63ef05b9b3dd1272a3e3e329a1bfec5a4a645d5472461de9c06cfe4adb991fe96c58f0357249806c341999c033cd88a7af

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx

MD5 97eec245165f2296139ef8d4d43bbb66
SHA1 0d91b68ccb6063eb342cfced4f21a1ce4115c209
SHA256 3c5cf7bdb27592791adf4e7c5a09dde4658e10ed8f47845064db1153be69487c
SHA512 8594c49cab6ff8385b1d6e174431dafb0e947a8d7d3f200e622ae8260c793906e17aa3e6550d4775573858ea1243ccbf7132973cd1cf7a72c3587b9691535ff8

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx

MD5 b30d2ef0fc261aece90b62e9c5597379
SHA1 4893c5b9be04ecbb19ee45ffce33ca56c7894fe3
SHA256 bb170d6de4ee8466f56c93dc26e47ee8a229b9c4842ea8dd0d9ccc71bc8e2976
SHA512 2e728408c20c3c23c84a1c22db28f0943aaa960b4436f8c77570448d5bea9b8d53d95f7562883fa4f9b282dfe2fd07251eeefde5481e49f99b8fedb66aaaab68

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx

MD5 cdf98d6b111cf35576343b962ea5eec6
SHA1 d481a70ec9835b82bd6e54316bf27fad05f13a1c
SHA256 e3f108ddb3b8581a7a2290dd1e220957e357a802eca5b3087c95ed13ad93a734
SHA512 95c352869d08c0fe903b15311622003cb4635de8f3a624c402c869f1715316be2d8d9c0ab58548a84bbb32757e5a1f244b1014120543581fdea7d7d9d502ef9c

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx

MD5 c276f590bb846309a5e30adc35c502ad
SHA1 ca6d9d6902475f0be500b12b7204dd1864e7dd02
SHA256 782996d93debd2af9b91e7f529767a8ce84accc36cd62f24ebb5117228b98f58
SHA512 b85165c769dfe037502e125a04cfacda7f7cc36184b8d0a54c1f9773666ffcc43a1b13373093f97b380871571788d532deea352e8d418e12fd7aad6adb75a150

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx

MD5 d676de8877aceb43ef0ed570a2b30f0e
SHA1 6c8922697105cec7894966c9c5553beb64744717
SHA256 df012d101de808f6cd872dfbb619b16732c23cf4abc64149b6c3ce49e9efda01
SHA512 f40bada680ea5ca508947290ba73901d78de79eaa10d01eaef975b80612d60e75662bda542e7f71c2bba5ca9ba46ecafe208fd6e40c1f929bb5e407b10e89fbd

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx

MD5 3b5e44ddc6ae612e0346c58c2a5390e3
SHA1 23bcf3fcb61f80c91d2cffd8221394b1cb359c87
SHA256 9ed9ad4eb45e664800a4876101cbee65c232ef478b6de502a330d7c89c9ae8e2
SHA512 2e63419f272c6e411ca81945e85e08a6e3230a2f601c4d28d6312db5c31321f94fafa768b16bc377ae37b154c6869ca387005693a79c5ab1ac45ed73bccc6479

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx

MD5 4a1657a3872f9a77ec257f41b8f56b3d
SHA1 4ddea85c649a2c1408b5b08a15def49baa608a0b
SHA256 c17103ade455094e17ac182ad4b4b6a8c942fd3acb381f9a5e34e3f8b416ae60
SHA512 7a2932639e06d79a5ce1d3c71091890d9e329ca60251e16ae4095e4a06c6428b4f86b7fffa097bf3eefa064370a4d51ca3df8c89eafa3b1f45384759dec72922

C:\Users\Admin\AppData\Local\Temp\cabD1F8.tmp

MD5 abbf10cee9480e41d81277e9538f98cb
SHA1 f4ea53d180c95e78cc1da88cd63f4c099bf0512c
SHA256 557e0714d5536070131e7e7cdd18f0ef23fe6fb12381040812d022ec0fee7957
SHA512 9430daacf3ca67a18813ecd842be80155fd2de0d55b7cd16560f4aaefda781c3e4b714d850d367259caab28a3bf841a5cb42140b19cfe04ac3c23c358ca87ffb

