1e42bacdd75441a16f3b99f6b63b2e9f01786413a0218531f26d7c9b96795484

Analysis

max time kernel
144s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e844abd29091f61f3c48ce4dd6a145e_JaffaCakes118.doc
Size

234KB
MD5

3e844abd29091f61f3c48ce4dd6a145e
SHA1

cbd1935e9c28f478e963c81333e0607e157c1843
SHA256

1e42bacdd75441a16f3b99f6b63b2e9f01786413a0218531f26d7c9b96795484
SHA512

64b4b6bd9f7e36a3e2c84d999359963312c81245ce9b24e2e38d9e3eedf6e1e1d5746100cb7f62c03a0ca71780508dea6a2b2472d0f1385f36cfd7848bb06845
SSDEEP

1536:pterThwxEM5OsmqrmrAK9hbhkHrTPcyhK/dRYaBMRq0T7+hAm53n:pUwxv5OsmqrmrAKHyAdSAbo7+nVn

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?4SHU7JzWaglUWfemmFra3Yve2DmeiwP0:v0164720	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?4SHU7JzWaglUWfemmFra3Yve2DmeiwP0:v0164720	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?4SHU7JzWaglUWfemmFra3Yve2DmeiwP0:v0164720	EXCEL.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{6DB266EB-B3FD-4924-A7E3-1C32884D70E6}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{6DB266EB-B3FD-4924-A7E3-1C32884D70E6}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6DB266EB-B3FD-4924-A7E3-1C32884D70E6}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6DB266EB-B3FD-4924-A7E3-1C32884D70E6}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{6DB266EB-B3FD-4924-A7E3-1C32884D70E6}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2636	WINWORD.EXE
1176	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	EXCEL.EXE
Token: SeShutdownPrivilege	2940	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2636	WINWORD.EXE
2636	WINWORD.EXE
2904	EXCEL.EXE
2904	EXCEL.EXE
2904	EXCEL.EXE
1176	WINWORD.EXE
1176	WINWORD.EXE
2940	EXCEL.EXE
2940	EXCEL.EXE
2940	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2780	2636	WINWORD.EXE	31
PID 2636 wrote to memory of 2780	2636	WINWORD.EXE	31
PID 2636 wrote to memory of 2780	2636	WINWORD.EXE	31
PID 2636 wrote to memory of 2780	2636	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3e844abd29091f61f3c48ce4dd6a145e_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
fee59209dbdc7b64427b85a33823e963

SHA1
22957bc4bf506fbf5677300fcb6b1d972ed19c45

SHA256
6b8f987f5f72545ba0a4f9d76bcb8cb6f8a2298f96d26a884a1cff1706102199

SHA512
cd9f47850a5c8561af90f4dcb7cad173c63687eaebbf6030f6a4dbab1dfe1837b35843c72722e1bd5102e678a567b9d9b7236e91be6b2f5db1325569499e8395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0A06EFEA-8A88-4A06-8639-71F6374CB170}.FSD

Filesize
128KB

MD5
2c724a61589ebd696934cb67f3382f22

SHA1
bd25812b60888fe1575a14d52337d123531b7983

SHA256
9bb92ebfaad6c7b68204e30a40f0f9dacbbd5b0e153c69575d293f8910820b26

SHA512
e97710ec49ad0066c96c17904a8d4645589fdcf9c383b20657583664ebb557ca9eb189ca0bc7a720d497b4d373cd4ce172b27feaf18bc4cc39aa23beff4afd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0A06EFEA-8A88-4A06-8639-71F6374CB170}.FSD

Filesize
128KB

MD5
97342f14c0301be6ee343f7574695e45

SHA1
73f59d7feea4d796eab86cc1d26dc07cbfa9a096

SHA256
797095aa6997a2aed6113d3cb64ae6628b4cb3e7eacd5ef766f485215d07446d

SHA512
9c59b681560f2bf712be3737400430b0e9fdfbd3403469a2487ed9b5e1e87c43eedeab0cd435b4242b9a7ad760140e4fa72f499cbba51987d592ad7069a93f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
3fdaf5cebacf9cfe9ec9eb0333981fbc

SHA1
cb685c13f4293d6f72f7017d3957ac7089df65e1

SHA256
d57bda9bf68baaedf7bc8537529c04d0857839acab1aa854dc583a3c5f54b977

SHA512
eea581cf66b1fa7fd599b65c40d0b3c8035924aa7638200e57434113dbd51c59e27454f6c5586781a2e6b393a06605f0e9f134229f004c7c509c9fb2d0457706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
988103f7a46139bceddebb8b99dec072

SHA1
c629a1f8a391e7a5ef6d82f963c0762b45d2e5e3

SHA256
bfb97ad5a6f2f151d3b7a17f4fcaac7d2fb1ef9527f162aa70085637d49729af

SHA512
96394059a86fb7dbce85237fba8a329162c64f1563dee86124be6d223a33e6beaa259880d5f42a9a59a2aaa5a0f3f2fb1cc8a3509765d0a2ad790a84f65110b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
129e5da939e59513ab92db57bbe77906

