Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
15/08/2024, 23:10
Behavioral task
behavioral1
Sample
9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc
Resource
win10v2004-20240802-en
General
-
Target
9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc
-
Size
234KB
-
MD5
9bfedc7eaf8c3fab6b036b434c3571a6
-
SHA1
106f7f5925ec5be17d59030967905fe9f78722ac
-
SHA256
7af2939fc061dcfdfcc640f224a4f1f73efa5b49113f0900324def05c0ec84d3
-
SHA512
630eca49e7a87149e472e52a00e253801279fb804349aaad847f0eda4756d821b5711720f355790f2fb9636b9b668b5ee10e3165010c39d4fea412cb6538f7d1
-
SSDEEP
1536:CterThwxEM5OsmqrmrAK9hbUrHrTP9yQK/dRYz10RzwadtVXMz:CUwxv5OsmqrmrAKH4adSzKkMLMz
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Common\Offline\Files\https://intellimagi.com/lli.php?r4agCQIhJeI1QhOQHFtcykQLNH6MRrQB:uR376493 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{D52A72E7-B9A2-4FB9-928F-DDE8BD83BDFB}\2.0\HELPDIR WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{D52A72E7-B9A2-4FB9-928F-DDE8BD83BDFB}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2308 WINWORD.EXE 1048 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 936 EXCEL.EXE Token: SeShutdownPrivilege 772 EXCEL.EXE Token: SeShutdownPrivilege 1708 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 2308 WINWORD.EXE 2308 WINWORD.EXE 936 EXCEL.EXE 936 EXCEL.EXE 936 EXCEL.EXE 1048 WINWORD.EXE 1048 WINWORD.EXE 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE 1708 EXCEL.EXE 1708 EXCEL.EXE 1708 EXCEL.EXE 892 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2692 2308 WINWORD.EXE 32 PID 2308 wrote to memory of 2692 2308 WINWORD.EXE 32 PID 2308 wrote to memory of 2692 2308 WINWORD.EXE 32 PID 2308 wrote to memory of 2692 2308 WINWORD.EXE 32
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bfedc7eaf8c3fab6b036b434c3571a6_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2692
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1048
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1708
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:892
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5979da8e51b79a1d7b3a5f422cb9a08e3
SHA1078b63ce6b7a279129e3665bea0feff3205f9aab
SHA256422a5541c6ed465b9084ea1f8c3b4a61f2f9e1723d0bb401a3a37d4af2192b9f
SHA512ed68e06533c66a5b73c9eaee3dee6a4ccaab4df9f3e432f3f7bbd3e6025e71fc3385a0c7118179f55931e63a57d6d079c7c5d91d9bfb9218e912e26d4deb1f85
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{974C491D-3C34-4ADA-88C9-DD560DF621AC}.FSD
Filesize128KB
MD546c84d332708de5898f1118027ed9022
SHA1a8c0a371260482c9049996cf44a90706699d9b72
SHA256d37fcc39381c27dfa43bb2d9788e1e9ff7923996f174b55ad8bfa44d1d38e8e2
SHA5120c006212ca20e60d8de90cb92b0ff817d088d271722a51d3ca994bae31e67e82c76aa7d743a33e7489e862ee3254f019d8b2d6bcf821e6baa80465e4527290d4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{974C491D-3C34-4ADA-88C9-DD560DF621AC}.FSD
Filesize128KB
MD5acb2dc9d1d60d4be52b34a01105e33d4
SHA12977a8e254de0fe91731c3c5555ae1dc51b6a0b0
SHA256cab03330db0ce720331bbe997efb37ca5d3bb5183748f3977f9693fdb1245508
SHA512e750891a8b70af849f157713df7b887175b582633b05d1e45907e410e24f3d9407dbd55436ba5dcab018f54504d4c7914cb1c5c70a32667d4a7b2563118a22cb