C:\Users\Admin\AppData\Local\Temp\cabD1F7.tmp

MD5 66c5199cf4fb18bd4f9f3f2ccb074007
SHA1 ba9d8765ffc938549cc19b69b3bf5e6522fb062e
SHA256 4a7dc4ed098e580c8d623c51b57c0bc1d601c45f40b60f39bba5f063377c3c1f
SHA512 94c434a131cde47cb64bcd2fb8af442482f8ecfa63d958c832eca935deb10d360034ef497e2ebb720c72b4c1d7a1130a64811d362054e1d52a441b91c46034b0

C:\Users\Admin\AppData\Local\Temp\cabD2A7.tmp

MD5 7c645ec505982fe529d0e5035b378ffc
SHA1 1488ed81b350938d68a47c7f0bce8d91fb1673e2
SHA256 298fd9dadf0acebb2aa058a09eebfae15e5d1c5a8982dee6669c63fb6119a13d
SHA512 9f410da5db24b0b72e7774b4cf4398edf0d361b9a79fbe2736a1ddd770afe280877f5b430e0d26147cca0524a54ea8b41f88b771f3598c2744a7803237b314b2

C:\Users\Admin\AppData\Local\Temp\cabD2B9.tmp

MD5 4efa48ec307eaf2f9b346a073c67fcfb
SHA1 76a7e1234ff29a2b18c968f89082a14c9c851a43
SHA256 3ee9ae1f8dab4c498bd561d8fcc66d83e58f11b7bb4b2776df99f4cda4b850c2
SHA512 2705644d501d85a821e96732776f61641fe82820fd6a39ffaf54a45ad126c886dc36c1398cdbdbb5fe282d9b09d27f9bfe7f26a646f926da55dff28e61fbd696

C:\Users\Admin\AppData\Local\Temp\cabD2B8.tmp

MD5 e3c64173b2f4aa7ab72e1396a9514bd8
SHA1 774e52f7e74b90e6a520359840b0ca54b3085d88
SHA256 16c08547239e5b969041ab201eb55a3e30ead400433e926257331cb945dff094
SHA512 7ed618578c6517ed967fb3521fd4dbed9cdfb7f7982b2b8437804786833207d246e4fcd7b85a669c305be3b823832d2628105f01e2cf30b494172a17fc48576d

C:\Users\Admin\AppData\Local\Temp\cabD2DB.tmp

MD5 65828dc7be8ba1ce61ad7142252acc54
SHA1 538b186eaf960a076474a64f508b6c47b7699dd3
SHA256 849e2e915aa61e2f831e54f337a745a5946467d539ccbd0214b4742f4e7e94ff
SHA512 8c129f26f77b4e73bf02de8f9a9f432bb7e632ee4abad560a331c2a12da9ef5840d737bfc1ce24fdcbb7ef39f30f98a00dd17f42c51216f37d0d237145b8de15

C:\Users\Admin\AppData\Local\Temp\cabD31B.tmp

MD5 e532038762503ffa1371df03fa2e222d
SHA1 f343b559ae21daef06cbcd8b2b3695de1b1a46f0
SHA256 5c70dd1551eb8b9b13efafeeaf70f08b307e110caee75ad9908a6a42bbccb07e
SHA512 e0712b481f1991256a01c3d02ed56645f61aa46eb5de47e5d64d5ecd20052cda0ee7d38208b5ee982971cca59f2717b7cae4dfcf235b779215e7613aa5dcd976

C:\Users\Admin\AppData\Local\Temp\cabD307.tmp

MD5 89a9818e6658d73a73b642522ff8701f
SHA1 e66c95e957b74e90b444ff16d9b270adab12e0f4
SHA256 f747dd8b79fc69217fa3e36fae0ab417c1a0759c28c2c4f8b7450c70171228e6
SHA512 321782b0b633380da69bd7e98aa05be7fa5d19a131294cc7c0a598a6a1a1aef97ab1068427e4223aa30976e3c8246ff5c3c1265d4768fe9909b37f38cbc9e60d

C:\Users\Admin\AppData\Local\Temp\cabD34F.tmp

MD5 748a53c6bdd5ce97bd54a76c7a334286
SHA1 7dd9eedb13ac187e375ad70f0622518662c61d9f
SHA256 9af92b1671772e8e781b58217dab481f0afbcf646de36bc1bffc7d411d14e351
SHA512 ec8601d1a0dbd5d79c67af2e90fad44bbc0b890412842bf69065a2c7cb16c12b1c5ff594135c7b67b830779645801da20c9be8d629b6ad8a3ba656e0598f0540

