Joe Sandbox Cloud Basic

Want to search on specific fields?


Try our:

Advanced Search

Want to search in depth on all Cloud Basic reports?

Try: Joe Sandbox View

Register Login
sloganpng
top title background image
flash

New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Status: finished
Submission Time: 2024-07-22 15:50:09 +02:00
Malicious
Exploiter
Evader
Trojan
Spyware

Comments

Tags

  • docm

Details

  • Analysis ID:
    1478411
  • API (Web) ID:
    1478411
  • Analysis Started:
    2024-07-22 15:50:15 +02:00
  • Analysis Finished:
    2024-07-22 16:11:31 +02:00
  • MD5:
    dd2100dfa067caae416b885637adc4ef
  • SHA1:
    499f8881f4927e7b4a1a0448f62c60741ea6d44b
  • SHA256:
    803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Full Report Management Report IOC Report
malicious
Score: 88
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Full Report Management Report IOC Report
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

malicious
Score: 10/38

IPs

IP Country Detection
172.104.160.126
 United States
239.255.255.250
 Reserved
142.250.186.164
 United States

Domains

Name IP Detection
www.google.com
 142.250.186.164

URLs

Name Detection
http://172.104.160.126:8099/payload2.txt
http://172.104.160.126:8099
http://172.104.160.126:5000/Uploadss
Click to see the 33 hidden entries
http://172.104.160.
http://172.104.160.126:8099/pay
http://172.104.160.126:8099/pay0
http://172.104.160.126:8099/payload2.txton
https://aka.ms/vs/17/release/vc_redist.x64.exe
https://curl.se/docs/alt-svc.html#
https://curl.se/docs/copyright.htmlD
https://curl.se/docs/hsts.html#
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
http://172.104.160.126:8099/payload2.txtr
https://ac.ecosia.org/autocomplete?q=
http://172.104.160.126:8099/payload2.txts
https://curl.se/P
https://curl.se/docs/http-cookies.html#
http://172.104.160.126:8099/payload2.txt6
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
http://172.104.160.126:8099/payload2.txto
https://curl.se/docs/hsts.html
https://duckduckgo.com/chrome_newtab
https://curl.se/docs/sslcerts.htmlcurl
https://curl.se/docs/sslcerts.html
https://www.ecosia.org/newtab/
https://curl.se/docs/alt-svc.html
http://172.104.160.126:5000/Upl
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
http://172.104.160.126:8099/payload2.txt-oC:
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
http://172.104.160.126:80X99
https://curl.se/docs/http-cookies.html
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
https://duckduckgo.com/ac/?q=
https://curl.se/libcurl/c/curl_easy_setopt.html
http://172.104.160.126:8099/payload2.txt6ov

