Automated Malware Analysis Management Report for wELAqfmQfJ.docx

Overview

General Information

Sample name:	wELAqfmQfJ.docx renamed because original name is a hash value
Original sample name:	2f019ee2e06ae78b7e9474cb961eb1375189b0a8c3c19e5d6b4ab048c5a7f5ad
Analysis ID:	1430946
MD5:	06adf215b95b5fc30d4bb047eff45902
SHA1:	fb07bf1dc797ddeeb54f829a303eb63d44dafa23
SHA256:	2f019ee2e06ae78b7e9474cb961eb1375189b0a8c3c19e5d6b4ab048c5a7f5ad
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Classification

Signatures

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 20.190.190.193:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49813 version: TLS 1.2

Source: winword.exe

Memory has grown: Private usage: 1MB later: 56MB

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.193

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=es3Cv5Gz6aDxEVV&MD=BvLSDSMO HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=es3Cv5Gz6aDxEVV&MD=BvLSDSMO HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: www.echdghvm.life

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: item1.xml

String found in binary or memory: http://www.wps.cn/officeDocument/2013/wpsCustomData

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 20.190.190.193:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49813 version: TLS 1.2

Document contains embedded VBA macros

Source: sist02.xsl.0.dr	OLE indicator, VBA macros: true
Source: mlaseventheditionofficeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: chicago.xsl.0.dr	OLE indicator, VBA macros: true
Source: gostname.xsl.0.dr	OLE indicator, VBA macros: true
Source: ieee2006officeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: turabian.xsl.0.dr	OLE indicator, VBA macros: true
Source: gosttitle.xsl.0.dr	OLE indicator, VBA macros: true
Source: CatalogCacheMetaData.xml.0.dr	OLE indicator, VBA macros: true
Source: gb.xsl.0.dr	OLE indicator, VBA macros: true
Source: harvardanglia2008officeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: iso690nmerical.xsl.0.dr	OLE indicator, VBA macros: true
Source: iso690.xsl.0.dr	OLE indicator, VBA macros: true
Source: APASixthEditionOfficeOnline.xsl.0.dr	OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: sist02.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{1C1AE911-14F6-4236-A95E-8DCA02FC865C}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: mlaseventheditionofficeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: chicago.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gostname.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ieee2006officeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: turabian.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gosttitle.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: CatalogCacheMetaData.xml.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gb.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: harvardanglia2008officeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690nmerical.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: APASixthEditionOfficeOnline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: clean2.winDOCX@21/234@22/4

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{793932A7-3ADC-439C-8BBC-83B776BFADF4} - OProcSessId.dat

Jump to behavior

Source: wELAqfmQfJ.docx	OLE indicator, Word Document stream: true
Source: Equations.dotx.0.dr	OLE indicator, Word Document stream: true
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	OLE indicator, Word Document stream: true
Source: Insight design set.dotx.0.dr	OLE indicator, Word Document stream: true
Source: Element design set.dotx.0.dr	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: ~WRF{1C1AE911-14F6-4236-A95E-8DCA02FC865C}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{1C1AE911-14F6-4236-A95E-8DCA02FC865C}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{1C1AE911-14F6-4236-A95E-8DCA02FC865C}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.echdghvm.life/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2456,i,10757763659854189295,5211257207204847182,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2456,i,10757763659854189295,5211257207204847182,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Templates.LNK.0.dr	LNK file: ..\..\Templates
Source: wELAqfmQfJ.LNK.0.dr	LNK file: ..\..\..\..\..\Desktop\wELAqfmQfJ.docx

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: wELAqfmQfJ.docx	Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/item3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/media/image2.jpg
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/media/image10.jpeg
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRD0000.tmp.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: wELAqfmQfJ.docx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.250.141.106	www.google.com	United States		15169	GOOGLEUS	false

Domain

Country

Flag

ASN

ASN Name

Malicious

239.255.255.250

unknown

Reserved

unknown

false

142.250.141.106

www.google.com

United States

15169

GOOGLEUS

false

IP
192.168.2.16
192.168.2.4

192.168.2.16

192.168.2.4

Name	IP	Active
google.com	142.251.2.102	true
www.google.com	142.250.141.106	true
www.echdghvm.life	unknown	unknown

