Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14/08/2024, 18:59
Behavioral task
behavioral1
Sample
974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc
-
Size
205KB
-
MD5
974a5ad1bafb5b79f82344ed58b4a4e3
-
SHA1
eb5a049eed82dae88d367b815667502d72b0e34b
-
SHA256
ed76647779036186cfe280b8a241fedd1fffd5950d21cf9cfaedfe9fbca0fcab
-
SHA512
5b2149e16b4c89f13549e1ba0390ebf1a7f85a2f90fe2dd1c3ca935a3534be8dd349238dbf08f82d9dbd49d051b6f2d3d4a795e1d4cfbf3800f8fb6a7ad2839c
-
SSDEEP
1536:StPrT8wrLT0NeXxz1DwezHrTP5yX5J8b0KYcwzKIMkZQoJ5LqWIS8W/E:S2w3keXxz1DfH4cQz15J5LWS8L
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?QA7x_6w499138.974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc EXCEL.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27E3529B-071B-4B94-891F-3DC0FF93FA6B}\2.0\FLAGS\ = "6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{27E3529B-071B-4B94-891F-3DC0FF93FA6B}\2.0\0\win32 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27E3529B-071B-4B94-891F-3DC0FF93FA6B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 620 WINWORD.EXE 2268 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 2440 EXCEL.EXE Token: SeShutdownPrivilege 2288 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 620 WINWORD.EXE 620 WINWORD.EXE 2440 EXCEL.EXE 2440 EXCEL.EXE 2440 EXCEL.EXE 2268 WINWORD.EXE 2268 WINWORD.EXE 2288 EXCEL.EXE 2288 EXCEL.EXE 2288 EXCEL.EXE 944 EXCEL.EXE 944 EXCEL.EXE 944 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 620 wrote to memory of 2060 620 WINWORD.EXE 31 PID 620 wrote to memory of 2060 620 WINWORD.EXE 31 PID 620 wrote to memory of 2060 620 WINWORD.EXE 31 PID 620 wrote to memory of 2060 620 WINWORD.EXE 31
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\974a5ad1bafb5b79f82344ed58b4a4e3_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2060
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2440
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2268
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2288
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD572f1b839058eeb817e86bc1f33926316
SHA12630472669851829769bf035da2e72bf55834a27
SHA256e56f7fe36f6d06302a6b4770188562db07450b500fb0f01b04ae3ba535c6e950
SHA512deece92123c52b37c7888da9e396a5c657b0dcc3e2f17f82b627e7f54994e61e4b6b9289d1dd729fd0bd78b5a7e375060ad41f25d93d753aed439fde88d2a4c9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EBBD5463-E7D1-4442-95BB-F4B00D645DBC}.FSD
Filesize128KB
MD53fbf9680edf86a4cf49c0c4865ab5bd2
SHA138f1516d9179eb27f252f644cf0bb3866496a60f
SHA2562832f77e4565ea5c62abc8b8fd75345fdecee513d595978db46eac0218b44997
SHA5125ce5d9ac1d98f56eda242378fd8511a2330f6d4f64f985a6236095ee8d078a470a931e8eb278c9a06d92bb5e750b1e074ae9e0d7f16b577199aa5be320640bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EBBD5463-E7D1-4442-95BB-F4B00D645DBC}.FSD
Filesize128KB
MD5cf5abed52eec076a1f9e41606b9cfd72
SHA1a906fc39b5dc93bd9fd24c9ffde37c9298cbdba0
SHA256120eca5ed656b64c187222bc876e35f44090c6dfcc56271b31cf8a131bee628d
SHA51215022bf7a6f9d05de9f823933779283fa18dea420d10d350eb5e4f4c0a133dba9fa63c01fa3ca3589a9892aa56edd78f5d254ee3c32856f4cf5d622a12775386
