9ae7d3838afcb4c79b2886cc51dd7600174234603c9008a096c11babd2ed62af

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc
Size

234KB
MD5

6707a339e2ba210cce35fef5cc69dbd4
SHA1

a8d99e07e32806db0da3f1a9cd68ffca0bfcd230
SHA256

9ae7d3838afcb4c79b2886cc51dd7600174234603c9008a096c11babd2ed62af
SHA512

43c80c93e6edc25ee3fb197b0c2ec2b0249643116e79ab175fb9c8d662782473e89678d05f67e956fe6227bc5c1b70506ef8d57a4ef7484c68445bdc65dcd98c
SSDEEP

1536:3terThwxEM5OsmqrmrAK9hbMxHrTPTyqK/dRYP697qInyYnRvHMu3kriuZb/RlL+:3Uwxv5OsmqrmrAKHaSdSP6YClMck3p6r

Score

7^/10

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?MwzNgcYc6H3L7XnNeYcZkeQ9MB4q1vxT:Qn399335	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?MwzNgcYc6H3L7XnNeYcZkeQ9MB4q1vxT:Qn399335	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?MwzNgcYc6H3L7XnNeYcZkeQ9MB4q1vxT:Qn399335	EXCEL.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F969EB39-8BFC-4B58-88FE-FBE940E41FA3}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2232	WINWORD.EXE
1412	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	924	EXCEL.EXE
Token: SeShutdownPrivilege	1020	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2232	WINWORD.EXE
2232	WINWORD.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1020	EXCEL.EXE
1020	EXCEL.EXE
1020	EXCEL.EXE
928	EXCEL.EXE
928	EXCEL.EXE
928	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2784	2232	WINWORD.EXE	31
PID 2232 wrote to memory of 2784	2232	WINWORD.EXE	31
PID 2232 wrote to memory of 2784	2232	WINWORD.EXE	31
PID 2232 wrote to memory of 2784	2232	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6707a339e2ba210cce35fef5cc69dbd4_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2784

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:924

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
fd7d4849a02cd2b593238cd143079ba6

SHA1
b135216d26ca1cc30fced1a153b348dc0f7dae80

SHA256
37e6974ff81e4fe1fcd7ef6f2323c1d5b9427e635caddeb97deff80d3ba193bb

SHA512
1299c15daf157ef868cf7194b6f5b983a1ee2001d814c9e53a3530502572a66977b59049004ec650f2abd7480352b5348ee209818bc8c34c67b0969aba360e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3A4E0D09-67A9-4F7B-AD24-A068F3AE81D3}.FSD

Filesize
128KB

MD5
7e403d5d6d505006684101559dd8ac4e

SHA1
240710fc137e4f734843448f81351aaf8996105f

SHA256
911e3f680ee00ec731218dc9e300da7f0d4e089e755ad4eabea425e929a22678

SHA512
2976b658749e0ae2cddd851da5d8250ba82ef3236e52e5df06aacb7993fddfa8d58c4e8c378e68d91d6a161748fa13cd4f5364d0264877ff6b5c56321fee6a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3A4E0D09-67A9-4F7B-AD24-A068F3AE81D3}.FSD

Filesize
128KB

MD5
4c834bd5c9416b82e447a896f0e8d36e

SHA1
7000c9ce0b7710abb279a2e4e17f36e57d3f5127

SHA256
873ee7c6d09a11de6f05d5e288717d47d7f95c3c9a71ed2d56bd47304fbd6f17

SHA512
733915be9134282ce9a0a485f3b9913576e62d555c9c37e01ee701c89cb5ccf2fe095a7bf8e33c2ca4a7810e0322197cf99fb417aa06f243fac2ddd416432387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
5ac92d5949977be020c873c92c2ecf7a

SHA1
15307d96f3a10688c80925c6bbc3ce7947efff15

SHA256
636bb35936d360d8fc9637f2e7627e1c8c68d04680cbd8e58779747d7301adc1

SHA512
81819eb3078c6fd8328e72f3a1bc310d6430424dab594d695da0ba67ed538c0cbb5ae6c5a7fb3218f0aaa83d802ed96866c79a0046e2012c4681a4a7c529f862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2d8470e2aef069b40967a3e6d8f98482

SHA1
42a9521bf5de7a4178c4cd02ef79165982ee7f25

SHA256
55941c93c9d2aa0c3151be4def8b3fd03c34e305cf390d1d37e773ec47fab426

SHA512
1848e565ab3f0053319616ff62fbb5deeba4a7ddb575827aacf71aebbaf361a39090b9a6633543ac05840cae3118ea733a58cda5c5418bd8868681a051835da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{897B39AB-E705-41A9-86D3-C7705D3DFD6B}.FSD