Name

Active

google.com

142.251.2.102

true

www.google.com

142.250.141.106

true

www.echdghvm.life

unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml	XML 1.0 document, ASCII text, with very long lines (2008), with no line terminators	93FE1C7537D8598666D8FC229A0D78B1	F292C998E7FFF4C635ABF090E3AEB980DB9137B9	6067B6C6F5E16112F8C2620B623A6997D953A1BE9084E67B2786811FA8BF6C91
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json	JSON data	036628E3E3F0728DAA7D53AC1B3EF8CC	65327D9039335E1BAF9E14639AE355195766C9EC	2CAEC4D00BD356241B8B405B1B74386C677D501A7A23CE6EF916EAF912541544
C:\Users\user\AppData\Local\Microsoft\FontCache\4\CloudFonts\SimHei\33134363409.ttf	TrueType Font data, 20 tables, 1st "GDEF", name offset 0x93cc0c	AB95F5F6E05AD96F7D81E0F2421B4AF2	199EF917D587BE9580C66BAAFC99903BAEFBEB07	277B78EA5E7A6056224212E5FA28070A12E56ABF6422F4B5DE5FFAA82CB6269D
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_39.ttf	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_39RegularVersion 4.39;O365	1BE236301B686323302632C0EACCFD6F	7EF18B642DBFA9FB6E8AFABACB50F6CA6BD73BB4	90200D640623BFB0518B18D72C3F9828BC6EDA63EAB2DA90FBC27A08AAD165D7
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres	data	7513EF20FBCB6210F93C8284D40546BC	2299017A369801C7F7BD58A4492E3DF571F66D27	0C6F29DEA5DEB6287439467EDF6832FA9788F9B9DDB90FD8577265CF7A151F04
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres	data	DE47A9074638D86F90EB348C1FF581DF	FE829B50EC6FF61B777CF1C23EE14CF9792BDE92	BC4C942459E317C1F023415DBD1DFBEE9F80F6E9898554EF82D36B1D20F81310
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15D3050F.png	PNG image data, 400 x 400, 8-bit/color RGBA, non-interlaced	172FED7B7F8F9C0BAE5F41511C22814C	B9F3CAE5C74C0EB626DAEA79DFA17AB62ABAEB80	1064B1182ABA90A66D204A650BF6B585843228201F14F0A879B0C2AD6FA45348
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A55FB3C6.png	PNG image data, 646 x 144, 8-bit/color RGB, non-interlaced	4CCBFF195203FB803CB6C41E67CEE5D6	A6194AA70F70921BA2DB8AB5302E8BAD99B942E8	2DDA476CBC3A9FE81B4DCC8C810CE4C2DDEBD69BCB1A5D927F78790D88ECD82C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AE323BC4.png	PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced	0F720DA4D9BB7FF17A60CFB42D5F51B5	5F54E64868D01DDF09EBE36DB73974E808AE6C46	46CD2348B88C2D0FC46283FABD5ED76D858D0567D6450FEE513BFAAA1694CB12
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{1C1AE911-14F6-4236-A95E-8DCA02FC865C}.tmp	Composite Document File V2 Document, Cannot read section info	679672A5004E0AF50529F33DB5469699	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CB8C97A5-38C5-42E7-A798-D47D0FC5E793}.tmp	data	3AB99A69D5A65CF43668AC3838FB32F3	17217C3C2CDA84E80614688663C2A86FA05EC69D	7B6696E2EC456DF5FDA33312AE84930F757CA5D0AC06B4EDDC75B60F2EE7B029
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D2C1C9DA-214B-40D5-B01C-93E0EE0EDC75}.tmp	data	10FD7F57D877A82660425609760D1C63	89CD405A158AF04FBA7AF6324D36EB88D67ED5D3	7236F0AA88C29DC101BB232D9313E51293BC75E2D663470EDDDFD83C5A17C00D
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1713953839004216600_793932A7-3ADC-439C-8BBC-83B776BFADF4.log	ASCII text, with very long lines (7507), with CRLF line terminators	F30A6C82536EED4194514F962EB015C7	1EF9B1DD8EACA420537255CEAC8F7F9800054E24	46F953EA33476675E0B9D81E06BFE75EB68F91DD58307AE4867869F79DBBC084
C:\Users\user\AppData\Local\Temp\TCDCCA5.tmp\Content.inf	data	D79B5DE6D93AC06005761D88783B3EE6	E05BDCE2673B6AA8CBB17A138751EDFA2264DB91	96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
C:\Users\user\AppData\Local\Temp\TCDCCA5.tmp\architecture.glox	Microsoft OOXML	8109B3C170E6C2C114164B8947F88AA1	FC63956575842219443F4B4C07A8127FBD804C84	F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
C:\Users\user\AppData\Local\Temp\TCDCCA6.tmp\Content.inf	data	1309D172F10DD53911779C89A06BBF65	274351A1059868E9DEB53ADF01209E6BFBDFADFB	C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
C:\Users\user\AppData\Local\Temp\TCDCCA6.tmp\InterconnectedBlockProcess.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	08D3A25DD65E5E0D36ADC602AE68C77D	F23B6DDB3DA0015B1D8877796F7001CABA25EA64	58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
C:\Users\user\AppData\Local\Temp\TCDCCB6.tmp\Content.inf	data	C1B36A0547FB75445957A619201143AC	CDB0A18152F57653F1A707D39F3D7FB504E244A7	4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
C:\Users\user\AppData\Local\Temp\TCDCCB6.tmp\pictureorgchart.glox	Microsoft OOXML	586CEBC1FAC6962F9E36388E5549FFE9	D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E	1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
C:\Users\user\AppData\Local\Temp\TCDCCB7.tmp\Content.inf	data	149948E41627BE5DC454558E12AF2DA4	DB72388C037F0B638FCD007FAB46C916249720A8	1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
C:\Users\user\AppData\Local\Temp\TCDCCB7.tmp\sist02.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	F883B260A8D67082EA895C14BF56DD56	7954565C1F243D46AD3B1E2F1BAF3281451FC14B	EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
C:\Users\user\AppData\Local\Temp\TCDCCBA.tmp\Content.inf	data	69757AF3677EA8D80A2FBE44DEE7B9E4	26AF5881B48F0CB81F194D1D96E3658F8763467C	0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
C:\Users\user\AppData\Local\Temp\TCDCCBA.tmp\PictureFrame.glox	Microsoft OOXML	D32E93F7782B21785424AE2BEA62B387	1D5589155C319E28383BC01ED722D4C2A05EF593	2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
C:\Users\user\AppData\Local\Temp\TCDCCCF.tmp\Content.inf	data	A6B2731ECC78E7CED9ED5408AB4F2931	BA15D036D522978409846EA682A1D7778381266F	6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
C:\Users\user\AppData\Local\Temp\TCDCCCF.tmp\TabList.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	0A4CA91036DC4F3CD8B6DBF18094CF25	6C7EED2530CD0032E9EEAB589AFBC296D106FBB9	E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
C:\Users\user\AppData\Local\Temp\TCDCCD0.tmp\Content.inf	data	2F7A8FE4E5046175500AFFA228F99576	8A3DE74981D7917E6CE1198A3C8E35C7E2100F43	1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
C:\Users\user\AppData\Local\Temp\TCDCCD0.tmp\Text Sidebar (Annual Report Red and Black design).docx	Microsoft Word 2007+	5A53F55DD7DA8F10A8C0E711F548B335	035E685927DA2FECB88DE9CAF0BECEC88BC118A7	66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
C:\Users\user\AppData\Local\Temp\TCDCCE3.tmp\Content.inf	data	E8B30D1070779CC14FBE93C8F5CF65BE	9C87F7BC66CF55634AB3F070064AAF8CC977CD05	2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
C:\Users\user\AppData\Local\Temp\TCDCCE3.tmp\HexagonRadial.glox	Microsoft OOXML	20621E61A4C5B0FFEEC98FFB2B3BCD31	4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4	223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
C:\Users\user\AppData\Local\Temp\TCDCCF3.tmp\Content.inf	data	52BD0762F3DC77334807DDFC60D5F304	5962DA7C58F742046A116DDDA5DC8EA889C4CB0E	30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