SHA1
b3e3544db9496093682e65e5772f07db75134e07

SHA256
4d12dac82a49e5ad3b9a43ec91c7980447966a6d6b673f73c59719d7d07f2e5d

SHA512
53d6776f9982388b0f82343b9f7171132b15a009bf714b85e32250b786257ccd21993ab8ab6556c9af5da2ce657abaf7b376f527cd1ac1e9da28809111a55d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{91BAFA1D-5313-43ED-96BE-45674608FA07}.FSD

Filesize
128KB

MD5
99d9952ba7922ed73df9dc5248ef0467

SHA1
3bf31c1f5d406cc92c044cd58499b939031ef586

SHA256
21c9d7e7f5c7aa8a8472ee77e81447d2229898b9fb4785a05e29f87ca474a02b

SHA512
4d73e6269d20376024ecbb1950bd9f9c2afc2fb6b32f505060629f0c23efa131de697abb15c4bcb005c3038e00d0d269acb129a84435af56699c5f0fbd9690a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{91BAFA1D-5313-43ED-96BE-45674608FA07}.FSD

Filesize
128KB

MD5
1e8caad9c0a7ac6e20246d6163308829

SHA1
4965b6eb7d7b02a24a3b7394614058e71f488b2b

SHA256
f7bd4da82c6f0a6bb339c0b7bad089b684942a102720be469ca5919dfb721726

SHA512
5f472ba7d2cb72234dd6c2c1211b4572fd7496b8e4b92bb97c4443c4a78e6c5e6067e4319763e014c47d3027dc29c47ca4e20dfed5e98c8b1568b0c90a16da75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
81feb8608c4c2cb0fbb791024a94c55b

SHA1
c0defa6732f5dc13e1cda6871c3fa52edf445e60

SHA256
c297d6a06a4d99db9d2054aae89d2deb49823f2b5be4ea4a0fbfd15bb2d0188d

SHA512
aa2da4b5a7a0c34bc41f1c79f4ffdf07b67969cf40a8a99a4bc5b027283e1c9551344c96ac7643107516af885eb9e6615c57cd0cc8d70a1cb2df11f19fbc8b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
162268e56f8c667f86fa7e020c993002

SHA1
21122e31f9f09900c23caa318263e9b5ac1e5cf5

SHA256
e91466f455dc672d81e00e729a29ea094402ddceecb3322669274224d48fefd0

SHA512
d874a99c8768dff80e492998146cfb52f28334ae69b83cb7fec8d5c4ee56c78b558b90a69877021eeb6b307eb304bb137c4936668b8ec64bf9192ab8b22c3891

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BC4F2A89-31BC-4FC2-B80D-29066A508D87}

Filesize
128KB

MD5
437239518ce48c197339749d25e1177c

SHA1
90e4bb932f285cfb46eba09023845a8abb5ac317

SHA256
40b90a55171f7010dec0ade18cc3e073c0ce1820892d9207031b0eb28ff6c28d

SHA512
f157d7bc2756c7ae65b5e84ca83cff265fafb1851abd54866105a2ef0f823d28946fefe3da7700b8bc726384e71ac05ddc87057fcd78667152d2433a51404b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
69218e55e21a889962dd08341db7579f

SHA1
1e30563b452ed5bb8b9783100c0896a0a3e05c24

SHA256
09e32af1124ec0cacb151a9bae54a7c36b1c8ea12ede09bc69fc603351f4e1cc

SHA512
47a3347bd253a24caa0b627b1e5772689f78d6600a30961f56cf490ff86ceb320ea14a7a2c033a7cd9f30026327dee1a4bedf1cbf463e8a054ea8f9517ae9d45

Download Submit
memory/2636-47-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-40-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-17-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-16-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-15-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-14-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-13-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-12-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-11-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-9-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-8-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-7-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-57-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-56-0x000000000F260000-0x000000000F360000-memory.dmp

Filesize
1024KB

Download
memory/2636-55-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-54-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-53-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-52-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-51-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-50-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-49-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-48-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-19-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-46-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-45-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-44-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-43-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-42-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-41-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-18-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-39-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-37-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-36-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-35-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-34-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-33-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-32-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-31-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-30-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-29-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-28-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-27-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-26-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-25-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-24-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-23-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-22-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-21-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-71-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-1023-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-20-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-38-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-10-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2636-5-0x000000007127D000-0x0000000071288000-memory.dmp

Filesize
44KB

Download
memory/2636-2-0x000000007127D000-0x0000000071288000-memory.dmp

Filesize
44KB

Download
memory/2636-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2636-0-0x000000002F161000-0x000000002F162000-memory.dmp

Filesize
4KB

Download