5b9b8e1d76d1ff23d8c7002b7337a6021a859dd767c5d321a7c7e48bbb7e49ac

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc
Size

205KB
MD5

d7477feb312f9f76ea3c9273e4a01ca8
SHA1

3b0312e9bee594b784c65295c547e4a5218f7aa7
SHA256

5b9b8e1d76d1ff23d8c7002b7337a6021a859dd767c5d321a7c7e48bbb7e49ac
SHA512

ff73b0c5a8472dc522c5d50022df80abd2106e0ffb26e110ef6c3966c126d7841b0785f233609ae9b69b06a537648bd541d2a731330045d9c42f9d89316ed4dc
SSDEEP

1536:JtPrT8wrLT0NeXxz1DweCHrTPayY5J8bOf27VH3gkoUNFqsENgb:J2w3keXxz1Df6yr2JwkxkRNgb

Score

7^/10

discovery

Malware Config

Signatures

Abuses OpenXML format to download file from external location 4 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bHFN_48389601.d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bHFN_48389601.d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Common\Offline\Files\https://khalilmouna.com/docs/count.xls?bHFN_48389601.d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22E553AC-02C0-4A84-90AD-D94CCC14A127}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22E553AC-02C0-4A84-90AD-D94CCC14A127}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{22E553AC-02C0-4A84-90AD-D94CCC14A127}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{22E553AC-02C0-4A84-90AD-D94CCC14A127}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2824	WINWORD.EXE
2628	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	316	EXCEL.EXE
Token: SeShutdownPrivilege	1196	EXCEL.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2824	WINWORD.EXE
2824	WINWORD.EXE
316	EXCEL.EXE
316	EXCEL.EXE
316	EXCEL.EXE
2628	WINWORD.EXE
2628	WINWORD.EXE
1196	EXCEL.EXE
1196	EXCEL.EXE
1196	EXCEL.EXE
1956	EXCEL.EXE
1956	EXCEL.EXE
1956	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2572	2824	WINWORD.EXE	31
PID 2824 wrote to memory of 2572	2824	WINWORD.EXE	31
PID 2824 wrote to memory of 2572	2824	WINWORD.EXE	31
PID 2824 wrote to memory of 2572	2824	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:316

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
f2d13fa777687b0e0233176d64309fa0

SHA1
2de1409909a0834dd875307e2f1bfec2683208ca

SHA256
457976891e6be3b9b1ce858360d38ee08276455b0ee6196e1f7a264781851a7d

SHA512
3297a08a0843e1b4f97e4f3734d19c5703f3ec83971cae922948c9448621eb10d15b996a9cff1a8c182f54c7f8deec3a12d888ba176df89c7e07801e344dfcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7127C3F-B8EB-4EF1-BAFD-5C8088AD28A2}.FSD

Filesize
128KB

MD5
b92abb3f9e2268ecf749ddeaf1a03389

SHA1
ab524a1aba640ad2c7a5e58c116ffbb525bf7b71

SHA256
57a782f199140fbded9f8c287b14ace5076e1d29e1bae0f8ed96a1297886c2fc

SHA512
0d1d27e86c4f2fb63a5ea8faa48a52be073d4948bf603e9fe55d7ef975a88fbcf9e5b4a4d6e17ddc1389c98f9214c78938c89745426185d99209343a191aa91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7127C3F-B8EB-4EF1-BAFD-5C8088AD28A2}.FSD

Filesize
128KB

MD5
77f3495cef5448888c179fda0ca644bd

SHA1
a5fc4e901f9a3aadb63c7abef167de69eeb32145

SHA256
14a1f32f16f8e6f201214b9f0c2cb6787e6c45bad2ad98fd2f85015b425aa5ac

SHA512
b0abc64f5e85d782d7fee576662605a3c113284ce7f26d648989e33153fad640277f877097c20094a1f73ea56045be7f85956f41c54d83e8f8addbde9b8ccb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Filesize
114B