C:\Users\user\AppData\Local\Temp\TCDCCF3.tmp\RadialPictureList.glox	Microsoft OOXML	CDC1493350011DB9892100E94D5592FE	684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA	F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
C:\Users\user\AppData\Local\Temp\TCDCCF5.tmp\Content.inf	data	16711B951E1130126E240A6E4CC2E382	8095AA79AEE029FD06428244CA2A6F28408448DB	855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
C:\Users\user\AppData\Local\Temp\TCDCCF5.tmp\TabbedArc.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	E8308DA3D46D0BC30857243E1B7D330D	C7F8E54A63EB254C194A23137F269185E07F9D10	6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
C:\Users\user\AppData\Local\Temp\TCDCD09.tmp\Content.inf	data	4DD225E2A305B50AF39084CE568B8110	C85173D49FC1522121AA2B0B2E98ADF4BB95B897	6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
C:\Users\user\AppData\Local\Temp\TCDCD09.tmp\chevronaccent.glox	Microsoft OOXML	7BC0A35807CD69C37A949BBD51880FF5	B5870846F44CAD890C6EFF2F272A037DA016F0D8	BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
C:\Users\user\AppData\Local\Temp\TCDCD0B.tmp\Content.inf	data	6C489D45F3B56845E68BE07EA804C698	C4C9012C0159770CB882870D4C92C307126CEC3F	3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
C:\Users\user\AppData\Local\Temp\TCDCD0B.tmp\ThemePictureAccent.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	42A840DC06727E42D42C352703EC72AA	21AAAF517AFB76BF1AF4E06134786B1716241D29	02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
C:\Users\user\AppData\Local\Temp\TCDCD1C.tmp\Content.inf	data	923D406B2170497AD4832F0AD3403168	A77DA08C9CB909206CDE42FE1543B9FE96DF24FB	EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
C:\Users\user\AppData\Local\Temp\TCDCD1C.tmp\ConvergingText.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	C9F9364C659E2F0C626AC0D0BB519062	C4036C576074819309D03BB74C188BF902D1AE00	6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
C:\Users\user\AppData\Local\Temp\TCDCD1D.tmp\Content.inf	data	6F8FE7B05855C203F6DEC5C31885DD08	9CC27D17B654C6205284DECA3278DA0DD0153AFF	B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
C:\Users\user\AppData\Local\Temp\TCDCD1D.tmp\ThemePictureGrid.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	031C246FFE0E2B623BBBD231E414E0D2	A57CA6134779D54691A4EFD344BC6948E253E0BA	2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
C:\Users\user\AppData\Local\Temp\TCDCD2F.tmp\Content.inf	data	877A8A960B2140E3A0A2752550959DB9	FBEC17B332CBC42F2F16A1A08767623C7955DF48	FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
C:\Users\user\AppData\Local\Temp\TCDCD2F.tmp\gb.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	51D32EE5BC7AB811041F799652D26E04	412193006AA3EF19E0A57E16ACF86B830993024A	6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
C:\Users\user\AppData\Local\Temp\TCDCD44.tmp\Content.inf	data	4EC6724CBBA516CF202A6BD17226D02C	E412C574D567F0BA68B4A31EDB46A6AB3546EA95	18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
C:\Users\user\AppData\Local\Temp\TCDCD44.tmp\harvardanglia2008officeonline.xsl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	33A829B4893044E1851725F4DAF20271	DAC368749004C255FB0777E79F6E4426E12E5EC8	C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
C:\Users\user\AppData\Local\Temp\TCDCD56.tmp\Content.inf	data	9C00979164E78E3B890E56BE2DF00666	1FA3C439D214C34168ADF0FBA5184477084A0E51	21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
C:\Users\user\AppData\Local\Temp\TCDCD56.tmp\iso690nmerical.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	3BF8591E1D808BCCAD8EE2B822CC156B	9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0	7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
C:\Users\user\AppData\Local\Temp\TCDCD58.tmp\Content.inf	data	9B8D7EFE8A69E41CDC2439C38FE59FAF	034D46BEC5E38E20E56DD905E2CA2F25AF947ED1	70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
C:\Users\user\AppData\Local\Temp\TCDCD58.tmp\iso690.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	FF0E07EFF1333CDF9FC2523D323DD654	77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4	3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
C:\Users\user\AppData\Local\Temp\TCDCD69.tmp\Content.inf	data	2240CF2315F2EB448CEA6E9CE21B5AC5	46332668E2169E86760CBD975FF6FA9DB5274F43	0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
C:\Users\user\AppData\Local\Temp\TCDCD69.tmp\rings.glox	Microsoft OOXML	6C24ED9C7C868DB0D55492BB126EAFF8	C6D96D4D298573B70CF5C714151CF87532535888	48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
C:\Users\user\AppData\Local\Temp\TCDCD7A.tmp\APASixthEditionOfficeOnline.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	5632C4A81D2193986ACD29EADF1A2177	E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346	06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
C:\Users\user\AppData\Local\Temp\TCDCD7A.tmp\Content.inf	data	C3216C3FC73A4B3FFFE7ED67153AB7B5	F20E4D33BABE978BE6A6925964C57D6E6EF1A92E	7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
C:\Users\user\AppData\Local\Temp\TCDCD8A.tmp\Content.inf	data	0F98498818DC28E82597356E2650773C	1995660972A978D17BC483FCB5EE6D15E7058046	4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
C:\Users\user\AppData\Local\Temp\TCDCD8A.tmp\Element design set.dotx	Microsoft Word 2007+	7CDFFC23FB85AD5737452762FA36AAA0	CFBC97247959B3142AFD7B6858AD37B18AFB3237	68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
C:\Users\user\AppData\Local\Temp\TCDCDBA.tmp\Content.inf	data	A0D51783BFEE86F3AC46A810404B6796	93C5B21938DA69363DBF79CE594C302344AF9D9E	47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
C:\Users\user\AppData\Local\Temp\TCDCDBA.tmp\gosttitle.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	F425D8C274A8571B625EE66A8CE60287	29899E309C56F2517C7D9385ECDBB719B9E2A12B	DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
C:\Users\user\AppData\Local\Temp\TCDCDBD.tmp\Content.inf	data	3D52060B74D7D448DC733FFE5B92CB52	3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC	BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
C:\Users\user\AppData\Local\Temp\TCDCDBD.tmp\ThemePictureAlternatingAccent.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	2F8998AA9CF348F1D6DE16EAB2D92070	85B13499937B4A584BEA0BFE60475FD4C73391B6	8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
C:\Users\user\AppData\Local\Temp\TCDCDED.tmp\Content.inf	data	63E8B0621B5DEFE1EF17F02EFBFC2436	2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953	9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
C:\Users\user\AppData\Local\Temp\TCDCDED.tmp\VaryingWidthList.glox	Microsoft OOXML	67766FF48AF205B771B53AA2FA82B4F4	0964F8B9DC737E954E16984A585BDC37CE143D84	160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
C:\Users\user\AppData\Local\Temp\TCDCDFE.tmp\BracketList.glox	Microsoft OOXML	5D9BAD7ADB88CEE98C5203883261ACA1	FBF1647FCF19BCEA6C3CF4365C797338CA282CD2	8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
C:\Users\user\AppData\Local\Temp\TCDCDFE.tmp\Content.inf	data	1A314B08BB9194A41E3794EF54017811	D1E70DB69CA737101524C75E634BB72F969464FF	9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