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Local\Temp\curl.txt
 PEM certificate
 #
C:\Users\user\AppData\Local\Temp\mscorsvc.dll
 PE32+ executable (DLL) (GUI) x86-64, for MS Windows
 #
Click to see the 279 hidden entries
C:\Users\user\AppData\Local\Temp\mscorsvc.txt
 PEM certificate
 #
C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
 JSON data
 #
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf
 TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CatalogCacheMetaData.xml
 XML 1.0 document, ASCII text, with very long lines (1298), with no line terminators
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectbronze.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectgalaxy.jpg
 JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectgold.jpg
 JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectlava.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectocean.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectrainbowglitter.jpg
 JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectrosegold.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\CloudGraphicsResources\Graphics\inkeffectsilver.jpg
 JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 540x540, components 3
 #
C:\Users\user\AppData\Local\Microsoft\GraphicsCache\1\oart.json
 JSON data
 #
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
 data
 #
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
 data
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\12BAF3EE.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x518, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1E8B5958.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 837x754, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\42ED3717.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 838x340, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\43172D61.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 837x754, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8C6EEAE0.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x744, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B1730126.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 838x340, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CC449979.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x518, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E611A7F3.jpg
 JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x744, components 3
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{085F5DEF-FD43-4377-836E-D631451649D2}.tmp
 Composite Document File V2 Document, Cannot read section info
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{43F4B375-8E7A-44EF-86E3-6C5BC465D1F2}.tmp
 Composite Document File V2 Document, Cannot read section info
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{505386B3-5C57-4893-9400-535E396A042F}.tmp
 data
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6FE5DC30-1E06-4128-B942-DEBBBBCDEE1D}.tmp
 data
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{894978C9-3668-4D31-AF1E-60B0DEF1662A}.tmp
 data
 #
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B3EC896D-9D96-4AE9-BA85-97C47E5353BA}.tmp
 data
 #
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1721656660101767000_EDECE918-A2EA-49DC-A414-445477A4F37D.log
 ASCII text, with very long lines (10173), with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1721656713704356800_77D492B2-7E92-413F-B233-B07670110F32.log
 ASCII text, with very long lines (28929), with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1721656713705260000_77D492B2-7E92-413F-B233-B07670110F32.log
 data
 #
C:\Users\user\AppData\Local\Temp\TCD3B14.tmp\Basis.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD3B14.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD3B15.tmp\Dividend.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD3B15.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7D37.tmp\BracketList.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7D37.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D38.tmp\CircleProcess.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7D38.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D39.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D39.tmp\InterconnectedBlockProcess.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7D4B.tmp\APASixthEditionOfficeOnline.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7D4B.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D5C.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D5C.tmp\gostname.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7D5D.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D5D.tmp\Equations.dotx
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Local\Temp\TCD7D9B.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7D9B.tmp\pictureorgchart.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7DAC.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DAC.tmp\sist02.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7DC2.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DC2.tmp\ConvergingText.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7DD3.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DD3.tmp\PictureFrame.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7DD4.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DD4.tmp\iso690nmerical.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7DE4.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DE4.tmp\chevronaccent.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7DE5.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DE5.tmp\ThemePictureAlternatingAccent.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7DF6.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7DF6.tmp\gb.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7E07.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E07.tmp\ThemePictureAccent.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7E08.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E08.tmp\TabList.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7E09.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E09.tmp\ThemePictureGrid.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7E19.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E19.tmp\iso690.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7E2A.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E2A.tmp\chicago.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7E4A.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E4A.tmp\rings.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7E5B.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E5B.tmp\architecture.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7E6B.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E6B.tmp\TabbedArc.glox
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD7E9B.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7E9B.tmp\gosttitle.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7EAC.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7EAC.tmp\HexagonRadial.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7EBD.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7EBD.tmp\harvardanglia2008officeonline.xsl
 XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7EBE.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7EBE.tmp\Text Sidebar (Annual Report Red and Black design).docx
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Local\Temp\TCD7EBF.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7EBF.tmp\mlaseventheditionofficeonline.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7EEE.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7EEE.tmp\RadialPictureList.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7F1F.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7F1F.tmp\Element design set.dotx
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Local\Temp\TCD7F45.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7F45.tmp\turabian.xsl
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7F55.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD7F55.tmp\VaryingWidthList.glox
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7F87.tmp\Metropolitan.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7F87.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7FB8.tmp\Banded.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7FB8.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7FD8.tmp\Wood_Type.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7FD8.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD7FF8.tmp\View.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD7FF8.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD8088.tmp\Parallax.thmx
