Automated Malware Analysis Management Report for BankPaymAdviceVend.Report.docx

Overview

General Information

Sample name:	BankPaymAdviceVend.Report.docx
Analysis ID:	1502190
MD5:	22eede72746e7a9a26f3f6d311a12a7e
SHA1:	6738d1a969194359c7c7579956269d77fed8d26f
SHA256:	2e1408013503cbc13466e2041bd3e045833ce65f5c91b7226e28e27d43d6eaf9
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Contains an external reference to another file

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://tt.vg/BVhaS	Avira URL Cloud: Label: phishing
Source: http://tt.vg/BVhaS	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: tt.vg	Virustotal: Detection: 5%	Perma Link
Source: http://tt.vg/BVhaS	Virustotal: Detection: 7%	Perma Link
Source: https://tt.vg/BVhaS	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Source: BankPaymAdviceVend.Report.docx	ReversingLabs: Detection: 66%
Source: BankPaymAdviceVend.Report.docx	Virustotal: Detection: 59%			Perma Link

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49707 version: TLS 1.2

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: tt.vg

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49698
Source: global traffic	TCP traffic: 192.168.2.16:49698 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49699
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49699
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49699
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49699
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49699
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49699
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49699 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49700 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49700
Source: global traffic	TCP traffic: 192.168.2.16:49700 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49700 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49700
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49700
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49700 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49703 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49703
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49705
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49705
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49705
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49705
Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.16:49700 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.16:49700
Source: global traffic	TCP traffic: 192.168.2.16:49700 -> 188.114.96.3:80

Source: winword.exe

Memory has grown: Private usage: 4MB later: 71MB

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /BVhaS HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: tt.vg
Source: global traffic	HTTP traffic detected: GET /BVhaS HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: tt.vgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /BVhaS HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: tt.vg
Source: global traffic	HTTP traffic detected: GET /BVhaS HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: tt.vgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: tt.vg

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 11:53:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-EncodingSet-Cookie: PHPSESSID=i8gl54qibf7il8mmf3e2knsqp9; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SjV7l7D6mpHjsddSIugwiy%2F6o%2B1gtcSEKXhMpJ2V0mezbkYZeAM5fvJbl%2B9zwtPWRJZS%2BWsDfjxVJTvhg%2FD8rQAAFn6CuEOy3MLizADYpcQCSXqUhOj6Mw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbcd242dedb0fa4-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 11:53:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: PHPSESSID=dsihvm7r2p2b3f7snkgbas200o; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=atEdInXFybdt6A6rKnAmwtMpc%2Fj4C9PTSOJ%2F9rnNJmOi1s9YWy4CFfGzI2R05usq24pFLZs3jssdCUvaBQTCHdtMeUbBXgVcMNv53nvo416z68wShXluMw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbcd24b8f034408-EWRalt-svc: h3=":443"; ma=86400

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr

String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49707 version: TLS 1.2

Document contains embedded VBA macros

Source: gb.xsl.0.dr	OLE indicator, VBA macros: true
Source: APASixthEditionOfficeOnline.xsl.0.dr	OLE indicator, VBA macros: true
Source: mlaseventheditionofficeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: turabian.xsl.0.dr	OLE indicator, VBA macros: true
Source: gosttitle.xsl.0.dr	OLE indicator, VBA macros: true
Source: ieee2006officeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: gostname.xsl.0.dr	OLE indicator, VBA macros: true
Source: iso690.xsl.0.dr	OLE indicator, VBA macros: true
Source: chicago.xsl.0.dr	OLE indicator, VBA macros: true
Source: harvardanglia2008officeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: sist02.xsl.0.dr	OLE indicator, VBA macros: true
Source: iso690nmerical.xsl.0.dr	OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: gb.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: APASixthEditionOfficeOnline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: mlaseventheditionofficeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: turabian.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gosttitle.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ieee2006officeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gostname.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: chicago.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: harvardanglia2008officeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sist02.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690nmerical.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{9E2773A0-B35E-4804-8D45-C4FECAD54F2D}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal68.evad.winDOCX@2/234@1/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{329DB35C-F535-493F-99B2-03CDA2B25E16} - OProcSessId.dat

