6f9f0bfa2dec9a1b1178b4ca50966833f7515b12fdee5d015977f96558fe2b4c

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc
Size

204KB
MD5

3492414ac7f96cf096455293a419bebc
SHA1

a9e1541403f94ed1170ebb26e74b615367a94c94
SHA256

6f9f0bfa2dec9a1b1178b4ca50966833f7515b12fdee5d015977f96558fe2b4c
SHA512

27945244c34e7fbaced1d5ea23ff47b53f9853d6de843a7bf4a93c3bee62ce4873c3570c6793d15882fc57e8ff85d3cd69f94e6275e1b47256a22fbd82192aa3
SSDEEP

1536:ptPrT8wrLT0NeXxz1DweIHrTPQyq5J8bCXmhKGJtbJKjPNFTwe5J/:p2w3keXxz1Dfk69XXeJ8ie7

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?9E1I_G5144492.3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?9E1I_G5144492.3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?9E1I_G5144492.3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc	EXCEL.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6C30224-FED2-49C5-9A89-563FC8F8272B}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2676	WINWORD.EXE
2140	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1100	EXCEL.EXE
Token: SeShutdownPrivilege	1712	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2676	WINWORD.EXE
2676	WINWORD.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
1100	EXCEL.EXE
2140	WINWORD.EXE
2140	WINWORD.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE
1904	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2664	2676	WINWORD.EXE	31
PID 2676 wrote to memory of 2664	2676	WINWORD.EXE	31
PID 2676 wrote to memory of 2664	2676	WINWORD.EXE	31
PID 2676 wrote to memory of 2664	2676	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3492414ac7f96cf096455293a419bebc_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2664

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
d8ade0b85a3487e10e4b5ed9a60149cb

SHA1
862141eb292838eff7b4322fbfa9705b7712819d

SHA256
f0e2748f66b332bb7b3b085fd324edd070e6b783e00fe8f8408258fddb8a6de5

SHA512
f83a9bcf14a8470aa95fb45102a9348ec2e97e895d24f4c7654c5ffddd2c15e70f42b4bd97cbeee32f2cd2f1a22ecaa9e32c4cba762de0f2e1628c89879cfa87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4AE03FAE-461B-4C02-A8AB-A560D553D697}.FSD

Filesize
128KB

MD5
db06a44f665599624f2e590cbc0cd7b1

SHA1
d9b7a37ae47bcebe7e0649448564d317585ca7aa

SHA256
5885f6e298db8a136766818979ac9653c0eaa6af22065633b2c40ae1be533b6e

SHA512
ea4cf18b1ab81b5fe34393fc254b0fdb74cea0789bae918184bdb4d2cc79fedfc059ba77634b9ce58bbaed6b47228558c3fc1a8df8c5e1d093bc0e72dceae5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4AE03FAE-461B-4C02-A8AB-A560D553D697}.FSD

Filesize
128KB

MD5
32cf57a921aa6658263c0e9d186660a0

SHA1
4afb6601f87fdaed5216e000e18b6845fba7b5de

SHA256
f13d8306ce9ca47514e7baa13235d33179aa8fdfbf01f573639b9bc14cb71ae3

SHA512
4c6f66effda46788b815c3a550adae9b04ee622a116ebc5556095d59b2d3f3a6f31c0796d5fa3fea0f34f623054843ffdadcac24dae7dcf631baa8fdc5e50115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
49ab81b394cdcfc776071840319e1c19

SHA1
68a5359f4ebcb432066b5363f19a1b8a68e8a916

SHA256
c5eb02685d50250ca02870b52e01b4078868193f1373f5e47baf9cefec981ac6

SHA512
4d1104c35f43c831d8a3240fd891c1e7fd763d3b691940ec85ec2484ddc9991d23513901619ff8d1eb8a8744f5f60751f3e0460fc942d9d5c700523836b8956c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
ba333ce0b18048196e9b5f8822d507b7

SHA1
6db510240c8aaa80baadd7e3f2ed3e9384e548f3

SHA256
468d2c2dcdb711a95664e3dbc4f9851fae1bd8f6cf83164ab500abbfd64c7aaa

SHA512
c02a38594438c77f023d1051010385d334dea1ef80194a15cba22fd30c94cf8c0bc6ccf13bddf50d85466b771d666162acef496d268b063956fcdda0ec25a3bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b4f7f68818fe39fec39a63448b0008ba