C:\Users\user\AppData\Local\Temp\TCDCE0E.tmp\Content.inf	data	333BA58FCE326DEA1E4A9DE67475AA95	F51FAD5385DC08F7D3E11E1165A18F2E8A028C14	66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
C:\Users\user\AppData\Local\Temp\TCDCE0E.tmp\mlaseventheditionofficeonline.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	377B3E355414466F3E3861BCE1844976	0B639A3880ACA3FD90FA918197A669CC005E2BA4	4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
C:\Users\user\AppData\Local\Temp\TCDCE1F.tmp\CircleProcess.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	950F3AB11CB67CC651082FEBE523AF63	418DE03AD2EF93D0BD29C3D7045E94D3771DACB4	9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
C:\Users\user\AppData\Local\Temp\TCDCE1F.tmp\Content.inf	data	D04EC08EFE18D1611BDB9A5EC0CC00B1	668FF6DFE64D5306220341FC2C1353199D122932	FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
C:\Users\user\AppData\Local\Temp\TCDCE20.tmp\Content.inf	data	F25AC64EC63FA98D9E37782E2E49D6E6	97DD9CFA4A22F5B87F2B53EFA37332A9EF218204	834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
C:\Users\user\AppData\Local\Temp\TCDCE20.tmp\ieee2006officeonline.xsl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	0C9731C90DD24ED5CA6AE283741078D0	BDD3D7E5B0DE9240805EA53EF2EB784A4A121064	ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
C:\Users\user\AppData\Local\Temp\TCDCE21.tmp\Content.inf	data	4A9A2E8DB82C90608C96008A5B6160EF	A49110814D9546B142C132EBB5B9D8A1EC23E2E6	4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
C:\Users\user\AppData\Local\Temp\TCDCE21.tmp\chicago.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	9AC6DE7B629A4A802A41F93DB2C49747	3D6E929AA1330C869D83F2BF8EBEBACD197FB367	52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
C:\Users\user\AppData\Local\Temp\TCDCE22.tmp\Content.inf	data	8D9B02CC69FA40564E6C781A9CC9E626	352469A1ABB8DA1DC550D7E27924E552B0D39204	1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
C:\Users\user\AppData\Local\Temp\TCDCE22.tmp\gostname.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	9888A214D362470A6189DEFF775BE139	32B552EB3C73CD7D0D9D924C96B27A86753E0F97	C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
C:\Users\user\AppData\Local\Temp\TCDCE42.tmp\Content.inf	data	93149E194021B37162FD86684ED22401	1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1	50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
C:\Users\user\AppData\Local\Temp\TCDCE42.tmp\Equations.dotx	Microsoft Word 2007+	2AB22AC99ACFA8A82742E774323C0DBD	790F8B56DF79641E83A16E443A75A66E6AA2F244	BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
C:\Users\user\AppData\Local\Temp\TCDCE53.tmp\Content.inf	data	C15EB3F4306EBF75D1E7C3C9382DEECC	A3F9684794FFD59151A80F97770D4A79F1D030A6	23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
C:\Users\user\AppData\Local\Temp\TCDCE53.tmp\turabian.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	F079EC5E2CCB9CD4529673BCDFB90486	FBA6696E6FA918F52997193168867DD3AEBE1AD6	3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
C:\Users\user\AppData\Local\Temp\TCDCEA3.tmp\Banded.thmx	Microsoft OOXML	4A1657A3872F9A77EC257F41B8F56B3D	4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B	C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
C:\Users\user\AppData\Local\Temp\TCDCEA3.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	487E25E610F3FC2EEA27AB54324EA8F6	11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C	022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
C:\Users\user\AppData\Local\Temp\TCDCEC8.tmp\Dividend.thmx	Microsoft OOXML	D676DE8877ACEB43EF0ED570A2B30F0E	6C8922697105CEC7894966C9C5553BEB64744717	DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
C:\Users\user\AppData\Local\Temp\TCDCEC8.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	76340C3F8A0BFCEDAB48B08C57D9B559	E1A6672681AA6F6D525B1D17A15BF4F912C4A69B	78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
C:\Users\user\AppData\Local\Temp\TCDCEE8.tmp\View.thmx	Microsoft OOXML	0E37AECABDB3FDF8AAFEDB9C6D693D2F	F29254D2476DF70979F723DE38A4BF41C341AC78	7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
C:\Users\user\AppData\Local\Temp\TCDCEE8.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	35AFE8D8724F3E19EB08274906926A0B	435B528AAF746428A01F375226C5A6A04099DF75	97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
C:\Users\user\AppData\Local\Temp\TCDCEE9.tmp\Basis.thmx	Microsoft OOXML	3B5E44DDC6AE612E0346C58C2A5390E3	23BCF3FCB61F80C91D2CFFD8221394B1CB359C87	9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
C:\Users\user\AppData\Local\Temp\TCDCEE9.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	133D126F0DE2CC4B29ECE38194983265	D8D701298D7949BE6235493925026ED405290D43	08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
C:\Users\user\AppData\Local\Temp\TCDCF0A.tmp\Metropolitan.thmx	Microsoft OOXML	B30D2EF0FC261AECE90B62E9C5597379	4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3	BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
C:\Users\user\AppData\Local\Temp\TCDCF0A.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	23D59577F4AE6C6D1527A1B8CDB9AB19	A345D683E54D04CC0105C4BFFCEF8C6617A0093D	9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
C:\Users\user\AppData\Local\Temp\TCDCF2A.tmp\Frame.thmx	Microsoft OOXML	C276F590BB846309A5E30ADC35C502AD	CA6D9D6902475F0BE500B12B7204DD1864E7DD02	782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
C:\Users\user\AppData\Local\Temp\TCDCF2A.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	71CCB69AF8DD9821F463270FB8CBB285	8FED3EB733A74B2A57D72961F0E4CF8BCA42C851	8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
C:\Users\user\AppData\Local\Temp\TCDCFB9.tmp\Wood_Type.thmx	Microsoft OOXML	35200E94CEB3BB7A8B34B4E93E039023	5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D	6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
C:\Users\user\AppData\Local\Temp\TCDCFB9.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	5728F26DF04D174DE9BDFF51D0668E2A	C998DF970655E4AF9C270CC85901A563CFDBCC22	979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
C:\Users\user\AppData\Local\Temp\TCDCFDA.tmp\Parallax.thmx	Zip archive data, at least v2.0 to extract, compression method=deflate	97EEC245165F2296139EF8D4D43BBB66	0D91B68CCB6063EB342CFCED4F21A1CE4115C209	3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
C:\Users\user\AppData\Local\Temp\TCDCFDA.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	7956D2B60E2A254A07D46BCA07D0EFF0	AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5	C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
C:\Users\user\AppData\Local\Temp\TCDD03A.tmp\Parcel.thmx	Microsoft OOXML	8BA551EEC497947FC39D1D48EC868B54	02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF	DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
C:\Users\user\AppData\Local\Temp\TCDD03A.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	960E28B1E0AB3522A8A8558C02694ECF	8387E9FD5179A8C811CCB5878BAC305E6A166F93	2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