Jump to behavior

Source: BankPaymAdviceVend.Report.docx	OLE indicator, Word Document stream: true
Source: BankPaymAdviceVend.Report.docx	OLE indicator, Word Document stream: true
Source: BankPaymAdviceVend.Report.docx	OLE indicator, Word Document stream: true
Source: BankPaymAdviceVend.Report.docx	OLE indicator, Word Document stream: true
Source: Element design set.dotx.0.dr	OLE indicator, Word Document stream: true
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	OLE indicator, Word Document stream: true
Source: Equations.dotx.0.dr	OLE indicator, Word Document stream: true
Source: Insight design set.dotx.0.dr	OLE indicator, Word Document stream: true

Source: BankPaymAdviceVend.Report.docx	OLE document summary: title field not present or empty
Source: BankPaymAdviceVend.Report.docx	OLE document summary: title field not present or empty
Source: BankPaymAdviceVend.Report.docx	OLE document summary: title field not present or empty
Source: BankPaymAdviceVend.Report.docx	OLE document summary: title field not present or empty
Source: ~WRF{9E2773A0-B35E-4804-8D45-C4FECAD54F2D}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{9E2773A0-B35E-4804-8D45-C4FECAD54F2D}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{9E2773A0-B35E-4804-8D45-C4FECAD54F2D}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: BankPaymAdviceVend.Report.docx	ReversingLabs: Detection: 66%
Source: BankPaymAdviceVend.Report.docx	Virustotal: Detection: 59%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\BankPaymAdviceVend.Report.docx" /o ""
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown			Jump to behavior

Source: BankPaymAdviceVend.Report.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\BankPaymAdviceVend.Report.docx

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/media/image4.emf
Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/embeddings/oleObject3.bin
Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/embeddings/oleObject4.bin
Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/media/image3.emf
Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/media/image2.emf
Source: BankPaymAdviceVend.Report.docx	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/item3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/media/image2.jpg
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/media/image10.jpeg
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: BankPaymAdviceVend.Report.docx

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://ballontechnologytoupdatethenewthingstodeliveredeverywhere@tt.vg/bvhas

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: BankPaymAdviceVend.Report.docx	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)
Source: BankPaymAdviceVend.Report.docx	Stream path 'CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: BankPaymAdviceVend.Report.docx	Stream path 'CONTENTS' entropy: 7.92548841078 (max. 8.0)
Source: BankPaymAdviceVend.Report.docx	Stream path 'CONTENTS' entropy: 7.94924924846 (max. 8.0)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Domain

