Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
23-07-2024 15:24
Behavioral task
behavioral1
Sample
68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc
Resource
win10v2004-20240709-en
General
-
Target
68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc
-
Size
204KB
-
MD5
68200a45478b22badfd8d4b28e391c46
-
SHA1
6561cf457dc56355a8680957778cb52f3a8afd18
-
SHA256
ab8f3de244826eb9113aa788511bed8d9a2675a6e672f58c8bac8160d76fdc6d
-
SHA512
a61924cf7f7a92617f2e9b3eefb67ec36df6125393272a88c63cb95812d000192947d5505fe60b9aa7b3508d13f28da53bb3da51bd5e4ac79393536466c4cc4a
-
SSDEEP
1536:MtPrT8wrLT0NeXxz1DweTHrTPxyP5J8b5z2Lk3tl2lvli8+7XG6QKt42+w:M2w3keXxz1Dfnc+M0OvlibX3QJ2+w
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?j7vp_7d249697.68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?j7vp_7d249697.68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?j7vp_7d249697.68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc EXCEL.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\TypeLib\{441064D7-86D5-47B4-A811-A44414D53CC6}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\TypeLib\{441064D7-86D5-47B4-A811-A44414D53CC6}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{441064D7-86D5-47B4-A811-A44414D53CC6}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\TypeLib WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\TypeLib\{441064D7-86D5-47B4-A811-A44414D53CC6}\2.0 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1824 WINWORD.EXE 1620 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 480 EXCEL.EXE Token: SeShutdownPrivilege 1812 EXCEL.EXE Token: SeShutdownPrivilege 2364 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 1824 WINWORD.EXE 1824 WINWORD.EXE 480 EXCEL.EXE 480 EXCEL.EXE 480 EXCEL.EXE 1620 WINWORD.EXE 1620 WINWORD.EXE 1812 EXCEL.EXE 1812 EXCEL.EXE 1812 EXCEL.EXE 2364 EXCEL.EXE 2364 EXCEL.EXE 2364 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1824 wrote to memory of 2860 1824 WINWORD.EXE 31 PID 1824 wrote to memory of 2860 1824 WINWORD.EXE 31 PID 1824 wrote to memory of 2860 1824 WINWORD.EXE 31 PID 1824 wrote to memory of 2860 1824 WINWORD.EXE 31
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\68200a45478b22badfd8d4b28e391c46_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2860
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:480
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1620
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1812
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5d3f885abc72f860c32fb9bebd3c70672
SHA1b5817997ec7760d9ec8280eaaf994353b7989ee9
SHA25611e9079b19adc92d727dc16176040ae7ebf4514ef34f78f9bd2eb2484f0dfdf0
SHA5124fae61e8be4b11ef4218524528ba0b87e0d3d9a4b2d5078a63353eff32ba7ecd3783b17b3d8c3f6fa3573494b2f74fad772dae7cf46efb106504b8a85eeea23a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{19AB6FF0-D8D3-462E-BE84-860F4AE7657C}.FSD
Filesize128KB
MD54482d186ba2b2644c4b0ce189a7decae
SHA16489928e9d7b3f4ac044618f3ce71ce348b2985a
SHA256bb38668b66df2f4ad4a292b119fe8e3a92ea75e5579f1ffe2b14394d421141cf
SHA512d9070f1be9d1271a92247e59dd2ded0b0598a9ede38df08f20fc0276b41b78858f3afafb21f9d696796c004245250995f1bf11b36f898042fe2c411e9aaaa009
-
Filesize
114B
MD51a9dcecbc3026193dead147a55a7bfcb