C:\Users\user\AppData\Local\Temp\TCDD04B.tmp\Berlin.thmx	Microsoft OOXML	9E563D44C28B9632A7CF4BD046161994	D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11	86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
C:\Users\user\AppData\Local\Temp\TCDD04B.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	327DA4A5C757C0F1449976BE82653129	CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71	341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
C:\Users\user\AppData\Local\Temp\TCDD0E9.tmp\Quotable.thmx	Microsoft OOXML	F03AB824395A8F1F1C4F92763E5C5CAD	A6E021918C3CEFFB6490222D37ECEED1FC435D52	D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
C:\Users\user\AppData\Local\Temp\TCDD0E9.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	BD6B5A98CA4E6C5DBA57C5AD167EDD00	CCFF7F635B31D12707DC0AC6D1191AB5C4760107	F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
C:\Users\user\AppData\Local\Temp\TCDD189.tmp\Circuit.thmx	Zip archive data, at least v2.0 to extract, compression method=deflate	ACBA78931B156E4AF5C4EF9E4AB3003B	2A1F506749A046ECFB049F23EC43B429530EC489	943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
C:\Users\user\AppData\Local\Temp\TCDD189.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	40FF521ED2BA1B015F17F0B0E5D95068	0F29C084311084B8FDFE67855884D8EB60BDE1A6	CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
C:\Users\user\AppData\Local\Temp\TCDD1A9.tmp\Gallery.thmx	Microsoft OOXML	2192871A20313BEC581B277E405C6322	1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085	A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
C:\Users\user\AppData\Local\Temp\TCDD1A9.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1C5D58A5ED3B40486BC22B254D17D1DD	69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A	EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
C:\Users\user\AppData\Local\Temp\TCDD1EC.tmp\Droplet.thmx	Microsoft OOXML	529795E0B55926752462CBF32C14E738	E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF	8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
C:\Users\user\AppData\Local\Temp\TCDD1EC.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	AA7B919B21FD42C457948DE1E2988CB3	19DA49CF5540E5840E95F4E722B54D44F3154E04	5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
C:\Users\user\AppData\Local\Temp\TCDD24C.tmp\Slate.thmx	Microsoft OOXML	5BDE450A4BD9EFC71C370C731E6CDF43	5B223FB902D06F9FCC70C37217277D1E95C8F39D	93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
C:\Users\user\AppData\Local\Temp\TCDD24C.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	5402138088A9CF0993C08A0CA81287B8	D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A	5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
C:\Users\user\AppData\Local\Temp\TCDD25D.tmp\Damask.thmx	Microsoft OOXML	EE33FDA08FBF10EF6450B875717F8887	7DFA77B8F4559115A6BF186EDE51727731D7107D	5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
C:\Users\user\AppData\Local\Temp\TCDD25D.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	06B3DDEFF905F75FA5FA5C5B70DCB938	E441B94F0621D593DC870A27B28AC6BE3842E7DB	72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
C:\Users\user\AppData\Local\Temp\TCDD29D.tmp\Mesh.thmx	Microsoft OOXML	CDF98D6B111CF35576343B962EA5EEC6	D481A70EC9835B82BD6E54316BF27FAD05F13A1C	E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
C:\Users\user\AppData\Local\Temp\TCDD29D.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	8D1E1991838307E4C2197ECB5BA9FA79	4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93	4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
C:\Users\user\AppData\Local\Temp\TCDD2ED.tmp\Main_Event.thmx	Microsoft OOXML	5AF1581E9E055B6E323129E4B07B1A45	B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD	BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
C:\Users\user\AppData\Local\Temp\TCDD2ED.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C9812793A4E94320C49C7CA054EE6AA4	CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA	A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
C:\Users\user\AppData\Local\Temp\TCDD36B.tmp\Content.inf	data	55BA5B2974A072B131249FD9FD42EB91	6509F8AC0AA23F9B8F3986217190F10206A691EA	13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
C:\Users\user\AppData\Local\Temp\TCDD36B.tmp\Insight design set.dotx	Microsoft Word 2007+	8BC84DB5A3B2F8AE2940D3FB19B43787	3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE	AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
C:\Users\user\AppData\Local\Temp\TCDD3CB.tmp\Vapor_Trail.thmx	Microsoft OOXML	FB88BFB743EEA98506536FC44B053BD0	B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537	05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
C:\Users\user\AppData\Local\Temp\TCDD3CB.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0FEA64606C519B78B7A52639FEA11492	FC9A6D5185088318032FD212F6BDCBD1CF2FFE76	60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
C:\Users\user\AppData\Local\Temp\TCDD3EB.tmp\Savon.thmx	Microsoft OOXML	FD5BBC58056522847B3B75750603DF0C	97313E85C0937739AF7C7FC084A10BF202AC9942	44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
C:\Users\user\AppData\Local\Temp\TCDD3EB.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	CD465E8DA15E26569897213CA9F6BC9C	9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C	D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
C:\Users\user\AppData\Local\Temp\cabCC8D.tmp	Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	7C645EC505982FE529D0E5035B378FFC	1488ED81B350938D68A47C7F0BCE8D91FB1673E2	298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
C:\Users\user\AppData\Local\Temp\cabCC8E.tmp	Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	E532038762503FFA1371DF03FA2E222D	F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0	5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
C:\Users\user\AppData\Local\Temp\cabCC8F.tmp	Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	ABBF10CEE9480E41D81277E9538F98CB	F4EA53D180C95E78CC1DA88CD63F4C099BF0512C	557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
C:\Users\user\AppData\Local\Temp\cabCC90.tmp	Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	C47E3430AF813DF8B02E1CB4829DD94B	35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC	F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
C:\Users\user\AppData\Local\Temp\cabCC91.tmp	Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	91AADBEC4171CFA8292B618492F5EF34	A47DEB62A21056376DD8F862E1300F1E7DC69D1D	7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
C:\Users\user\AppData\Local\Temp\cabCC92.tmp	Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	486CBCB223B873132FFAF4B8AD0AD044	B0EC82CD986C2AB5A51C577644DE32CFE9B12F92	B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
C:\Users\user\AppData\Local\Temp\cabCC93.tmp	Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression	DA3380458170E60CBEA72602FDD0D955	1D059F8CFD69F193D363DA337C87136885018F0F	6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