Country

Flag

ASN

ASN Name

Malicious

188.114.96.3

tt.vg

European Union

13335

CLOUDFLARENETUS

true

Name

Active

bg.microsoft.map.fastly.net

199.232.214.172

true

tt.vg

188.114.96.3

true

Name

Malicious

Antivirus Detection

Reputation

https://tt.vg/BVhaS

true

8%, Virustotal, Browse
Avira URL Cloud: phishing

unknown

http://tt.vg/BVhaS

true

8%, Virustotal, Browse
Avira URL Cloud: phishing

unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	data	3F48085BC0AEE2F727289A2293625805	48D3D8F94EF079557F25D5C7AC1CCC0AB475E1DE	200C73B856EC0AD5A3CF4E53796D5E825D6657A5DA9FD8C5956C6BA7D15E8C19
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json	JSON data	C37972CBD8748E2CA6DA205839B16444	9834B46ACF560146DD7EE9086DB6019FBAC13B4E	D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365	4296A064B917926682E7EED650D4A745	3953A6AA9100F652A6CA533C2E05895E52343718	E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29F75E40.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	1FCB3F34B5588F6A647A06DFF1811BF9	1F5EF0E6E41C14795DECEDCEFC883AB9000FAC9A	A99E8172248DAC0B2A6243D06A862901989857B0C2ECBED5F25DDB0D1A95154E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4CE12E7B.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	4D59A7E93170340B5EC4009F7FA3AD31	E07421156DD87789F93F10904118343CA452BBB5	83473215E5C2160333AA92EA7F9B1276D8ED7DD66AFC472DC92C88055D189D7D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E55D4941.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	476C7C2F309C957F6428D04E94C4F64A	F1B0FA252BABFB7002DC87069A436AD71BDA532F	C0DA66B866CC999AEE20456C2EEE3EEFC05046B8F5DF3755F95FECB85F9F8BE5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F8459E4E.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	D69C22A341E111FEEA69DF6D8C655D60	AC862337F2EFA43627508927F5052CE694012206	05B2053BF1D070D6034B45CD79B54D80DA3C6D88D016671A345E75048B1A68DB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{9E2773A0-B35E-4804-8D45-C4FECAD54F2D}.tmp	Composite Document File V2 Document, Cannot read section info	364DD9BA6D5FC4F4BA18BBBC0C93D71A	E188149A395423F52EAAECB1F2F8AF71C11DD4EE	985DE27EBE1590654BEA8741643E19C64D7F3996B323353006AE417A617D7629
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{080F4DC9-01AB-42CF-8C1D-C627AE3F493A}.tmp	data	C4FB9636B11CBBBDB340791AE1B95084	7D1D3FFCB7C59F2348381B5AF4647DBDC8E368E5	3FB6C0D5AB57F750D323982FDC076848D04201A706C00BB394682023427BCD64
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{971D7DEF-31A7-4429-B214-77703BB8FAA3}.tmp	data	564298F155D985697F10E17622256908	B76AD06F0802FDE3EB7C17A55BCF81275A195673	74167ECF98F65C5567726304CDA98CB14344D83C2A7A8E18E97478C0ACFFF4D2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\BVhaS[1].htm	HTML document, ASCII text, with CRLF line terminators	0104C301C5E02BD6148B8703D19B3A73	7436E0B4B1F8C222C38069890B75FA2BAF9CA620	446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1725105215187024600_329DB35C-F535-493F-99B2-03CDA2B25E16.log	ASCII text, with very long lines (1392), with CRLF line terminators	18D5F9C9B5FA6FE442BC3A5319A0E51D	E203DAFEF93B74CD2E30E091778FBDA52FB266FF	028E17406E18C11DF85A65C1A68D91E21E61D526C3F15DC8A686210B77B2EB76
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1725105215187623700_329DB35C-F535-493F-99B2-03CDA2B25E16.log	data	8F4E33F3DC3E414FF94E5FB6905CBA8C	9674344C90C2F0646F0B78026E127C9B86E3AD77	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
C:\Users\user\AppData\Local\Temp\TCD2578.tmp\Content.inf	data	A0D51783BFEE86F3AC46A810404B6796	93C5B21938DA69363DBF79CE594C302344AF9D9E	47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
C:\Users\user\AppData\Local\Temp\TCD2578.tmp\gosttitle.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	F425D8C274A8571B625EE66A8CE60287	29899E309C56F2517C7D9385ECDBB719B9E2A12B	DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
C:\Users\user\AppData\Local\Temp\TCD2588.tmp\Content.inf	data	C15EB3F4306EBF75D1E7C3C9382DEECC	A3F9684794FFD59151A80F97770D4A79F1D030A6	23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