SHA1c8112d8fd3f3c9e37ed17c4f7ef3c9b261137023
SHA25613d466b3bab67a808b97bae86123c28bc4d222d7b12c720eea2afff31b8e825f
SHA512ab0b34dc102113d38bd76eb1bbc9b56e79b1e6c1b10932bc95f06adc7623899f27b7df1f50ec82803023fdead1fee82e9f927b64508535edbdf240d0726ed4ff
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD54d1276aa5ebdaf6f02842db6e6479be8
SHA1e77c9bfbd53c56266cdd5d038d159c4feb748bb2
SHA256c6fa7e93680f898a87d6bdd03f390cd17416279efd01cbf012a4654761dc40db
SHA5124e80d99dd5a92dd8a853e6785c63175b77553639d6d2c8c7b65af5b14b6460e9f281fb5aa274b9e2bfe9693585e95bf62f52bb862b30277ae28913ef00f45a05
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD57ca98572a6f2f04116ec7b11bd93ba26
SHA1405d78c6201972fa223cda062737913a7ee9e603
SHA2566569d1a5469897ce66ae1fd80155a5fd96bafbc08cac0986b1bead3ecb6549cf
SHA5127ca3c191a055fd29f08053009c799a9f5d7bd1d9c10a64ba32d0adbcfb4e2167ea80cffdf20b8e2e5de0ad289d16fc4a68725a265d53985ee81177a9cfca55f6
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{076881CC-F3DB-464F-9D16-38B705C85CC3}.FSD
Filesize128KB
MD5cc204557d4ee1b615983cb6e576ae8f0
SHA12707ba4b609368a767aa80b2626b1176a2ef2488
SHA2566aeb2ce36fcb9eb88b4cd28a2327f5a807660a2725afa2357c1c3d5a595eceac
SHA5122eb5166cb73293ccf75b86ef331598c58cca9129090d2ce02246124160270b14b1e4f900ea5728ae3153e86bb418fa165e2e3a57c853e25f5f7d3aa777d8d38a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{076881CC-F3DB-464F-9D16-38B705C85CC3}.FSD
Filesize128KB
MD5c5d71b1909eab046a65743543e08fbd0
SHA1065287a7a4937192e2a00ff3b41fc5e0086841b9
SHA256657a66f9989d64f8f96c789537643304c8ce908361c57d5104ef31413d860e83
SHA5123c936ed7b03233e1642df9fa685d06516a2777afa5d2963f691816e28f203909068b665db7f2d30f7cd85e054f33e4ef99364944fc7f3b177c1398e3064df363
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD5166618abf00ed7412f0c18838e8d332a
SHA1c6fc4668f2c0fb5beb6792a113cda51cd27d8245
SHA256f88b6014f8fdbc3253ae86c0294ce3e7daac5fe16877f73d966a8f805dd6559b
SHA512a8795a912e4fe6e089b95580215f300bc86571c9c795687469826016ba8c910506bffa9f8dca2bbd3fbba5fa16e12f289d68a970944293820303b32c2c29ae3e
-
Filesize
143KB
MD57b4662090c5eb7b77dac9dc8fae10f37
SHA13dcdc7f32adb5cb7307e171efc0d20afeb8b67d8
SHA256fac88b46d55876332235faf70ca36c225d93898a54535c3cedf8bbd16273ae1f
SHA512f1e2b63b58bc9ecc483facf845d9af7c05d7a448ad75e858a8548ea87439371446bf45025fef5c59a9567a616ac91fe4bbea0d507cb395312f14cc43c4e61cb1
-
Filesize
128KB
MD572d0d6767bfcfd5fbe5e9d82b365a4d6
SHA1d58bc76608fbc5ff1174ee3edc4bba15c0a2350d
SHA2560138bdb856dc808ccd36512c02d9b9a132b91dd1d1a752522ddaebaef7d3d923
SHA512b8ad01112083be6f11b9014af477f7f148310c438de3d2ad5d42f8f1f6e6dcd7fd5fbe66ddd3736540e0fd7c925e094338b097bb7483e4b580a2758a02b731de
-
Filesize
250B
MD521b61b29c5e38fde8e95acc5f8fae150
SHA1ec8b5f938c2691c21972f95dff25fbb44e15515f
SHA256f7fbda689e859586b2335f1d67075075a62576850d12069325cb0bc46a90e86c
SHA51223c0ebb8b3d4b303d45796a2a68ea9edc20118b79263e81d47b5e872bca8a42fe52a7c1f9c00cd202b701fc6a8245786dacdbe35c56e82eaa07b518afa2f6dff
-
Filesize
19KB
MD58ff4cb33a66ec643fd49d7e56b658cbb
SHA14b893757c1357d906ad3003491f64f220718bf5b
SHA2563289a86236b18343716828f22c1cea59425978207927e92b2b790cc34f993e6e
SHA512bb8333dd97c2895dc1f0d79b6b676191145cc027832b5f66686e31c7af5b889fe2c171c0252c499045c7df306f5c15ac60d22b12ede5e6fad5ab34e876e30462