MD5
8549350396a839adb5e1db2f1b301c28

SHA1
9bc003e64588ad1bafc32fd708ac86d672c8edbc

SHA256
5d0877b084f722b72c734f53bff623523a7a0a4f222678e42d0ef0daf6eb0c0e

SHA512
4fb24fa1b6d4fa98b58daec9b851860c6e785625963d7436efc26147cc512300720111d0f6b728480f1079044025f13462a7064e8293f1183ec4a3863eb7503b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
401f317525626ea014cbbd9d9838116d

SHA1
375e573b4aedf7860fc12fc94bb92696b5a0d610

SHA256
9bdad4cf7473f235249a7b2bcaacbd4410079d49372c7e781a893f1c6112a73f

SHA512
af72891aa4611aa34a75ddd7c3ca24ec3336222ece857a63cb134b8ebee8bca4250ee492176d65c7c32be2ffa79786a377a2c642b8f4eebafd9fe392bb870018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{68C9040A-B9E9-4F8F-ABB8-9CEEC2A5D95F}.FSD

Filesize
128KB

MD5
61fccaf0c9527ddb5cbca80c2c62990d

SHA1
885cdf2398531be33a05a58cfd546f8f2cae059f

SHA256
75363b5b0e5c9bbd5ecbb25d28519d6d4eefa03f3ee0a38aeaf3225e4dcb0450

SHA512
f87f167f4d7a7499fca5d73aad7423ec0792090ba669af115cb46824dbe7322b917f69b9b207e25aa1da5162a31ff3e3b18b8070ebee72c360434aa1f7de907a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Filesize
114B

MD5
2a454248cad33c3e7f698033a6f0b573

SHA1
477dcd585b3e6565d527a3ed748219704341dd86

SHA256
1bf5d34fadd8deba8d87182931e0b286c05db5a8f5876b0638bdfebecd08f898

SHA512
1ae1c8f8c4afc7de0ab6dcbcb9e79d2148bb29d095084a4c45bc6b8353555ca8eb2f7e4fffc71af85e191479221e31cda78b781ce0e3f818f6f637ab88a073dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
143KB

MD5
fc3a09ee89775af86da08d463bc11fd3

SHA1
c959cf15eea318fd880ca5a6ec0c5074cd0d8a10

SHA256
4a9202ba45f56a3db903d173f9a4d09e738f1a21eee6f1af0f55151ae4c6026a

SHA512
4983987212241ce9589a0d45a7810004d5f248cf82155f52efc302d8a3a323b7a5b566a7b454905f5aba7649573bdc3bb56c6621314be78cbd6772c18406d16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1F569D4D-8A82-44CE-BC11-BB999CE31246}

Filesize
128KB

MD5
840d8ca08a936a92683617a7742c399e

SHA1
5f594280b05b3ae19f4eddf14332ed386766bb6c

SHA256
4e50376f6ecd01ce70f42d7f666b575daa9ef7c020c8739a9a23be71c1f22394

SHA512
283f424e3ffcda48f9d520ca28b0d3c1fe5626c20396872dca45a9fb67b5408a90dbb0b6c8f28826f55cf4a9d224756a3334b1187c85d433c7561c2ada439119

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
04b0957968a76cb4d894c54b31c27c9b

SHA1
05c734dc434cb4d4803ed3d234c87e0cfabba3da

SHA256
e446434b8ca114d0c38e87b2ee2dfdeff8b52673bf3b1594f14c3a676a050078

SHA512
dcb0d256639c20eb832dedaa64308cfa521334942be5471742e7a57c6efe0f3c6e6a10813ba226fb11b3b844508fd3c0bb147dd3377085090fcf9bf2cbf5a718

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2824-15-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-13-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-275-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-227-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-179-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-122-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-324-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-470-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-422-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-372-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-12-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-62-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-14-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-0-0x000000002F921000-0x000000002F922000-memory.dmp

Filesize
4KB

Download
memory/2824-580-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-60-0x0000000004F20000-0x0000000005020000-memory.dmp

Filesize
1024KB

Download
memory/2824-61-0x000000000D280000-0x000000000D380000-memory.dmp

Filesize
1024KB

Download
memory/2824-16-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-17-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2824-10-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/2824-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Filesize
44KB

Download
memory/2824-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download