C:\Users\user\AppData\Local\Temp\TCD2588.tmp\turabian.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	F079EC5E2CCB9CD4529673BCDFB90486	FBA6696E6FA918F52997193168867DD3AEBE1AD6	3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
C:\Users\user\AppData\Local\Temp\TCD2589.tmp\Content.inf	data	333BA58FCE326DEA1E4A9DE67475AA95	F51FAD5385DC08F7D3E11E1165A18F2E8A028C14	66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
C:\Users\user\AppData\Local\Temp\TCD2589.tmp\mlaseventheditionofficeonline.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	377B3E355414466F3E3861BCE1844976	0B639A3880ACA3FD90FA918197A669CC005E2BA4	4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
C:\Users\user\AppData\Local\Temp\TCD258C.tmp\Content.inf	data	877A8A960B2140E3A0A2752550959DB9	FBEC17B332CBC42F2F16A1A08767623C7955DF48	FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
C:\Users\user\AppData\Local\Temp\TCD258C.tmp\gb.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	51D32EE5BC7AB811041F799652D26E04	412193006AA3EF19E0A57E16ACF86B830993024A	6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
C:\Users\user\AppData\Local\Temp\TCD258E.tmp\APASixthEditionOfficeOnline.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	5632C4A81D2193986ACD29EADF1A2177	E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346	06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
C:\Users\user\AppData\Local\Temp\TCD258E.tmp\Content.inf	data	C3216C3FC73A4B3FFFE7ED67153AB7B5	F20E4D33BABE978BE6A6925964C57D6E6EF1A92E	7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
C:\Users\user\AppData\Local\Temp\TCD2590.tmp\Content.inf	data	F25AC64EC63FA98D9E37782E2E49D6E6	97DD9CFA4A22F5B87F2B53EFA37332A9EF218204	834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
C:\Users\user\AppData\Local\Temp\TCD2590.tmp\ieee2006officeonline.xsl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	0C9731C90DD24ED5CA6AE283741078D0	BDD3D7E5B0DE9240805EA53EF2EB784A4A121064	ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
C:\Users\user\AppData\Local\Temp\TCD2591.tmp\Content.inf	data	8D9B02CC69FA40564E6C781A9CC9E626	352469A1ABB8DA1DC550D7E27924E552B0D39204	1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
C:\Users\user\AppData\Local\Temp\TCD2591.tmp\gostname.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	9888A214D362470A6189DEFF775BE139	32B552EB3C73CD7D0D9D924C96B27A86753E0F97	C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
C:\Users\user\AppData\Local\Temp\TCD25A4.tmp\Content.inf	data	9B8D7EFE8A69E41CDC2439C38FE59FAF	034D46BEC5E38E20E56DD905E2CA2F25AF947ED1	70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
C:\Users\user\AppData\Local\Temp\TCD25A4.tmp\iso690.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	FF0E07EFF1333CDF9FC2523D323DD654	77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4	3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
C:\Users\user\AppData\Local\Temp\TCD25A5.tmp\Content.inf	data	4A9A2E8DB82C90608C96008A5B6160EF	A49110814D9546B142C132EBB5B9D8A1EC23E2E6	4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
C:\Users\user\AppData\Local\Temp\TCD25A5.tmp\chicago.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	9AC6DE7B629A4A802A41F93DB2C49747	3D6E929AA1330C869D83F2BF8EBEBACD197FB367	52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
C:\Users\user\AppData\Local\Temp\TCD25A7.tmp\Content.inf	data	4EC6724CBBA516CF202A6BD17226D02C	E412C574D567F0BA68B4A31EDB46A6AB3546EA95	18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
C:\Users\user\AppData\Local\Temp\TCD25A7.tmp\harvardanglia2008officeonline.xsl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	33A829B4893044E1851725F4DAF20271	DAC368749004C255FB0777E79F6E4426E12E5EC8	C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
C:\Users\user\AppData\Local\Temp\TCD25CC.tmp\Content.inf	data	4DD225E2A305B50AF39084CE568B8110	C85173D49FC1522121AA2B0B2E98ADF4BB95B897	6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