C:\Users\user\AppData\Local\Temp\cabCC94.tmp	Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	D30AD26DBB6DECA4FDD294F48EDAD55D	CA767A1B6AF72CF170C9E10438F61797E0F2E8CE	6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
C:\Users\user\AppData\Local\Temp\cabCCB8.tmp	Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	66C5199CF4FB18BD4F9F3F2CCB074007	BA9D8765FFC938549CC19B69B3BF5E6522FB062E	4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
C:\Users\user\AppData\Local\Temp\cabCCB9.tmp	Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression	C455C4BC4BEC9E0DA67C4D1E53E46D5A	7674600C387114B0F98EC925BE74E811FB25C325	40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
C:\Users\user\AppData\Local\Temp\cabCCBB.tmp	Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	EF9CB8BDFBC08F03BEF519AD66BA642F	D98C275E9402462BF52A4D28FAF57DF0D232AF6B	93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
C:\Users\user\AppData\Local\Temp\cabCCBC.tmp	Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	7BF88B3CA20EB71ED453A3361908E010	F75F86557051160507397F653D7768836E3B5655	E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
C:\Users\user\AppData\Local\Temp\cabCCBD.tmp	Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	89A9818E6658D73A73B642522FF8701F	E66C95E957B74E90B444FF16D9B270ADAB12E0F4	F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
C:\Users\user\AppData\Local\Temp\cabCCBE.tmp	Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	E033CCBC7BA787A2F824CE0952E57D44	EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A	D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
C:\Users\user\AppData\Local\Temp\cabCCD1.tmp	Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	4EFA48EC307EAF2F9B346A073C67FCFB	76A7E1234FF29A2B18C968F89082A14C9C851A43	3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
C:\Users\user\AppData\Local\Temp\cabCCE2.tmp	Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	EE0129C7CC1AC92BBC3D6CB0F653FCAE	4ABAA858176B349BDAB826A7C5F9F00AC5499580	345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
C:\Users\user\AppData\Local\Temp\cabCCF4.tmp	Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	F913DD84915753042D856CEC4E5DABA5	FB1E423C8D09388C3F0B6D44364D94D786E8CF53	AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
C:\Users\user\AppData\Local\Temp\cabCCF6.tmp	Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	6D787B1E223DB6B91B69238062CCA872	A02F3D847D1F8973E854B89D4558413EA2E349F7	DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
C:\Users\user\AppData\Local\Temp\cabCCF7.tmp	Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	8B29FAB506FD65C21C9CD6FE6BBBC146	CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF	773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
C:\Users\user\AppData\Local\Temp\cabCCF8.tmp	Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	92A819D434A8AAEA2C65F0CC2F33BB3A	85C3F1801EFFEA1EA10A8429B0875FC30893F2C8	5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
C:\Users\user\AppData\Local\Temp\cabCD0A.tmp	Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression	51804E255C573176039F4D5B55C12AB2	A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B	3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
C:\Users\user\AppData\Local\Temp\cabCD0C.tmp	Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	69EDB3BF81C99FE8A94BBA03408C5AE1	1AC85B369A976F35244BEEFA9C06787055C869C1	CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
C:\Users\user\AppData\Local\Temp\cabCD2E.tmp	Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	1D6F8E73A0662A48D332090A4C8C898F	CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C	8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
C:\Users\user\AppData\Local\Temp\cabCD30.tmp	Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	F10DF902980F1D5BEEA96B2C668408A7	92D341581B9E24284B7C29E5623F8028DBBAAFE9	E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
C:\Users\user\AppData\Local\Temp\cabCD31.tmp	Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression	53EE9DA49D0B84357038ECF376838D2E	AB03F46783B2227F312187DD84DC0C517510DE20	9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
C:\Users\user\AppData\Local\Temp\cabCD42.tmp	Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	205AF51604EF96EF1E8E60212541F742	D436FE689F8EF51FBA898454CF509DDB049C1545	DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
C:\Users\user\AppData\Local\Temp\cabCD43.tmp	Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression	D3C9036E4E1159E832B1B4D2E9D42BF0	966E04B7A8016D7FDAFE2C611957F6E946FAB1B9	434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
C:\Users\user\AppData\Local\Temp\cabCD45.tmp	Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	97F5B7B7E9E1281999468A5C42CB12E7	99481B2FA609D1D80A9016ADAA3D37E7707A2ED1	1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
C:\Users\user\AppData\Local\Temp\cabCD46.tmp	Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression	62863124CDCDA135ECC0E722782CB888	2543B8A9D3B2304BB73D2ADBEC60DB040B732055	23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
C:\Users\user\AppData\Local\Temp\cabCD57.tmp	Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression	21A4B7B71631C2CCDA5FBBA63751F0D2	DE65DC641D188062EF9385CC573B070AAA8BDD28	AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
C:\Users\user\AppData\Local\Temp\cabCDBB.tmp	Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	B9A6FF715719EE9DE16421AB983CA745	6B3F68B224020CD4BF142D7EDAAEC6B471870358	E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
C:\Users\user\AppData\Local\Temp\cabCDBC.tmp	Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	E3C64173B2F4AA7AB72E1396A9514BD8	774E52F7E74B90E6A520359840B0CA54B3085D88	16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
C:\Users\user\AppData\Local\Temp\cabCE83.tmp	Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression	0EBC45AA0E67CC435D0745438371F948	5584210C4A8B04F9C78F703734387391D6B5B347	3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
C:\Users\user\AppData\Local\Temp\cabCEA4.tmp	Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression	84D8F3848E7424CBE3801F9570E05018	71D7F2621DA8B295CE6885F8C7C81016D583C6B1	B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
C:\Users\user\AppData\Local\Temp\cabCEA5.tmp	Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression	21437897C9B88AC2CB2BB2FEF922D191	0CAD3D026AF2270013F67E43CB44F0568013162D	372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
C:\Users\user\AppData\Local\Temp\cabCEB5.tmp	Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression	26BEAB9CCEAFE4FBF0B7C0362681A9D2	F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601	217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
C:\Users\user\AppData\Local\Temp\cabCEC6.tmp	Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression	9A07035EF802BF89F6ED254D0DB02AB0	9A48C1962B5CF1EE37FEEC861A5B51CE11091E78	6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
