Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
23-07-2024 05:58
Behavioral task
behavioral1
Sample
6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc
Resource
win10v2004-20240709-en
General
-
Target
6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc
-
Size
235KB
-
MD5
6665ab44db118b972ce2a88e66118fb8
-
SHA1
fee2da365e916da5c67e7c9ac1f011651b538009
-
SHA256
3fb97d9c2e1864424882af8744978f5c367b27f5fa6b2a857621f126e758a6f9
-
SHA512
0ebcd4d975f56369d1b53b9c3c0f78a4a2e5bd1e1a28a083286d08318bdc3372b793811b5fd692de9fbcc5132f960c3a1b32149ee35b1386e70bfc7f5cd9f71b
-
SSDEEP
1536:zterThwxEM5OsmqrmrAK9hbZQHrTPUyZK/dRYiX/CN7Ta861YrkyXkHx:zUwxv5OsmqrmrAKHigdSivCFTH6C2Hx
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?Vgr1Tjy3LJRCqiPWfIuKWbXliWFaC0be:Gf719055 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?Vgr1Tjy3LJRCqiPWfIuKWbXliWFaC0be:Gf719055 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?Vgr1Tjy3LJRCqiPWfIuKWbXliWFaC0be:Gf719055 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{DDB5C59C-81EE-4E88-80A3-99474CF80454}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB5C59C-81EE-4E88-80A3-99474CF80454}\2.0\0\win32 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{DDB5C59C-81EE-4E88-80A3-99474CF80454}\2.0\FLAGS\ = "6" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{DDB5C59C-81EE-4E88-80A3-99474CF80454}\2.0\0\win32 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB5C59C-81EE-4E88-80A3-99474CF80454}\2.0\HELPDIR WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\TypeLib\{DDB5C59C-81EE-4E88-80A3-99474CF80454}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 688 WINWORD.EXE 2532 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 2124 EXCEL.EXE Token: SeShutdownPrivilege 2776 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 688 WINWORD.EXE 688 WINWORD.EXE 2124 EXCEL.EXE 2124 EXCEL.EXE 2124 EXCEL.EXE 2532 WINWORD.EXE 2532 WINWORD.EXE 2776 EXCEL.EXE 2776 EXCEL.EXE 2776 EXCEL.EXE 1804 EXCEL.EXE 1804 EXCEL.EXE 1804 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 688 wrote to memory of 2472 688 WINWORD.EXE 30 PID 688 wrote to memory of 2472 688 WINWORD.EXE 30 PID 688 wrote to memory of 2472 688 WINWORD.EXE 30 PID 688 wrote to memory of 2472 688 WINWORD.EXE 30
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2472
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2124
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2532
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2776
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1804
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5c138d29f3ca84c790030d441a99b38c0
SHA139bad3e1a87bee87f1030f9c1d12eda88e139ce7
SHA2564e6b4ce2c4c6d47b74b8b85db93d52af84cd46654879e8cd1b21ea5b1e399dce
SHA51269679671c49909865b1a6867cb0ac276e7d5f715dda2434bdc6988b97e1d7e780abebfceeee7a7f3489902c748a15c2902f12f303bf2ce8d920997c2dcc2cb65
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9D68B317-C517-4CD8-9B6B-3B4232F27C37}.FSD
Filesize128KB
MD54076eae8d81022c9a8d66638efb5f77b
SHA18a5e4edf90b4d464d6ed9b446705f59ab3743a87
SHA256df8a38085fff7ca7b59c379f3040691011473e6e11b567f1f72e2472a119104c
SHA512d174427c1ae809f49b9d50a5e6c5c8881fdebe5767bad44ccfaec8df75872f54099a8502fc29f22e3d576bdbbbbada68a3553e2927e37d331ba4700106d943ce
-
Filesize
114B
MD506a0ef7eb18c37c07ca9a34d4160efd1
SHA1031db20daee53c9acce262a82cec2a17bb10675a
SHA2564fdd7305291df86be389770b0a97f524e7a79f17fe0b671415dedb0885fa8457
SHA5123dbf849e85b2da4134d0b98b9a3f01ac8d20434f5f7cca140ef48aa7b289c985d22c0efc158ba6e6da10805b3052660a0a07cfa4d48faa5a49d5894ff7f7692c
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD58822bdedb818b661c8219569da769992
SHA1cbd4645786f606b921c823b9c1723579f5ac4b2d
SHA256e6e149128fab0cf0f7e27b09001e0e0e675214036e8d4e8b70ae9dabc14be62a
SHA5121922a189f341d7edc9a8b1940a5bc022a79d728075029ffcfdfa7c3af0728feb18025eb951ba29a7f432fff8bc17e49afef03d99700db216497bacafd4939930
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C3BA8A24-F369-4AC2-BFB4-594285910D2E}.FSD
Filesize128KB
MD53c018b9f8bdc836bf038bc651a36a565
SHA11aa85ece8aed5bc4257530757d615b2a3c4c1c62
SHA256a217c417491d1fc091bd88de11a34d8f234f209bde29324ed994b07d224aa35a
SHA512ba1c725c59798667edc4a6ef6bc6981219af0e29ad43bbfff2affd600c9f2a43f7b8a662855c58ac1f330aed39c7da3c6fa22a38d8c5391964c0e56f5a9a9de3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD581fc781f4ea5a6bf6ba4357691e78671
SHA1fa9049e8f4cb31220446e5e0b439fb74a9946352
SHA2565776f0a9e68c038f2243dac8b6a779ee7eed8a1660207527e629241f44790013
SHA5128243aa9f25b33264180875744a7a45bfcc11aeeab66177c559b9e0beb2a98c63bad50367f7b1cc319a10af9885e013dad2b65e80225d7703dc372cd5a3612cf6
-
Filesize
143KB
MD5537b53dd99d261f6b6c8ed93448d583b
SHA10f3c056593f7359da96f759fc0a27fc5c0474241
SHA256427427b4a498c5d4246d454bfb11ecc3d532e0601b83187b1b23d3a84264e89b
SHA5129c516409b087d0c3010b423c5521dd0a47011c71c9d2879e870f95056559a11d54229eb6b8799cd65251edc3720ff246670727d8a48b883b4ac264c1f491f5a2
-
Filesize
128KB
MD56cae94b5c1ac2709a4ab72f9a0a4e2d5
SHA153eff141d2af533be527778c69b81f86986e4b3f
SHA256936a82dbb443032a193d0815756bc6c182e9b2215bb0e95b27ec1ca2717bcf6f
SHA512e0540a16b66d15eb1edf4eba23d920dee3022e3c8e84f9a530d803a0aaf7aec1e4a28c72d6c13b745436aa3f494578c9426d42756f937b4667ef79b32a872ef8
-
Filesize
19KB
MD5ee448b2f4ad5e739a46dbf159ff1edb0
SHA1504534902c94e2000f37f475043e78777dbca60e
SHA2569873e241cabe447017727d3661a016d4a3238d6448e9d00d4e21600e38def786
SHA51239cccd918863c0c469b3666637886e1cdd949667e3bd9310ecd6a46a834fc541d85ffba617bde4971ef8062c73def4cb824e9f93993159775dc406f96d99b397
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84