3c87127f6ac12f31aa8fe405087144d48495f1c2f7f2d7380b29870bc3e1dce8

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc
Size

205KB
MD5

842031979d838c7c4c9f58028723f6bd
SHA1

feeedec9dd0b47cc5b5145448cbdd8e24eed9fb0
SHA256

3c87127f6ac12f31aa8fe405087144d48495f1c2f7f2d7380b29870bc3e1dce8
SHA512

14aacf4e44f8e8f060a7698de079aeacdd93c31631a5ce1e2a6b334e730abe0c4a20fb8f11bc1dddd14dbf01e22e9b8bfe579ca642f62537d2441fdd3e836472
SSDEEP

1536:KterT8wKLcCmXwGe1G0ppHrTPJyn5J8bRs5F+QlOwQf1Yc7uWDMOhY:KRwycXwGe1GMpIxCQlkfH7JQ

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?0V7n_BH551608.842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?0V7n_BH551608.842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?0V7n_BH551608.842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{C1AA79BC-5494-4C42-80A0-7CFE37EE2C6E}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{C1AA79BC-5494-4C42-80A0-7CFE37EE2C6E}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1AA79BC-5494-4C42-80A0-7CFE37EE2C6E}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{C1AA79BC-5494-4C42-80A0-7CFE37EE2C6E}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{C1AA79BC-5494-4C42-80A0-7CFE37EE2C6E}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\TypeLib\{C1AA79BC-5494-4C42-80A0-7CFE37EE2C6E}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2704	WINWORD.EXE
3052	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2680	EXCEL.EXE
Token: SeShutdownPrivilege	692	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2704	WINWORD.EXE
2704	WINWORD.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
2680	EXCEL.EXE
3052	WINWORD.EXE
3052	WINWORD.EXE
692	EXCEL.EXE
692	EXCEL.EXE
692	EXCEL.EXE
2152	EXCEL.EXE
2152	EXCEL.EXE
2152	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 1984	2704	WINWORD.EXE	31
PID 2704 wrote to memory of 1984	2704	WINWORD.EXE	31
PID 2704 wrote to memory of 1984	2704	WINWORD.EXE	31
PID 2704 wrote to memory of 1984	2704	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1984

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:692

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
14fe4c800b1bf9c06dc8c11bb1efa4f6

SHA1
1eeb26c852fcbad0efb07ed3b053fefb1b71d5b9

SHA256
276c7fd3b3b9459f2bb3d9add34e4ca094f6407e5e78e90bf193231b00a02984

SHA512
f91eb07d37740234fa7d71fdfc2d2cea4dd525f7a70dfec5b425d7d2539c8723292255e052b05ad1a181bfcc08121e8c175a969c346bd29cc8e40c5ee05d6f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3929FF98-8135-4784-86B7-70C76BBD5E57}.FSD

Filesize
128KB

MD5
2fa4cdcbbe97d171bbd5e5658f3fdbaa

SHA1
d274b9588104edc4b9bbdfb786b2d9000f52323a

SHA256
da70155c71d17c2d1f04ff9a6c5927ab2fc1ac4c4c0e73c884387b5f78a6f7e8

SHA512
405f3e7c90f77ac61e89a0469e879490599ad92721f83a60ea99cbd82c94488d9578cf781a213fbb056e943967300349d0af27c05f3f0073f5d4c9f479caa7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3929FF98-8135-4784-86B7-70C76BBD5E57}.FSD

Filesize
128KB

MD5
8ebbf1041476990b01f1ce1ede84836a

SHA1
ccf7677a9877626a6e034f90fee6c45e45049c34

SHA256
d1180c83dfef06d55eb418cadff69e865260501391f54649446d48dc8b552f68

SHA512
05eb203eae8d4c181f71c9339b58ce928cdea168fb8123c69d7ff870c55d6a3fc3bf816c57b8218a46a97eef07dbcf42918baa46de97616fb8451efa4d393e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
163dc97b505abbc4af450c6c9f6dd792

SHA1
a8235a3b857cdcddf72c0343ae5f57f42b042649

SHA256
b50165ef66d4cb95a5dc0f65ae6ee37a296e50f5f3784ad1c4b620e928688469

SHA512
09231e0662da88f0085235c5cc95ccfde3b446d61bafedcb18bbf2f420ffa6e4464b8213c1f684eb2158b82f05d57298a6edbb0ca8159a3d86646498ae7b4112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
90ef1c07b98949c776ed65c37fbd5b02