C:\Users\Admin\AppData\Local\Temp\cabD361.tmp

MD5 f93364eec6c4ffa5768de545a2c34f07
SHA1 166398552f6b7f4509732e148f93e207dd60420b
SHA256 296b915148b29751e68687ae37d3fafd9ffddf458c48eb059a964d8f2291e899
SHA512 4f0965b4c5f543b857d9a44c7a125ddd3e8b74837a0fdd80c1fdc841bf22fc4ce4adb83aca8aa65a64f8ae6d764fa7b45b58556f44cfce92bfac43762a3bc5f4

C:\Users\Admin\AppData\Local\Temp\cabD306.tmp

MD5 7bf88b3ca20eb71ed453a3361908e010
SHA1 f75f86557051160507397f653d7768836e3b5655
SHA256 e555a610a61db4f45a29a7fb196a9726c25772594252ad534453e69f05345283
SHA512 2c3dfb0f8913d1d8ff95a55e1a1fd58ce1f9d034268cd7bc0d2bf2dcefea8ef05dd62b9afde1f983cacadd0529538381632adfe7195eac19ce4143414c44dbe3

C:\Users\Admin\AppData\Local\Temp\cabD305.tmp

MD5 97f5b7b7e9e1281999468a5c42cb12e7
SHA1 99481b2fa609d1d80a9016adaa3d37e7707a2ed1
SHA256 1cf5c2d0f6188ffff117932c424cc55d1459e0852564c09d7779263abd116118
SHA512 ace9718d724b51fe04b900ce1d2075c0c05c80243ea68d4731a63138f3a1287776e80bd67ecb14c323c69aa1796e9d8774a3611fe835ba3ca891270de1e7fd1f

C:\Users\Admin\AppData\Local\Temp\cabD304.tmp

MD5 b9a6ff715719ee9de16421ab983ca745
SHA1 6b3f68b224020cd4bf142d7edaaec6b471870358
SHA256 e3be3f1e341c0fa5e9cb79e2739cf0565c6ea6c189ea3e53acf04320459a7070
SHA512 062a765ac4602db64d0504b79be7380c14c143091a09f98a5e03e18747b2166bd862ce7ef55403d27b54ceb397d95bfae3195c15d5516786febdac6cd5fbf9cd

C:\Users\Admin\AppData\Local\Temp\cabD3A1.tmp

MD5 84d8f3848e7424cbe3801f9570e05018
SHA1 71d7f2621da8b295ce6885f8c7c81016d583c6b1
SHA256 b4bc3cd34bd328aaf68289cc0ed4d5cf8167f1ee1d7be20232ed4747ff96a80a
SHA512 e27873bfd95e464cb58b3855f2da404858b935530cf74c7f86ff8b3fc3086c2faea09fa479f0ca7b04d87595ed8c4d07d104426ff92dfb31bed405fa7a017da8

C:\Users\Admin\AppData\Local\Temp\cabD303.tmp

MD5 ef9cb8bdfbc08f03bef519ad66ba642f
SHA1 d98c275e9402462bf52a4d28faf57df0d232af6b
SHA256 93a2f873acf5bead4bc0d1cc17b5e89a928d63619f70a1918b29e5230abead8e
SHA512 4dfbdf389730370fa142dcfb6f7e1ac1c0540b5320fa55f94164c0693db06c21e6d4a1316f0abe51e51bcbdab3fd33ae882d9e3cfdb4385ab4c3af4c2536b0b3

C:\Users\Admin\AppData\Local\Temp\cabD3A3.tmp

MD5 0ebc45aa0e67cc435d0745438371f948
SHA1 5584210c4a8b04f9c78f703734387391d6b5b347
SHA256 3744bfa286cfcff46e51e6a68823a23f55416cd6619156b5929fed1f7778f1c7
SHA512 31761037c723c515c1a9a404e235fe0b412222cb239b86162d17763565d0ccb010397376fb9b61b38a6aebdd5e6857fd8383045f924af8a83f2c9b9af6b81407

C:\Users\Admin\AppData\Local\Temp\cabD301.tmp

MD5 8b29fab506fd65c21c9cd6fe6bbbc146
SHA1 ce1b8a57bb3c682f6a0afc32955dafd360720fdf
SHA256 773ac516c9b9b28058128ec9be099f817f3f90211ac70dc68077599929683d6f
SHA512 afa82ccbc0aef9fae4e728e4212e9c6eb2396d7330ccbe57f8979377d336b4dacf4f3bf835d04abcebcdb824b9a9147b4a7b5f12b8addadf42ab2c34a7450ade