C:\Users\user\AppData\Local\Temp\cabCEC7.tmp	Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression	65828DC7BE8BA1CE61AD7142252ACC54	538B186EAF960A076474A64F508B6C47B7699DD3	849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
C:\Users\user\AppData\Local\Temp\cabCF79.tmp	Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression	748A53C6BDD5CE97BD54A76C7A334286	7DD9EEDB13AC187E375AD70F0622518662C61D9F	9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
C:\Users\user\AppData\Local\Temp\cabCF99.tmp	Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression	1C12315C862A745A647DAD546EB4267E	B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6	4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
C:\Users\user\AppData\Local\Temp\cabCFEA.tmp	Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression	93FA9F779520AB2D22AC4EA864B7BB34	D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A	6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
C:\Users\user\AppData\Local\Temp\cabD00B.tmp	Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression	E29CE2663A56A1444EAA3732FFB82940	767A14B51BE74D443B5A3FEFF4D870C61CB76501	3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
C:\Users\user\AppData\Local\Temp\cabD0C9.tmp	Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression	F93364EEC6C4FFA5768DE545A2C34F07	166398552F6B7F4509732E148F93E207DD60420B	296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
C:\Users\user\AppData\Local\Temp\cabD158.tmp	Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression	BF95E967E7D1CEC8EFE426BC0127D3DE	BA44C5500A36D748A9A60A23DB47116D37FD61BC	4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
C:\Users\user\AppData\Local\Temp\cabD159.tmp	Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression	D4EAC009E9E7B64B8B001AE82B8102FA	D8D166494D5813DB20EA1231DA4B1F8A9B312119	8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
C:\Users\user\AppData\Local\Temp\cabD1AA.tmp	Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression	9C9F49A47222C18025CC25575337A965	E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0	ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
C:\Users\user\AppData\Local\Temp\cabD1CA.tmp	Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression	53C5F45B22E133B28D4BD3B5A350FDBD	D180CFB1438D27F76E1919DA3E84F307CB83434F	8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
C:\Users\user\AppData\Local\Temp\cabD1DB.tmp	Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression	828F96031F40BF8EBCB5E52AAEEB7E4C	CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2	640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
C:\Users\user\AppData\Local\Temp\cabD1DC.tmp	Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression	BEB12A0464D096CA33BAEA4352CE800F	F678D650B4A41676BA05C836D462F34BDC5BF648	A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
C:\Users\user\AppData\Local\Temp\cabD23B.tmp	Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression	F256ACA509B4C6C0144D278C7036B0A8	93F6106D0759AFD0061F73B876AA9CAB05AA8EF6	AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
C:\Users\user\AppData\Local\Temp\cabD27D.tmp	Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression	749C3615E54C8E6875518CFD84E5A1B2	64D51EB1156E850ECA706B00961C8B101F5AC2FC	F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
C:\Users\user\AppData\Local\Temp\cabD2CD.tmp	Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression	8867BDF5FC754DA9DA6F5BA341334595	5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9	42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
C:\Users\user\AppData\Local\Temp\cabD38C.tmp	Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression	E1101CCA6E3FEDB28B57AF4C41B50D37	990421B1D858B756E6695B004B26CDCCAE478C23	69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl	data	EF6EBD00B687BDE806940E7774D8155B	E2C2692568946668AC2F75312CBCC4256F75B4BD	457C8D43D3A2A5C9762CCBF17047F6BBBDC04CEF1281106A71898D6A6FEACF1B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Directory, ctime=Wed Apr 24 09:17:18 2024, mtime=Wed Apr 24 09:18:22 2024, atime=Wed Apr 24 09:18:22 2024, length=0, window=hide	1764EBD97D450017BA79D7EAFF863D42	C0C82BD72ACFE8E02878D531F7276E977037E1AA	A94656759EAD4EFB29035AC77D653EAFC397341C5E01A8AF5448B35EA319B647
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	BDAB357111513A4B475E58D0935AF493	BDE23103A2E3F92DE7EE370CBC57A12F2C84BDE4	057F7094EC0E4540215D31DB84C5893FA2CB506925BE2D6AE9F5D4A50DE7DE17
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\wELAqfmQfJ.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:27 2023, mtime=Wed Apr 24 09:17:22 2024, atime=Wed Apr 24 09:17:17 2024, length=78714, window=hide	A0009E9136800E4385108E89BDF78FB4	D3C1C2C41514F327D82E05C07A2ABF5283E9D026	2A1CD391B8AE316A659F1A9EFAFB104E3F84EB00E7661ADD555693603BB5E1A1
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)	Microsoft OOXML	4A1657A3872F9A77EC257F41B8F56B3D	4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B	C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)	Microsoft OOXML	35200E94CEB3BB7A8B34B4E93E039023	5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D	6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)	Microsoft OOXML	3B5E44DDC6AE612E0346C58C2A5390E3	23BCF3FCB61F80C91D2CFFD8221394B1CB359C87	9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)	Microsoft OOXML	D676DE8877ACEB43EF0ED570A2B30F0E	6C8922697105CEC7894966C9C5553BEB64744717	DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)	Microsoft OOXML	C276F590BB846309A5E30ADC35C502AD	CA6D9D6902475F0BE500B12B7204DD1864E7DD02	782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)	Microsoft OOXML	CDF98D6B111CF35576343B962EA5EEC6	D481A70EC9835B82BD6E54316BF27FAD05F13A1C	E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)	Microsoft OOXML	B30D2EF0FC261AECE90B62E9C5597379	4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3	BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	97EEC245165F2296139EF8D4D43BBB66	0D91B68CCB6063EB342CFCED4F21A1CE4115C209	3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)	Microsoft OOXML	F03AB824395A8F1F1C4F92763E5C5CAD	A6E021918C3CEFFB6490222D37ECEED1FC435D52	D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)	Microsoft OOXML	FD5BBC58056522847B3B75750603DF0C	97313E85C0937739AF7C7FC084A10BF202AC9942	44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)	Microsoft OOXML	0E37AECABDB3FDF8AAFEDB9C6D693D2F	F29254D2476DF70979F723DE38A4BF41C341AC78	7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)	Microsoft OOXML	9E563D44C28B9632A7CF4BD046161994	D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11	86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	ACBA78931B156E4AF5C4EF9E4AB3003B	2A1F506749A046ECFB049F23EC43B429530EC489	943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)	Microsoft OOXML	EE33FDA08FBF10EF6450B875717F8887	