-
Filesize
114B
MD509f7dfa9087bfb4b4ecbc8b2bab40f14
SHA174e95353545c43304af23e36d5f74c25bc7d3eb8
SHA25639cc0e9bac70124e22a1bc5fb093baf9f7c0542d379c577c3f911a0ea0ed5dda
SHA5122eb717dbefee23c2e858f5cb9511df31d2b09c5d3a5eb5cdfbac4cb550912e212a06f11f131327ec65aa62da96d36ac5eef8b5734fbceed642a1b8797c7dba2c
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD58ad597caee326e32ef7f66586f74b05c
SHA1413308abc84d8126a29f3c3e15b2d37ac9df4137
SHA2563afebf6e75b0f119b62a9e48a8eb02b2bff8a79c227def46bc45d6702e60a5d5
SHA5125ea0c45b9fd21732bb949fd2f945d472f65d0f5f12151cd61e00f478f6444e9255bc2606c9b502aba40306a5d6fbff2a5be049953178cc6e175c79a104715830
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD50c7bafa3d83761b5c2ba870cfb0d4b00
SHA179496b6c2591ce83ea62167232b45e7817b20a1a
SHA2563c3a28ede599c11e1b7d697d8a6ebcb32232f88d08698b8a0065577725eabd42
SHA51245fdc6e937077a4b1d8685fd4260dc705ce402c2a5c0972c7a0cce2d2b5e002726f28b685258e3f37f4a0f5c2e7999cb762e201da0d546ccb9378b9bbfeaa002
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C2706DC5-E199-4FCC-AB94-56588839A3C0}.FSD
Filesize128KB
MD55cb7d1ee95b713b55e804e56f067b0d1
SHA14632fe9c05d64fff635998ae1b7da26fb8bf1ba4
SHA256d6fbcfd817c92420bb1d5878a4f53e1f1425b22d337565b5039d0885cc96ddc6
SHA51224067b4989b439c563af5341e5b65be4394afc6dee0e2562e846268d58395cecce198a9b415668e8079d0a51a9098d6d79bb9d6351050c3b5e7b5cce1549c03e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C2706DC5-E199-4FCC-AB94-56588839A3C0}.FSD
Filesize128KB
MD5c588226cfff4e080029eacaed537deb8
SHA12686f5d06f8ecb34ba1f8e8589c0b06fb757ac24
SHA2563862734e0442b5eda9d47d4118b8dbb3fd8d84157c53ea6b9f16b98ba054316d
SHA512e54468646eb90f660724a9f08aa12ef3bdcc67b79099b932e3a0fd462fc441dcf6d3fe1cf1bd07cce9ac6ffb8e16a406f4669bd057e02640525243f1dcad05a1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD52463b70ae81dde2232078bbd32e4c620
SHA16ac326eb9ef865647e798ad890e8f094f6f0a531
SHA256bd66ff8f468e97e519ecbd6ecf78d61a6a9bf831099bef53363bce8e234c3ee8
SHA512710f73a2f8337590caa81b9489e802d8fe63a9d283e02542cf3de7d73a610a2bd907d67c2081d69024e73f69cc09d3e9893bd8e43b2334f6d542b344f6a0f5e8
-
Filesize
143KB
MD5ef52b10af51f5821457dee22b583ed36
SHA1be0223f91758f86fee3d093efa5f44eb6bce7458
SHA256b0ec45f16c8fa8887992418b72f2d162c82a82824ab2b323e1b6b05d6b17c8cb
SHA512ca8000b90f0f9564c3641ed71ab8c4e0ab854edbd701ecee99593b41331b54de2bd4827ca16d6cd2ac0e5e2140f73945ba0bb670cac7fafb8d32b6728516154e
-
Filesize
128KB
MD5524ebbc9e961ac36c6c3ea3c90c88cd9
SHA1b5198e00fac9384a4121e59e4694d35ad6889067
SHA25624961422305ecfefd26e5e430c27442ce7a525dc4bc7fd49dc6e4ec89dac2044
SHA512d5c91415b88f375f3bdef1dfb55d30f8954e4910f3a1e78ad96f102161f353590a4d7c6933493b0b60f7e27b959dd36d2ff0fdffef066f980e9d592ecbf54152
-
Filesize
19KB
MD516813db43aa061d5ab7e426a218e1a2c
SHA13aede5b75652f018c56588c12a7852ae4870fd75
SHA25685589d05630af3ebcb16724c8814c09c43b7e38ea3b71ae5006feede59e2f8c9
SHA51255c1d31f57a530c3663bcf30d767988b3f239a522d7ffe9f8b31637421e1eca0c8eed448ebdb2e434b0912b3908049df5300b54a531527efc91848d762a685f8
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84