SHA1
f34856aac439aaff212a454f321897358baac9a9

SHA256
daaaf87da5562bf6d0f1a09c546c13980a13300aa78d744afde91e181842c0f8

SHA512
0ff7cca4190f6b038764a1ba5cc59627abfe5bcd4137c93fde1a257968cff8d2670bc7d1f72f2cec0d4386b31cd4268ef6fa1922c715aee226d27874055d3621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b4e1e8a4c6b7742dadb1285b110f8e2c

SHA1
bc4b4e8a803f88637d1df5cc336e6f6929ee4ad5

SHA256
4e45e049d95debce5765d7a7484ebff98c167227267ec86169d5b3c858cc5d9c

SHA512
60e124ac9ef546076bf11471324370001a5371053ea72824b6102066f1f1917ce1c2f59d60e94ae30fba4461b23f7874a27c4cba79b6d9e2d4e5c47dfa91ad73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BB0CFF41-7ACE-4FAA-BBF1-77ABB6FA4FF6}.FSD

Filesize
128KB

MD5
2fa071f0888f737b0027169c9ee812bc

SHA1
dc0c5528dbe6f43ff2c3ca7628d0d67a60ed1336

SHA256
7114a89c18fe82870bca744f3fec251e61d5332fe70c4b35572b88d48beda1d5

SHA512
c582a12a1ed5280679182f263cdbdd3f6e077f358ebcb9697ca194cf9a00e19d8c1c520ed8cf86b1160cc78c2ef7d787c3a7188814dc104422d685b97b6a27ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BB0CFF41-7ACE-4FAA-BBF1-77ABB6FA4FF6}.FSD

Filesize
128KB

MD5
abd8cded71712d04c7c2af6e068eb399

SHA1
1b67c1bd98c18cad83bb7a99a46ceffbdb07a1d5

SHA256
991e4fca2ebb49981a8044f4efcd933573fb2082024d5c89330ce05f2ee366b1

SHA512
e390e6714572ba78b12938c4d07a4d3b0c407ceed0689fbe4290229a658b0462d48264ffd58450992f92e721bfd7dbbe77301d5bf460890178cd97e3e089710c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
b1e6f332813aed122751108c1fd3c8d7

SHA1
feacafba3b4789b94943af6939329c45bca26cbe

SHA256
5f6cc02c055959d713946816ee9686826d3b2d3e5e4d6cd555e89cdfb649cd5c

SHA512
49374ce9e32deaab1149cc5ba90b39c92fd652251f19bd962871bff774be32ca96eaeb27db154620f411fd3f38ae8c8a39fbc8b1adae3ed58c382f6d7a6bd709

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
5cd87f6e65076db3b6e8aedceaaf984d

SHA1
c0bfb52f5fde091117149399a7cf1040dbb84966

SHA256
c48fd0b45907db136567bf47b4fbf1b39fa6c65191dd749805bc9b58e87c3a5f

SHA512
1c56c547b49dd9930781332b59c328d376bb1b3b419c583f8e2c5471142dc717f5ed2d81ef539b14fded1544a58f9da40a4251cdfff9a17470a44da440a8db10

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8536A45A-98C5-48E4-82ED-24F464379B7C}

Filesize
128KB

MD5
0c97105ab7c9c4cb320f0670ad17aa41

SHA1
c5692a9446d300b0d3afb972da52de3ea0281933

SHA256
40e5b67250cf21718b90937a52e8ec744f1c216a65b90b3eee97f04b0b74ec03

SHA512
0d8dbe77833dee08f6467c71a22949a1500cd878a94eeaade4a82c10a5ed8739d8a610d5a3f0e470500ef04bb31ad3e5366178767e8724a346f2135c5d83d4c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a944c927210653204e3c982e52724fe0

SHA1
c2e7266189e49a010f59d22f2998df69bbade082

SHA256
4728ae3bf074c46baf303f8bf1108a6e44cd2ebaaa6c9ade20d8bbeaf7ad3d65

SHA512
a3d06c5ac6481281e1cad94a2fd02df7e68f578ba84b0dcba9d19b5a008edf885ffec8d604c16359e56075db56c6ecaee5a1d923dd81210a26c4ce27dd0aab81

Download Submit
memory/2704-104-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-71-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-100-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-98-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-97-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-95-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-93-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-92-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-91-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-90-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-89-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-88-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-99-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-101-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-96-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-94-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-102-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-103-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-0-0x000000002F571000-0x000000002F572000-memory.dmp

Filesize
4KB

Download
memory/2704-117-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-131-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-80-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-57-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-56-0x000000000D3D0000-0x000000000D4D0000-memory.dmp

Filesize
1024KB

Download
memory/2704-55-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2704-5-0x00000000709ED000-0x00000000709F8000-memory.dmp

Filesize
44KB

Download
memory/2704-2-0x00000000709ED000-0x00000000709F8000-memory.dmp

Filesize
44KB

Download
memory/2704-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download