C:\Users\Admin\AppData\Local\Temp\cabD2EF.tmp

MD5 486cbcb223b873132ffaf4b8ad0ad044
SHA1 b0ec82cd986c2ab5a51c577644de32cfe9b12f92
SHA256 b217393fd2f95a11e2c594e736067870212e3c5242a212d6f9539450e8684616
SHA512 69a48bf2b1db64348c63fc0a50b4807fb9f0175215e306e60252fffd792b1300128e8e847a81a0e24757b5f999875da9e662c0f0d178071db4f9e78239109060

C:\Users\Admin\AppData\Local\Temp\cabD2ED.tmp

MD5 21437897c9b88ac2cb2bb2fef922d191
SHA1 0cad3d026af2270013f67e43cb44f0568013162d
SHA256 372572dcbad590f64f5d18727757cbdf9366dde90955c79a0fcc9f536dab0384
SHA512 a74da3775c19a7af4a689fa4d920e416ab9f40a8bda82ccf651ddb3eacbc5e932a120abf55f855474cebed0b0082f45d091e211aaea6460424bfd23c2a445cc7

C:\Users\Admin\AppData\Local\Temp\cabD471.tmp

MD5 c47e3430af813df8b02e1cb4829dd94b
SHA1 35f1f1a18aa4fd2336a4ea9c6005dbe70013c7fc
SHA256 f2db1e60533f0d108d5fb1004904c1f2e8557d4493f3b251a1b3055f8f1507a3
SHA512 6f8904e658eb7d04c6880f7cc3ec63fcfe31ef2c3a768f4ecf40b115314f23774daee66dce9c55faf0ad31075a3ac27c8967fd341c23c953ca28bdc120997287

C:\Users\Admin\AppData\Local\Temp\cabD52E.tmp

MD5 26beab9cceafe4fbf0b7c0362681a9d2
SHA1 f63dd970040ca9f6cfcf5793ff7d4f1f4a69c601
SHA256 217ec1b6e00a24583b166026dec480d447fb564cf3bca81984684648c272f767
SHA512 2bbea62360e21e179014045ee95c7b330a086014f582439903f960375ca7e9c0cf5c0d5bb24e94279362965ca9d6a37e6aaa6a7c5969fc1970f6c50876582be1

C:\Users\Admin\AppData\Local\Temp\cabD540.tmp

MD5 1c12315c862a745a647dad546eb4267e
SHA1 b3fa11a511a634eec92b051d04f8c1f0e84b3fd6
SHA256 4e2e93ebac4ad3f8690b020040d1ae3f8e7905ab7286fc25671e07aa0282cac0
SHA512 ca8916694d42bac0ad38b453849958e524e9eed2343ebaa10df7a8acd13df5977f91a4f2773f1e57900ef044cfa7af8a94b3e2dce734d7a467dbb192408bc240

C:\Users\Admin\AppData\Local\Temp\cabD551.tmp

MD5 ee0129c7cc1ac92bbc3d6cb0f653fcae
SHA1 4abaa858176b349bdab826a7c5f9f00ac5499580
SHA256 345aa5ca2496f975b7e33c182d5e57377f8b740f23e9a55f4b2b446723947b72
SHA512 cddabe701c8cba5bd5d131abb85f9241212967ce6924e34b9d78d6f43d76a8de017e28302ff13ce800456ad6d1b5b8ffd8891a66e5be0c1e74cf19df9a7ad959

C:\Users\Admin\AppData\Local\Temp\cabD67C.tmp

MD5 e1101cca6e3fedb28b57af4c41b50d37
SHA1 990421b1d858b756e6695b004b26cdccae478c23
SHA256 69b2675e47917a9469f771d0c634bd62b2dfa0f5d4af3fd7afe9196bf889c19e
SHA512 b1edea65b6d0705a298bff85fc894a11c1f86b43fac3c2149d0bd4a13edcd744af337957cbc21a33ab7a948c11ea9f389f3a896b6b1423a504e7028c71300c44