C:\Users\user\AppData\Local\Temp\TCD25CC.tmp\chevronaccent.glox	Microsoft OOXML	7BC0A35807CD69C37A949BBD51880FF5	B5870846F44CAD890C6EFF2F272A037DA016F0D8	BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
C:\Users\user\AppData\Local\Temp\TCD25DE.tmp\Content.inf	data	149948E41627BE5DC454558E12AF2DA4	DB72388C037F0B638FCD007FAB46C916249720A8	1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
C:\Users\user\AppData\Local\Temp\TCD25DE.tmp\sist02.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	F883B260A8D67082EA895C14BF56DD56	7954565C1F243D46AD3B1E2F1BAF3281451FC14B	EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
C:\Users\user\AppData\Local\Temp\TCD25DF.tmp\Content.inf	data	9C00979164E78E3B890E56BE2DF00666	1FA3C439D214C34168ADF0FBA5184477084A0E51	21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
C:\Users\user\AppData\Local\Temp\TCD25DF.tmp\iso690nmerical.xsl	XML 1.0 document, ASCII text, with CRLF line terminators	3BF8591E1D808BCCAD8EE2B822CC156B	9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0	7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
C:\Users\user\AppData\Local\Temp\TCD25E0.tmp\CircleProcess.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	950F3AB11CB67CC651082FEBE523AF63	418DE03AD2EF93D0BD29C3D7045E94D3771DACB4	9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
C:\Users\user\AppData\Local\Temp\TCD25E0.tmp\Content.inf	data	D04EC08EFE18D1611BDB9A5EC0CC00B1	668FF6DFE64D5306220341FC2C1353199D122932	FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
C:\Users\user\AppData\Local\Temp\TCD25E1.tmp\Content.inf	data	1309D172F10DD53911779C89A06BBF65	274351A1059868E9DEB53ADF01209E6BFBDFADFB	C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
C:\Users\user\AppData\Local\Temp\TCD25E1.tmp\InterconnectedBlockProcess.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	08D3A25DD65E5E0D36ADC602AE68C77D	F23B6DDB3DA0015B1D8877796F7001CABA25EA64	58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
C:\Users\user\AppData\Local\Temp\TCD25F2.tmp\Content.inf	data	2F7A8FE4E5046175500AFFA228F99576	8A3DE74981D7917E6CE1198A3C8E35C7E2100F43	1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
C:\Users\user\AppData\Local\Temp\TCD25F2.tmp\Text Sidebar (Annual Report Red and Black design).docx	Microsoft Word 2007+	5A53F55DD7DA8F10A8C0E711F548B335	035E685927DA2FECB88DE9CAF0BECEC88BC118A7	66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
C:\Users\user\AppData\Local\Temp\TCD25F3.tmp\Content.inf	data	93149E194021B37162FD86684ED22401	1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1	50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
C:\Users\user\AppData\Local\Temp\TCD25F3.tmp\Equations.dotx	Microsoft Word 2007+	2AB22AC99ACFA8A82742E774323C0DBD	790F8B56DF79641E83A16E443A75A66E6AA2F244	BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
C:\Users\user\AppData\Local\Temp\TCD25F4.tmp\BracketList.glox	Microsoft OOXML	5D9BAD7ADB88CEE98C5203883261ACA1	FBF1647FCF19BCEA6C3CF4365C797338CA282CD2	8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
C:\Users\user\AppData\Local\Temp\TCD25F4.tmp\Content.inf	data	1A314B08BB9194A41E3794EF54017811	D1E70DB69CA737101524C75E634BB72F969464FF	9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
C:\Users\user\AppData\Local\Temp\TCD25F6.tmp\Content.inf	data	923D406B2170497AD4832F0AD3403168	A77DA08C9CB909206CDE42FE1543B9FE96DF24FB	EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
C:\Users\user\AppData\Local\Temp\TCD25F6.tmp\ConvergingText.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	C9F9364C659E2F0C626AC0D0BB519062	C4036C576074819309D03BB74C188BF902D1AE00	6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
C:\Users\user\AppData\Local\Temp\TCD2607.tmp\Content.inf	data	D79B5DE6D93AC06005761D88783B3EE6	E05BDCE2673B6AA8CBB17A138751EDFA2264DB91	96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
C:\Users\user\AppData\Local\Temp\TCD2607.tmp\architecture.glox	Microsoft OOXML	8109B3C170E6C2C114164B8947F88AA1	FC63956575842219443F4B4C07A8127FBD804C84	F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