SHA1
71a5f2da7eff10d2b2fe774d5962ab96503d3018

SHA256
e8343e37eedb9e39dd27836f5cc36361e3d08494e5e94db7556c07d91af0a6a8

SHA512
e264f71885d05f076482e80ee5e25cbeef0c06b659ef6d7105e4aebb3239ce3f45ef48c96ffca43dfd43e80ae0d3392c2c8479b664a5275cc51a03ddf113f27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{541C7786-B0C9-4F67-B786-8739C8769E6D}.FSD

Filesize
128KB

MD5
176a05144973146315871274b7d50237

SHA1
07a5e9c3a41ad365c6df16715950c1e68dc2a43e

SHA256
dae0ea7c75c5b0b2da79df6b3d7d6aa091acba32c6403e0dc309c464f017fed4

SHA512
0723ccbcabcc4f882eb84b32ad7b774cbe5d71a40c5594e4096d51fe0651e6b93e28b45f7603424faa22da212aa5cb26f215b4d266aae87bbe565e4fa2dbc549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{541C7786-B0C9-4F67-B786-8739C8769E6D}.FSD

Filesize
128KB

MD5
b22b9399c128353dbf4ae0e6b2e101bd

SHA1
75a824ced199a7b8239d4efef96cb6feefe0c18b

SHA256
9b1a1d795e23a77e59f373fd3387e795f4db6532c6b2c5141cfc1816c98c9b61

SHA512
ac68dfeab3aa2fb8fbdc5de25029da067dfe3e3d7938fa71a345b515f239cac03c55c7f5080548a6f749be8f8db51a0440d0de6aa703e314c69b5e739fef2f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
52fa70e251176438ef0d4fe3f8b94ac2

SHA1
28b52b136c0482f04fefa215fb2c1d9e63716128

SHA256
f0a16ecda830355c1d1573c8be39ceeab6e9e1f859bc45c9ad3e3ee55f65a03c

SHA512
4e31257c8ab7359c9c4b84e2458d483943798c875b46ab27838b2cc9c20574e533ef6d4e26bb36c56a67cc78b9bd2863ad201e77be2c62a9b6cc7c3d9e1284ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
0e350e98050289abb75f35216f179da8

SHA1
d7b0c7f319ebb5512fc5b799df7a86d4d2505836

SHA256
5208936dbab229c041dbeba6641f5e9b913f4f4365dc8f11feb989e6d2f26d70

SHA512
854752540340f396de3ea513641ec8e6c3b56fe1cd7814275d3ef1aa0ad0584824c28cd2a6e976d5104b55d03ca7084e27c78db2f9a37495a90ca1ebd88f51c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{70CC8BB6-53B1-4184-8A22-2EACB67268E8}

Filesize
128KB

MD5
4c10ba8e162da48714e72c8c74b1b1f1

SHA1
0511dd65c7316aa32dd728c5eac93a554a6a980e

SHA256
84d5c6aa1db99a0d943ce0aebd38b92275fdce3fbdc558f547bf9c88c26fd0b2

SHA512
3be6dffb7e7dd1611e037a7a78b62d8cfce8ee1e55f1459d3b2cbcb7239386c3abda3744fa561abc28ca96de3c56dcd2422ff3037e550fd020d82f167fb8c373

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
8725a9cca155a2604e579444f46f172f

SHA1
8fb3cb630e9660005b4b7e478669ae6e32f0d5f6

SHA256
9076031587a19b239f615b7040c259b2853f41713e7528d98bf3f585d97ae328

SHA512
e76ba8f22fde9a27ef7d23add85155d5fceaf8546de2aaa1411dc5e698b71c997c70b4cf86a219fb6bfd9d3ef4d5e7730d44c0e2992ec2575ae6caab481716ab

Download Submit
memory/1100-1020-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2676-162-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-160-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-416-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-415-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-516-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-515-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-514-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-513-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-156-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-157-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-158-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-159-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-161-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-0-0x000000002F8B1000-0x000000002F8B2000-memory.dmp

Filesize
4KB

Download
memory/2676-163-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-164-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2676-56-0x000000000D3C0000-0x000000000D4C0000-memory.dmp

Filesize
1024KB

Download
memory/2676-55-0x0000000004F40000-0x0000000005040000-memory.dmp

Filesize
1024KB

Download
memory/2676-5-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2676-2-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2676-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download