C:\Users\Admin\AppData\Local\Temp\cabD72C.tmp

MD5 d4eac009e9e7b64b8b001ae82b8102fa
SHA1 d8d166494d5813db20ea1231da4b1f8a9b312119
SHA256 8b0631da4dc79e036251379a0a68c3ba977f14bcc797ba0eb9692f8bb90ddb4d
SHA512 561653f9920661027d006e7def7fb27de23b934e4860e0df78c97d183b7cebd9dce0d395e2018eef1c02fc6818a179a661e18a2c26c4180afee5ef4f9c9c6035

C:\Users\Admin\AppData\Local\Temp\cabD79B.tmp

MD5 beb12a0464d096ca33baea4352ce800f
SHA1 f678d650b4a41676ba05c836d462f34bdc5bf648
SHA256 a44166f5c9f2553555a43586ba5db1c1de54d72d308a48268f27c6a00076b1ca
SHA512 b6e7ccd1ecbb9a49fc72e40771725825daf41ddb2ff8ea4ecce18b8fa1a59d3b2c474add055f30da58c7e833a6e6555ebb77ccc324b61ca337187b4b41f7008b

C:\Users\Admin\AppData\Local\Temp\cabD7FB.tmp

MD5 f913dd84915753042d856cec4e5daba5
SHA1 fb1e423c8d09388c3f0b6d44364d94d786e8cf53
SHA256 aa03afb681a76c86c1bd8902ee2bba31a644841ce6bcb913c8b5032713265578
SHA512 c48850522c809b18208403b3e721abeb1187f954045ce2f8c48522368171cc8faf5f30fa44f6762afde130ec72284bb2e74097a35fe61f056656a27f9413c6b6

C:\Users\Admin\AppData\Local\Temp\cabD8A9.tmp

MD5 9c9f49a47222c18025cc25575337a965
SHA1 e42edb33471d7c1752dcc42c06dd3f9fda8b25f0
SHA256 ada7eff0676d9cce1935d5485f3dde35c594d343658fb1da42cb5a48fc3fc16a
SHA512 9fdcbab988cbe97bfd931b727d31ba6b8ecf795d0679a714b9afbc2c26e7dcf529e7a51289c7a1ae7ef04f4a923c2d7966d5af7c0bc766dcd0fca90251576794

C:\Users\Admin\AppData\Local\Temp\cabD8CC.tmp

MD5 9a07035ef802bf89f6ed254d0db02ab0
SHA1 9a48c1962b5cf1ee37feec861a5b51ce11091e78
SHA256 6cb03cebab2c28bf5318b13eeee49fbed8dcedaf771de78126d1bfe9bd81c674
SHA512 be13d6d88c68fa16390b04130838d69cdb6169dc16af0e198c905b22c25b345c541f8fccd4690d88be89383c19943b34edc67793f5eb90a97cd6f6eccb757f87

C:\Users\Admin\AppData\Local\Temp\cabD8BB.tmp

MD5 828f96031f40bf8ebcb5e52aaeeb7e4c
SHA1 cacc32738a0a66c8fe51a81ed8e27a6f82e69eb2
SHA256 640ad075b555d4a2143f909eafd91f54076f5dde42a2b11cd897bc564b5d7ff7
SHA512 61f6355ff4d984931e79624394ccca217054ae0f61b9af1a1eded5acca3d6fef8940e338c313be63fc766e6e7161cafa0c8ae44ad4e0be26c22ff17e2e6abaf7

C:\Users\Admin\AppData\Local\Temp\cabDFD3.tmp

MD5 d30ad26dbb6deca4fdd294f48edad55d
SHA1 ca767a1b6af72cf170c9e10438f61797e0f2e8ce
SHA256 6b1633dd765a11e7ed26f8f9a4dd45023b3e4adb903c934df3917d07a3856bff
SHA512 7b519f5d82ba0da3b2effad3029c7cab63905d534f3cf1f7ea3446c42fa2130665ca7569a105c18289d65fa955c5624009c1d571e8960d2b7c52e0d8b42be457

C:\Users\Admin\AppData\Local\Temp\cabDFD3.tmp

MD5 53c5f45b22e133b28d4bd3b5a350fdbd
SHA1 d180cfb1438d27f76e1919da3e84f307cb83434f
SHA256 8af4c7cac47d2b9c7adeadf276edae830b4cc5ffe7e765e3c3d7b3fadcb5f273
SHA512 46ad3da58c63ca62fcfc4faf9a7b5b320f4898a1e84eef4de16e0c0843bafe078982fc9f78c5ac6511740b35382400b5f7ac3ae99bb52e32ad9639437db481d1

