86b77086f3080a513c8ea671350984420e02fea6e216a23b8fc927f353593648

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6514db0353dc21015acc303978e50b_JaffaCakes118.doc
Size

238KB
MD5

2a6514db0353dc21015acc303978e50b
SHA1

32b8138b335965fe93c8fa4562c878d95ddd6670
SHA256

86b77086f3080a513c8ea671350984420e02fea6e216a23b8fc927f353593648
SHA512

e421a371955ed92c599bdf8edb50bac43fddb02d14b7d707c2d61d6145ddc4b29848db3a462e0218627b196370cc11885536c1251e8a8e0fd3e8539599a29585
SSDEEP

3072:PAw1vPEfOgnPJceKBDaWOdSHm9/Qk6tWhL:PAKvPEfrPJBA4UH4YIx

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?EGPUAy6Be2fYJVxIYkEUUslvHW4c8sZx:Yz317076	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?EGPUAy6Be2fYJVxIYkEUUslvHW4c8sZx:Yz317076	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?EGPUAy6Be2fYJVxIYkEUUslvHW4c8sZx:Yz317076	EXCEL.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{7E14BCEF-2F11-4634-94AA-502FD16BB229}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2688	WINWORD.EXE
2092	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1928	EXCEL.EXE
Token: SeShutdownPrivilege	2020	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2688	WINWORD.EXE
2688	WINWORD.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
1928	EXCEL.EXE
2092	WINWORD.EXE
2092	WINWORD.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
2020	EXCEL.EXE
1324	EXCEL.EXE
1324	EXCEL.EXE
1324	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2912	2688	WINWORD.EXE	31
PID 2688 wrote to memory of 2912	2688	WINWORD.EXE	31
PID 2688 wrote to memory of 2912	2688	WINWORD.EXE	31
PID 2688 wrote to memory of 2912	2688	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a6514db0353dc21015acc303978e50b_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2912

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
7850918dfa2322bce9e88e6d9cdb55f3

SHA1
38ece3d0a951e3a91bd35e3911f6b2a0c4027d60

SHA256
62e677dd6e791bb92f13490916a068776792169edf28115d179b867688654798

SHA512
89cc3f32365eccc86a2e84e062dfb3fb2c4809ecff146e48e1042c387ab77a859c8f707221dfd19b9a82d2cb11247b81c0a9d359782131632fd3d21f8c791ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A454A13C-718B-44E8-BB08-21218E17BBF2}.FSD

Filesize
128KB

MD5
da62debb99fdd9480472776b2a4a9949

SHA1
38d17953d20eb5019bedcfae86b0ab317340ce0b

SHA256
3e623463535e6eeec6b174e31f41f7265c8a47d61e6700a3d719c8f808213255

SHA512
20fa22240acafd2544f86704dfcd4c0923832866dd138e0f135146850d586cbb93e8edffc9c699cdc4024ea16c77599e76583fa97c9c719ab15dc55c4d3c36fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
2cd4f91af69276db3e243286ce9469a2

SHA1
9a38dba5ba8aa5cd838d3d8fe45c9db8edd6f39d

SHA256
be246cf752299dbe1906c4891aad4bf8d2449656d87193807e242dfdf5d94706

SHA512
67f6fb9f8b2a15b0d48cc0a40ea0f88a84f26c5c1da5aed142e47bcdd54b37951c1d11dfbb9ad6009a6a19d7a0939e64207c6b8ce20bcbcfec2c43b279902764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
23a7e7c8ce020d7762965bd134446737

SHA1
121a91306a6fd05799af0aa64ff5459fdd82b3d5

SHA256
c8ed11dc494f781cd507a4a8c6d6b39788be10094e5503fdb454e1b45f8a3031

SHA512
3a8d0e66d110c193b7944957697922d23cffcb3aafa0784bf36482aefe9d22a80c2d9b0d9466685461df408f5a24d47ac73c3a34421c7dacf606949cc8598a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
791fdb4a4345af76b74dbbd4475293ce

