e91acb156a99be7f700c4ec2dd4d026b2efaf466077a4a65f923b7d8cab6405e

Analysis

max time kernel
144s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356a305814e66bf96aee899ad78f6b01_JaffaCakes118.doc
Size

235KB
MD5

356a305814e66bf96aee899ad78f6b01
SHA1

d6c2eda4b130df5469bb6108e00fb93980f9f23a
SHA256

e91acb156a99be7f700c4ec2dd4d026b2efaf466077a4a65f923b7d8cab6405e
SHA512

87c9b8ec6bb8e6c6d0bd071b4256992eaa30500616875c489469b6c06ac6dfe42d368371e814a5f3ab67d55d043729a4db5a7069f0e55e6052b2fda24b1ac25d
SSDEEP

3072:pUwxv5OsmqrmrAKHjCdSR9FQPciVUTlF4C:pUgv5O4rmEDUReciVor

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?IeYnGPCOBlj7e8wWCmnI5zdESULKlj5S:1E712005	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?IeYnGPCOBlj7e8wWCmnI5zdESULKlj5S:1E712005	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?IeYnGPCOBlj7e8wWCmnI5zdESULKlj5S:1E712005	EXCEL.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{C1440018-4A98-41F6-94AE-DF4249184740}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{C1440018-4A98-41F6-94AE-DF4249184740}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{C1440018-4A98-41F6-94AE-DF4249184740}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1440018-4A98-41F6-94AE-DF4249184740}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\TypeLib\{C1440018-4A98-41F6-94AE-DF4249184740}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1512	WINWORD.EXE
628	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	924	EXCEL.EXE
Token: SeShutdownPrivilege	916	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1512	WINWORD.EXE
1512	WINWORD.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
628	WINWORD.EXE
628	WINWORD.EXE
916	EXCEL.EXE
916	EXCEL.EXE
916	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 620	1512	WINWORD.EXE	31
PID 1512 wrote to memory of 620	1512	WINWORD.EXE	31
PID 1512 wrote to memory of 620	1512	WINWORD.EXE	31
PID 1512 wrote to memory of 620	1512	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\356a305814e66bf96aee899ad78f6b01_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:620

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:924

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:628

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:916

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
cd7722eb08204aab3342be09c23a742a

SHA1
942f97fd4d433b2a8476928942442962c5812b4a

SHA256
05dea3cdb2876816afdbb4e0a21d160534de5af012a22fec8d6a5984ab83c50a

SHA512
36420ca4611282a0dd2d881aecb88e0c7ed0f7626edd3d83fd5c2d4aefa297cd727239579de69c0408be3f687e570e02f15559def63d0486517ba7810f8a6d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{BE4876C0-595A-4448-A73C-D325E65D4EEC}.FSD

Filesize
128KB

MD5
593b8d8c643b34702aa5e1a77c257fef

SHA1
b5d5e6f4304e2a1de443ee097010bfcb4a7c5f91

SHA256
1597686de496626156bcd6e6679c8c711bb2b6b2876b290f4c10d6e7e10f600e

SHA512
e728e68332aed17c2a60b948e36f3f57f377b417f50520b068177ac6e4548da61843cecfbfeaebff4dd946fb8d7f5ee0c8dbbc19837afd3c54d278524efc54e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
d6009fb376b176e7a6e2e24db9f6934c

SHA1
65fe7a7baf19c162aebdf46916286115a1eea23c

SHA256
27e8e976726167c8485bc4a7888f03146a06a4b2c1981981efddaffd5be0b264

SHA512
6595859648767affbf30434bb86fb86e4c0d438cb77929c6a4362a76d5de8051b3cb657bcefd80838b3b5c30418c905d712018405184bb4b2b4d5ae9d3d18b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
fe241424f532ca87f5fc16942212cb58

SHA1
d5cc307d0e4a02dddc49f4737ad7a782874158bd

SHA256
a9dd968abb3298672da8bbb7fb7697806401729bc285d59b0723191a2bd69744

SHA512
b0597535d2843963816ff99b5deb79c63a27ae9f7cc5e1afa08d5e93aeab4ab8a966ff42d28e0a122ce2806450932a799f63ef89c15d8450f3723f894a3d56ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B8ED404E-083B-4EB6-BA78-3EF07E6B874B}.FSD

Filesize
128KB

MD5
8f90d96a01d4573c1ec93298e7bac9b8

SHA1
fea7a3fbb059fbb3a27d391b1bc261b62285b6d5

SHA256
e9ac0a9dbb7b76b08d1ead824ce3b6f6e5e17e90de6a5a547a0f7da8b9eb6b60

SHA512
5ca5c15cf1a2ee39ff270ffba3a1ce512d1e05a174b692ad3389366bfbfc785bc09b9b66a2dfc4e6ac8ce884edfa1090eee7e639987b637e79ba2c87da37bd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
14a81a649fed4a60a626886369391b17

SHA1
7c0a39f11d41f9b2ddcd738f49f45cd87db4fbc1

SHA256
51d7e7b848dbb94e027d4c91099244f001b6b5268bfc568d6a56bcd769c82ad0

SHA512
d72693251b69a912259d7b42213b0d9044c5e8181c6e19d363ecff0fbe00cc00f62d41a5b6d506ab3f58b407ce8b08b08b5d47e192d9d1a0f3649b22389f8756

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
d9dae580702bcd8f1c12b57270395872

SHA1
e6785db5b386fdc8251fd0915ce6833d18aa5e0b

SHA256
61d4a5b6a5d375eff83b71bca35e97068bf8eee2b32413ec32d08a90eb186802

SHA512
65d538f5a91acfe09a00fc512f21275fd01a362062118288285cda8c4743504e66c7a5c3b1f4eb8e0cd3fa473cf4b5b98e2607c771e4354dcb4f0a05b23975c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{52681EE0-B1EB-4ECA-B37D-0BB337773C0D}

Filesize
128KB

MD5
a4899bef6b391608f4cfb9f873e742e5

SHA1
e1a66abe9176149ab1fd2f2b4cc87690fb0f15db

SHA256
28bc2aec9075d27ae52a5f24563cb7ae656e9d679c99f348528974738264eb67

SHA512
23395706751c967cf59a85088a83f5b00839b68f06149681641a3e83327c8680d4ed7c8be7c9dc768634bb348f0fb93a10a03d2a20026d51afa48be710744bbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
eeb339aa88b00b55d43fd77fc3916591

SHA1
e38389373318abdd2e4850ba4f1e7d3915de961c

SHA256
ef469dfd40f603443553ebf7f705c8886ce767a12a140562fbf914aa05da6dc1

SHA512
ab24c3a849a95364de94ef74173093f7d1cb169aea1ed4cd272380b3535061f439b0ef8174cd1b1acdd5d5e7a6a4335b002376faab953f60c1b95bd372cfbcf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/628-1388-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1078-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1031-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1032-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1034-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1035-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1030-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1033-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1243-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1195-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1138-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1490-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1292-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1436-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/628-1340-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/924-1014-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1512-0-0x000000002FC01000-0x000000002FC02000-memory.dmp

Filesize
4KB

Download
memory/1512-81-0x000000000EDA0000-0x000000000EEA0000-memory.dmp

Filesize
1024KB

Download
memory/1512-60-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/1512-10-0x000000007111D000-0x0000000071128000-memory.dmp

Filesize
44KB

Download
memory/1512-2-0x000000007111D000-0x0000000071128000-memory.dmp

Filesize
44KB

Download
memory/1512-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download