-
Filesize
114B
MD556e087f7530effd43208a25f5fc55457
SHA1ffe520f400194da644560273afa8baaf9f82c9ee
SHA256b4c8e7f362c31cb33f407388505fe0d2f8e676a2fa2dea118e56d6b073eddc78
SHA51265e349e95443b3f010584a12aa5c8f7fbeb83d1344e2e57dc8a15c3d6acce43633d564f13292217659ac107b6b6ded0e539ef844a9bfcff48a0bfffbb18c803e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5963d9a0c6ed253328c24d527c5431974
SHA122458ee61cf2ff4d29ec23f32f10352bf564de38
SHA25671b8cb086f3d730491489167a11bf09ed48293544a8252a8684580b00e7b9394
SHA512a1eee1f931c36909638ea436c5af0232242f8ed4caee5a09dcca5ad29f10107daf8e043b46f2138d3e1a688c71fb932b3db772158755ee5424bc0d65355e2dbc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5cf2a5a0ea9484ed76f90cb0a05cad977
SHA11440eafb2433d58ae03e6c5a0edf5cd6a7ad7644
SHA25600aef7ef9c100ba13e754f435cf918f938d3b7617705b06175deef0417cb4388
SHA512d593c86d87b83a3bd9e7cad2b9c2b05f16c607be5e1c188dbab46bf1f8441f2249ef710c99f21e7529429f024716ae3af7c0b4a40230e1c8c9f614ded9d4609b
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{93DF98B1-ACDD-49A8-82C4-21173676A784}.FSD
Filesize128KB
MD5699756aaf0af3f43ee837f30caea8ba5
SHA1ae1489c9f2b241b4bebe2373fe947425eacb9448
SHA25618f6f355e2ecc6f5614233bb61b3e1c7bb2ea74d7091cd98e6262f43b0134b1c
SHA512ccd1fc749b66024dfbd3b6795415a21181b69a6c63dd958a8ed5fea2c29510fb944022611a1cdb41cb2fc031f5a44d27c7762177748c686853f37e91944fd68c
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{93DF98B1-ACDD-49A8-82C4-21173676A784}.FSD
Filesize128KB
MD51fb0c6de9a5c263cf6ebbcc5f6df7357
SHA171e7c8c7cb86b3cb1c13c5815d73c35290481417
SHA25652f5f117c94788f6de9f15f8320a8c26bf8609f49133b2f55c04c6d200452f66
SHA5127fe442a851abbb90dbf3ce395ce6d3e3ec8b977ba46e4b5b8e4893b68265f1efc632348fa0a3cf7352dd87cc8d94ce8771faab623f32b1e810675fa4bf63ada4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD583affe25e5fcb1c8bba14d593717576a
SHA145fc54e0a7670b2ec91bca12457c1cde8622a538
SHA25651ed2609e8b5c4d32615201f50f0460e603e9bc97625a807077c00165cc93fd9
SHA5123b28fd42e185dda70f5a011f0552512b2b585862dc299bcdb5adae3fd8d5bfbe7fefb3ed7bbd7cac77b76356d6ac6f02dfa433447f0a6fb295873fc19328070c
-
Filesize
143KB
MD523b9b5ef23676e73a1bdedeb3d73187d
SHA1c9c32bffc48cb1c46618fdcaf51e6a01bb89e9a1
SHA25617a8f19d0d4b7a001a9d9f57bef8550036852b831df7719e183f6c0a1a2940cd
SHA512bbbd260629310e4793b57839ef8bbe10c3e2839164c176567059b751f7fb9779035638dedf465ce250a4885c4d92512e95343a1b096ca45ad54cf3ea860219a4
-
Filesize
128KB
MD5dbbe06f386e470618fb3e681f127bf86
SHA117e2899b2f66fc596de2223a17a625d4aeda738a
SHA2569c6de96bdb66d8a90ee34493107c96bf05fb16dadbeb2f467a8675eb3106b11f
SHA512cbd6ff935d4f520d097a514f51ff307c0f96d72d58ce73ff445a7a845ace9f65def7256b85d6c951d6ab1dd3021e2ee1f1f2131efe89782cd476d33117870b37
-
Filesize
19KB
MD582cb30a3cd955d19052049999587bb66
SHA1b1987532d86292468618f9ff7807ccd3af243ea0
SHA256783e45e0a765740a9477eae6893ea1d6524651c3e41eacee0e399db85d76912d
SHA51269f01cf8e9ceb6a465b996b722c7485c39ea0afeef6292bf9654ffff20f6fad4bf4d4ca84ab63f49b9cf237c97d91e97fbd0f76fa8fcd63f786af7018009c379