SHA1
29341d8783763a0d693483255545d998774c50a8

SHA256
dfe185512903615cf69f3d036d1be7e997a28f1ee66c9676a9ab95e11ef79fb8

SHA512
0c89e40d4426d89ffc1f576a0fdec725fd77397600adedf8ce9f31f8a08f394890ffb94aafdedc9a53849d6bb798e53089117ac964471b7b23f68fd210fc3d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{04E276C9-A112-49DE-B3DA-D8545391070C}.FSD

Filesize
128KB

MD5
915de3c05f575e2a2919b72ba5161a5e

SHA1
cf8ee0354e896f1d6969679d17879c36c7093d2c

SHA256
59d4e9abdfba76c0f5039a2830176eca8ace31c7aebf9ecfff407ec696de43a2

SHA512
c0cba4d34b8e556a91889df19c0d531061457131f01fe1979b513a368ba61444ecb3c8e2fb2c5a44601e5ed9f54491bc44910bef240048116ab5423e26972069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{04E276C9-A112-49DE-B3DA-D8545391070C}.FSD

Filesize
128KB

MD5
a216527a0b17676e974ad37cf1c5f2b6

SHA1
1f401157b4896143ab0b8bdd1de241a1f01dfc76

SHA256
99e2f9e5f520507c5159a92e1459102a2c0a5737818e9e1e2409cb1cf3d5ca82

SHA512
f9ac89c269ad00812e125553cb63229f2e7b85ce0d0e6ff139837e91d0b20b27df60b3ae082586ed78f54a5ab6e2f11690460c9633f3e48d1359c7302744ab69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
aeac44d47e0dc7c6ac4a599c2f1df3a2

SHA1
7b5dbe5b57984f1a5f3ae8679b5514ecc04d412c

SHA256
1881a83981687f7eb9ff12fcae5a67882a1ed50b23c56fa07d864acbbb3f4613

SHA512
280ba48a3f49f028a0a7802f9e8840fbbeb8332f7402c04acd8efe893349524b28f04a5fbf073f9d98c77f49b6e274f49a2ef095976743f924b1daccea7a8a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
6c5ad0f428538fc6e91b5e0b8f6d0a08

SHA1
fe7ffea0413575d4c167d9477d4010933a128a0f

SHA256
519d4880c3a6fac548b7c7ceafefeb6dc1455c8198d6a498a3713a8eb1a881f4

SHA512
3278a5ce80e52ccea554d1c4547b94eb489ecf51c085f10d30fbcc70a9de519095e9349cf89b207d159ec8c07a6aaf983be076679684b65d286821aa7a3354b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CD889A-C5DC-4A6D-AEC2-5DA0F49DA4AB}

Filesize
128KB

MD5
d4eed91ce487e93cb9e77bd00ecbe0da

SHA1
1ca6a7e785a921e0b9202d77af0c9633ab934e45

SHA256
b8401ca5c55097c2577744df0712efcdfc69131126f53c243505600dd75cf1b2

SHA512
f23d482189f5e76cac707dd2c926b06a6077f2acf8c5b3317cd8967d0b6cff5fd2e8d43ec816f22abe630ddd1d54491ff05f6e06ac4c89d834cfa46bef1c6920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ff9da7bacb3c80ac115897301026b4e9

SHA1
5365c1002acf36052f258fe24c5e91e7e14e391a

SHA256
1453faac37e5f204049bc503b55911677d8bf90331c967a9a48c5b16484f4788

SHA512
cd3f23598e4a1cb4ef9bc689baec6ffbbbbdfb3bd31f8fd9b6e2d2f08f1664f5ac966c626457abf926e6bda9c5ad7e09e3be1ccfce109f123c02547fd235bb45

Download Submit
memory/1928-1009-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2688-0-0x000000002FBF1000-0x000000002FBF2000-memory.dmp

Filesize
4KB

Download
memory/2688-56-0x000000000F010000-0x000000000F110000-memory.dmp

Filesize
1024KB

Download
memory/2688-55-0x0000000004EE0000-0x0000000004FE0000-memory.dmp

Filesize
1024KB

Download
memory/2688-5-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2688-2-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download