7DFA77B8F4559115A6BF186EDE51727731D7107D	5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)	Microsoft OOXML	529795E0B55926752462CBF32C14E738	E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF	8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)	Microsoft OOXML	5AF1581E9E055B6E323129E4B07B1A45	B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD	BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)	Microsoft OOXML	5BDE450A4BD9EFC71C370C731E6CDF43	5B223FB902D06F9FCC70C37217277D1E95C8F39D	93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)	Microsoft OOXML	FB88BFB743EEA98506536FC44B053BD0	B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537	05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)	Microsoft OOXML	2192871A20313BEC581B277E405C6322	1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085	A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)	Microsoft OOXML	8BA551EEC497947FC39D1D48EC868B54	02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF	DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)	Microsoft OOXML	8109B3C170E6C2C114164B8947F88AA1	FC63956575842219443F4B4C07A8127FBD804C84	F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)	Microsoft OOXML	5D9BAD7ADB88CEE98C5203883261ACA1	FBF1647FCF19BCEA6C3CF4365C797338CA282CD2	8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)	Microsoft OOXML	7BC0A35807CD69C37A949BBD51880FF5	B5870846F44CAD890C6EFF2F272A037DA016F0D8	BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	950F3AB11CB67CC651082FEBE523AF63	418DE03AD2EF93D0BD29C3D7045E94D3771DACB4	9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	C9F9364C659E2F0C626AC0D0BB519062	C4036C576074819309D03BB74C188BF902D1AE00	6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)	Microsoft OOXML	20621E61A4C5B0FFEEC98FFB2B3BCD31	4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4	223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	08D3A25DD65E5E0D36ADC602AE68C77D	F23B6DDB3DA0015B1D8877796F7001CABA25EA64	58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)	Microsoft OOXML	D32E93F7782B21785424AE2BEA62B387	1D5589155C319E28383BC01ED722D4C2A05EF593	2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)	Microsoft OOXML	586CEBC1FAC6962F9E36388E5549FFE9	D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E	1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)	Microsoft OOXML	CDC1493350011DB9892100E94D5592FE	684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA	F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	E8308DA3D46D0BC30857243E1B7D330D	C7F8E54A63EB254C194A23137F269185E07F9D10	6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	0A4CA91036DC4F3CD8B6DBF18094CF25	6C7EED2530CD0032E9EEAB589AFBC296D106FBB9	E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	42A840DC06727E42D42C352703EC72AA	21AAAF517AFB76BF1AF4E06134786B1716241D29	02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	2F8998AA9CF348F1D6DE16EAB2D92070	85B13499937B4A584BEA0BFE60475FD4C73391B6	8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	031C246FFE0E2B623BBBD231E414E0D2	A57CA6134779D54691A4EFD344BC6948E253E0BA	2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)	Microsoft OOXML	67766FF48AF205B771B53AA2FA82B4F4	0964F8B9DC737E954E16984A585BDC37CE143D84	160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)	Microsoft OOXML	6C24ED9C7C868DB0D55492BB126EAFF8	C6D96D4D298573B70CF5C714151CF87532535888	48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	5632C4A81D2193986ACD29EADF1A2177	E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346	06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	9AC6DE7B629A4A802A41F93DB2C49747	3D6E929AA1330C869D83F2BF8EBEBACD197FB367	52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	51D32EE5BC7AB811041F799652D26E04	412193006AA3EF19E0A57E16ACF86B830993024A	6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	9888A214D362470A6189DEFF775BE139	32B552EB3C73CD7D0D9D924C96B27A86753E0F97	C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	F425D8C274A8571B625EE66A8CE60287	29899E309C56F2517C7D9385ECDBB719B9E2A12B	DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	33A829B4893044E1851725F4DAF20271	DAC368749004C255FB0777E79F6E4426E12E5EC8	C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	0C9731C90DD24ED5CA6AE283741078D0	BDD3D7E5B0DE9240805EA53EF2EB784A4A121064	ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	FF0E07EFF1333CDF9FC2523D323DD654	77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4	3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	3BF8591E1D808BCCAD8EE2B822CC156B	9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0	7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	377B3E355414466F3E3861BCE1844976	0B639A3880ACA3FD90FA918197A669CC005E2BA4	4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	F079EC5E2CCB9CD4529673BCDFB90486	FBA6696E6FA918F52997193168867DD3AEBE1AD6	3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	F883B260A8D67082EA895C14BF56DD56	7954565C1F243D46AD3B1E2F1BAF3281451FC14B	EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)	Microsoft Word 2007+	2AB22AC99ACFA8A82742E774323C0DBD	790F8B56DF79641E83A16E443A75A66E6AA2F244	BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)	Microsoft Word 2007+	5A53F55DD7DA8F10A8C0E711F548B335	035E685927DA2FECB88DE9CAF0BECEC88BC118A7	66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)	Microsoft Word 2007+	7CDFFC23FB85AD5737452762FA36AAA0	CFBC97247959B3142AFD7B6858AD37B18AFB3237	68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)	Microsoft Word 2007+	8BC84DB5A3B2F8AE2940D3FB19B43787	3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE	AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm (copy)	Microsoft Word 2007+	78586FF91B9497F18533FCC9367CCD15	FB3FFA40BE7C7796800B76AB61C1068CD963F249	C315B9DFA82567B4D23DEA532C275CB4D50BCDE746797E36B98AAB5CE3F7838B
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	4BDF0154FAA6D3F68C4ED4735C42EE2C	2368DDC755D7225CEA6454E33133E2C9985547ED	AB0BD1EBABA029D98C373BD2F311BD9BD88F70249BA2F6AD2129DA8CB90E4DE7
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp	Microsoft Word 2007+	78586FF91B9497F18533FCC9367CCD15	FB3FFA40BE7C7796800B76AB61C1068CD963F249	C315B9DFA82567B4D23DEA532C275CB4D50BCDE746797E36B98AAB5CE3F7838B
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\Desktop\~$LAqfmQfJ.docx	data	0866552BBCCA45DEBEE8DA113AE0CF46	38024F0329168311EE7E444AA11078DFF2D63123	6FE2D01809883BE8C2F2BB58C774B9D55518B7ED80444E281D9BE58CE0A13C56

ID:	1430946
Product:	CloudBasic
Start time:	12:16:30
Start date:	24.04.2024
Sample:	wELAqfmQfJ.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	06adf215b95b5fc30d4bb047eff45902
SHA1:	fb07bf1dc797ddeeb54f829a303eb63d44dafa23
SHA256:	2f019ee2e06ae78b7e9474cb961eb1375189b0a8c3c19e5d6b4ab048c5a7f5ad
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Windows Analysis Report
wELAqfmQfJ.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report wELAqfmQfJ.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
wELAqfmQfJ.docx