Filesize
128KB

MD5
f90fab8ac95448597d3080526a786366

SHA1
7c6c6420b43544cab012e02b95d5c02aaefe5c9f

SHA256
61cc00ed3d667cf4a89f87f41e97a6d438023ccdb43fb3094f526e5777a69fa2

SHA512
e762b3bcbb6fc79ddc9fc5f968b92e6c2266be4e1f0e6ed8de415ef88f5b8a3e080633ad27b9e8111cbf1ef28f7a3c054289bfdecf5b0dec3e20d4e942c42789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{897B39AB-E705-41A9-86D3-C7705D3DFD6B}.FSD

Filesize
128KB

MD5
7dcf402e6f19beda8af0612fe19601cd

SHA1
f74c24834bbd58bbe385de2c39416ab36c8a629c

SHA256
ad8bfae3c85257a1b3f9e79e6f32e835ce1dad05dbb4acdd8d7b856e49d4e6cb

SHA512
b192c434b3b5726a07237387d18add2a0cbc8296f042116540ca21ef44a754ca80dd1dcf7005a5653a3a5351bce5e5a92d178f711ff19f95958a2414ff8ce486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
aaf5c3773ec52feb8e371a03a7e576b0

SHA1
6d73faa02f09251e39621b6d7ecbeef4e5cbaadc

SHA256
67fa58420a0284c37e40b4ad50207552a3c5fbd1e04ef43b4785c5d99f74c652

SHA512
49d474d5096ddc4b05b1561f0ce6f875cf8cd3949d795b595bb312fb6bf06ec72d769f85f91979f75d196eb0b223b84066efed7c7f7b5868a2d4f6b4d0a62d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
3d5308ae15741f80fa2fce8a274ad7f0

SHA1
de00cf5cfa5725fb8e182840ab23701b127612ea

SHA256
3e201cb0ae5bd1f25773b33e9e7794e44827eef2f10930a3810fb9371a82f9c6

SHA512
aeb93b7b006dd8297a8c5f1ca09944a62b88a16a2a72f8be3a053322881e59de0c3f38b3a0bd4f2d77e869126040d5052eaba3fac6bddabe0f053dbb20359dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10E0B068-9849-4DB5-825D-09BA3144DCCB}

Filesize
128KB

MD5
9af0c3167a9befd6de6fd9f407a4137d

SHA1
9afdd0b4c815d9703c2cb8b5cfcb0813afc650d8

SHA256
7b69e6866a1ed6212c25a06cc7fde42b8476f470a3728358ad6518e1bf280ef2

SHA512
c9d97f672d213282a76a4d1d7e9f738373fdfdd0e678e16730656fce6b488d743674ae555b029a8a05bc8fa8ee22798ce224307ae309800ff73563319b2c54a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ea4970616fbf7cdc45d6b122f4bfc8d6

SHA1
52141380e07b627db7866445ec87499fca618fdb

SHA256
b4ebc66d27245ada4e335c90d081e381c26719f10175ca5a43041a1fe1d78319

SHA512
fa9afca691103d102b871e751e82e2db3aa990a5aa173ec2c6ad1709171aed62714e875b84ed07dbeff8578da7f9f74f41ec6f43adae9b56b9da523895a65f02

Download Submit
memory/2232-34-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-28-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-55-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-54-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-53-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-52-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-51-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-49-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-48-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-47-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-46-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-45-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-44-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-43-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-42-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-41-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-40-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-39-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-37-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-36-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-35-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-57-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-33-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-32-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-31-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-30-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-29-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-56-0x000000000F120000-0x000000000F220000-memory.dmp

Filesize
1024KB

Download
memory/2232-27-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-26-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-24-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-23-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-21-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-20-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-18-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-17-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-15-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-12-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-71-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-11-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-9-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-8-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-50-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-38-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-25-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-14-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-16-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-5-0x000000007162D000-0x0000000071638000-memory.dmp

Filesize
44KB

Download
memory/2232-2-0x000000007162D000-0x0000000071638000-memory.dmp

Filesize
44KB

Download
memory/2232-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2232-0-0x000000002F4D1000-0x000000002F4D2000-memory.dmp

Filesize
4KB

Download
memory/2232-22-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-19-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-13-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-10-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2232-7-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download