C:\Users\Admin\AppData\Local\Temp\cabEB3F.tmp

MD5 bf95e967e7d1cec8efe426bc0127d3de
SHA1 ba44c5500a36d748a9a60a23db47116d37fd61bc
SHA256 4c3b008e0eb10a722d8fedb325bfb97edaa609b1e901295f224dd4cb4df5fc26
SHA512 0697e394abac429b00c3a4f8db9f509e5d45ff91f3c2af2c2a330d465825f058778c06b129865b6107a0731762ad73777389bb0e319b53e6b28c363232fa2ce8

C:\Users\Admin\AppData\Local\Temp\cabF505.tmp

MD5 f256aca509b4c6c0144d278c7036b0a8
SHA1 93f6106d0759afd0061f73b876aa9cab05aa8ef6
SHA256 ad26761d59f1fa9783c2f49184a2e8fe55fcd46cd3c49ffc099c02310649dc67
SHA512 08c57661f8cc9b547bbe42b4a5f8072b979e93346679ade23ca685c0085f7bc14c26707b3d3c02f124359ebb640816e13763c7546ff095c96d2bb090320f3a95

C:\Users\Admin\AppData\Local\Temp\cabF601.tmp

MD5 8867bdf5fc754da9da6f5ba341334595
SHA1 5067cce84c6c682b75c1ef3dea067a8d58d80fa9
SHA256 42323dd1d3e88c3207e16e0c95ca1048f2e4cd66183ad23b90171da381d37b58
SHA512 93421d7fe305d27e7e2fd8521a8b328063cd22fe4de67cccf5d3b8f0258ef28027195c53062d179cd2eba3a7e6f6a34a7a29297d4af57650aa6dd19d1ef8413d

C:\Users\Admin\AppData\Local\Temp\cabF6CE.tmp

MD5 e29ce2663a56a1444eaa3732ffb82940
SHA1 767a14b51be74d443b5a3feff4d870c61cb76501
SHA256 3732eb6166945db2bf792da04199b5c4a0fb3c96621ecbfdeaf2ea1699ba88ee
SHA512 6bc420f3a69e03d01a955570dc0656c83c9e842c99cf7b429122e612e1e54875c61063843d8a24db7ec2035626f02ddabf6d84fc3902184c1eff3583dbb4d3d8

C:\Users\Admin\AppData\Local\Temp\cab320A.tmp

MD5 93fa9f779520ab2d22ac4ea864b7bb34
SHA1 d1e9f53a0e012a89978a3c9ded73fb1d380a9d8a
SHA256 6a3801c1d4cf0c19a990282d93ac16007f6cacb645f0e0684ef2edac02647833
SHA512 aa91b4565c88e5da0cf294dc4a2c91eaeb6d81dca96069db032412e1946212a13c3580f5c0143dd28b33f4849d2c2df2214ce1e20598d634e78663d20f03c4e6

memory/3588-1479-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/3588-1481-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/3588-1482-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/3588-1480-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/3588-1483-0x00007FF879430000-0x00007FF879625000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C233F863-A921-4684-A0FC-CD914CF1EF31}.tmp

MD5 5d4d94ee7e06bbb0af9584119797b23a
SHA1 dbb111419c704f116efa8e72471dd83e86e49677
SHA256 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
SHA512 95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

MD5 143fc012a4d4f8417efd00b6f7216d7c
SHA1 6ffa2c29f5db78145341b784ca9ee71d2fd087c7
SHA256 fc85866ee8e3b59f876047de23c3e8595bafd0811a2ce9d91f7db3057e876fcc
SHA512 4760d0685fa4ad8682080d68d17707afeb8b4de37dd2612048cba6e12ec3218d6bc4a383c72a8cd230d76036480ac56738be2909c6dcd2c2d32c6b1fe7e8c54c

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 1f9e8c43875fbfd7a5001028f71cdaf7
SHA1 138d0b08ab9f8cf44f8fcfab8eb3229686904e9a
SHA256 a05df92063d198c71c65b560c0bb9a46870f28eff698ac1d93977d255b442d11
SHA512 f8071eb08f499ef9fc151aca42984fcbab68dd10033e5311b9681dfe14870c0f3b02480388f6a638e41fb141e73d8b02c20f83916579c55c214cff6c186a3b50