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD8088.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD809A.tmp\Parcel.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD809A.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD80AA.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD80AA.tmp\ieee2006officeonline.xsl
 XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD80EC.tmp\Quotable.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD80EC.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD811C.tmp\Berlin.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD811C.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD81F8.tmp\Savon.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD81F8.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD8278.tmp\Circuit.thmx
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Local\Temp\TCD8278.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD82B8.tmp\Gallery.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD82B8.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD8337.tmp\Droplet.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD8337.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD8491.tmp\Slate.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD8491.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD851F.tmp\Damask.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD851F.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD860C.tmp\Mesh.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD860C.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD8727.tmp\Main_Event.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD8727.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD88D0.tmp\Vapor_Trail.thmx
 Microsoft OOXML
 #
C:\Users\user\AppData\Local\Temp\TCD88D0.tmp\content.inf
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Local\Temp\TCD88F0.tmp\Content.inf
 data
 #
C:\Users\user\AppData\Local\Temp\TCD88F0.tmp\Insight design set.dotx
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Local\Temp\cab3A95.tmp
 Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab3AD5.tmp
 Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D02.tmp
 Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D13.tmp
 Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D14.tmp
 Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D15.tmp
 Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D16.tmp
 Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D26.tmp
 Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D3A.tmp
 Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D3B.tmp
 Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D6E.tmp
 Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D6F.tmp
 Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D70.tmp
 Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D71.tmp
 Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D72.tmp
 Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D82.tmp
 Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D83.tmp
 Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D94.tmp
 Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D95.tmp
 Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D96.tmp
 Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D97.tmp
 Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D98.tmp
 Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D99.tmp
 Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7D9A.tmp
 Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7DAD.tmp
 Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7DAE.tmp
 Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7DAF.tmp
 Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7DB0.tmp
 Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7DB1.tmp
 Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7DC1.tmp
 Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F0F.tmp
 Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F30.tmp
 Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F41.tmp
 Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F42.tmp
 Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F43.tmp
 Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F44.tmp
 Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F66.tmp
 Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F67.tmp
 Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab7F98.tmp
 Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8028.tmp
 Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8058.tmp
 Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8089.tmp
 Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\cab80AB.tmp
 Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab80DB.tmp
 Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab81B9.tmp
 Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8209.tmp
 Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8258.tmp
 Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8307.tmp
 Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8451.tmp
 Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab84A1.tmp
 Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab858E.tmp
 Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab867A.tmp
 Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8832.tmp
 Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
 #
C:\Users\user\AppData\Local\Temp\cab8833.tmp
 Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
 #
C:\Users\user\AppData\Local\Temp\curl.exe
 PE32 executable (console) Intel 80386, for MS Windows
 #
C:\Users\user\AppData\Local\Temp\mso2566.tmp
 GIF image data, version 89a, 15 x 15
 #
C:\Users\user\AppData\Local\Temp\mso40F2.tmp
 GIF image data, version 89a, 15 x 15
 #
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl
 data
 #
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK
 MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 5 05:47:15 2023, mtime=Mon Jul 22 12:58:42 2024, atime=Mon Jul 22 12:57:38 2024, length=250145, window=hide
 #
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
 MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Directory, ctime=Mon Jul 22 12:57:39 2024, mtime=Mon Jul 22 12:59:07 2024, atime=Mon Jul 22 12:59:07 2024, length=0, window=hide
 #
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
 Generic INItialization configuration [folders]
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)
 Microsoft OOXML
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)
 XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)
 XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)
 XML 1.0 document, ASCII text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm (copy)
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
 data
 #
C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
 Microsoft Word 2007+
 #
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
 Unicode text, UTF-16, little-endian text, with CRLF line terminators
 #
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
 Unicode text, UTF-16, little-endian text, with no line terminators
 #
C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
 data
 #
C:\Users\user\Downloads\7f4ed3e9-8c0a-4989-857e-ae968b50b483.tmp
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip.crdownload
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
C:\Windows\Temp\Login Data
 SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
 #
C:\Windows\Temp\SGlzdG9yeQ==
 SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
 #
C:\Windows\Temp\SVBLR0VMTlRRWS5kb2N4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\SVBLR0VMTlRRWS5wZGY=
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\TVhQWENWUERWTi5kb2N4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\TkVCRlFRWVdQUy54bHN4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\TkVCRlFRWVdQUy5kb2N4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\U0ZQVVNBRklPTC54bHN4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\U0ZQVVNBRklPTC5kb2N4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\UElWRkFHRUFBVi5wZGY=
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\UU5DWUNERklKSi54bHN4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\UUNGV1lTS01IQS5wZGY=
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\V2ViIERhdGE=
 SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
 #
C:\Windows\Temp\WlFJWE1WUUdBSC54bHN4
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\WlFJWE1WUUdBSC5wZGY=
 ASCII text, with very long lines (1024), with CRLF line terminators
 #
C:\Windows\Temp\cGxhY2VzLnNxbGl0ZQ==
 SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
 #
C:\Windows\Temp\cookies.sqlite
 SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
 #
C:\Windows\Temp\cookies.sqlite-shm
 data
 #
C:\Windows\Temp\result.txt
 ASCII text, with CRLF line terminators
 #
Chrome Cache Entry: 371
 Zip archive data, at least v2.0 to extract, compression method=deflate
 #
\Device\ConDrv
 ASCII text, with CR, LF line terminators
 #