C:\Users\user\AppData\Local\Temp\TCD2608.tmp\Content.inf	data	52BD0762F3DC77334807DDFC60D5F304	5962DA7C58F742046A116DDDA5DC8EA889C4CB0E	30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
C:\Users\user\AppData\Local\Temp\TCD2608.tmp\RadialPictureList.glox	Microsoft OOXML	CDC1493350011DB9892100E94D5592FE	684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA	F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
C:\Users\user\AppData\Local\Temp\TCD261B.tmp\Content.inf	data	69757AF3677EA8D80A2FBE44DEE7B9E4	26AF5881B48F0CB81F194D1D96E3658F8763467C	0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
C:\Users\user\AppData\Local\Temp\TCD261B.tmp\PictureFrame.glox	Microsoft OOXML	D32E93F7782B21785424AE2BEA62B387	1D5589155C319E28383BC01ED722D4C2A05EF593	2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
C:\Users\user\AppData\Local\Temp\TCD262B.tmp\Content.inf	data	E8B30D1070779CC14FBE93C8F5CF65BE	9C87F7BC66CF55634AB3F070064AAF8CC977CD05	2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
C:\Users\user\AppData\Local\Temp\TCD262B.tmp\HexagonRadial.glox	Microsoft OOXML	20621E61A4C5B0FFEEC98FFB2B3BCD31	4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4	223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
C:\Users\user\AppData\Local\Temp\TCD262C.tmp\Content.inf	data	C1B36A0547FB75445957A619201143AC	CDB0A18152F57653F1A707D39F3D7FB504E244A7	4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
C:\Users\user\AppData\Local\Temp\TCD262C.tmp\pictureorgchart.glox	Microsoft OOXML	586CEBC1FAC6962F9E36388E5549FFE9	D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E	1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
C:\Users\user\AppData\Local\Temp\TCD262D.tmp\Content.inf	data	A6B2731ECC78E7CED9ED5408AB4F2931	BA15D036D522978409846EA682A1D7778381266F	6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
C:\Users\user\AppData\Local\Temp\TCD262D.tmp\TabList.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	0A4CA91036DC4F3CD8B6DBF18094CF25	6C7EED2530CD0032E9EEAB589AFBC296D106FBB9	E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
C:\Users\user\AppData\Local\Temp\TCD2651.tmp\Content.inf	data	6C489D45F3B56845E68BE07EA804C698	C4C9012C0159770CB882870D4C92C307126CEC3F	3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
C:\Users\user\AppData\Local\Temp\TCD2651.tmp\ThemePictureAccent.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	42A840DC06727E42D42C352703EC72AA	21AAAF517AFB76BF1AF4E06134786B1716241D29	02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
C:\Users\user\AppData\Local\Temp\TCD2652.tmp\Content.inf	data	6F8FE7B05855C203F6DEC5C31885DD08	9CC27D17B654C6205284DECA3278DA0DD0153AFF	B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
C:\Users\user\AppData\Local\Temp\TCD2652.tmp\ThemePictureGrid.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	031C246FFE0E2B623BBBD231E414E0D2	A57CA6134779D54691A4EFD344BC6948E253E0BA	2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
C:\Users\user\AppData\Local\Temp\TCD2653.tmp\Content.inf	data	16711B951E1130126E240A6E4CC2E382	8095AA79AEE029FD06428244CA2A6F28408448DB	855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
C:\Users\user\AppData\Local\Temp\TCD2653.tmp\TabbedArc.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	E8308DA3D46D0BC30857243E1B7D330D	C7F8E54A63EB254C194A23137F269185E07F9D10	6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
C:\Users\user\AppData\Local\Temp\TCD2675.tmp\Content.inf	data	3D52060B74D7D448DC733FFE5B92CB52	3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC	BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
C:\Users\user\AppData\Local\Temp\TCD2675.tmp\ThemePictureAlternatingAccent.glox	Zip archive data, at least v2.0 to extract, compression method=deflate	2F8998AA9CF348F1D6DE16EAB2D92070	85B13499937B4A584BEA0BFE60475FD4C73391B6	8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
C:\Users\user\AppData\Local\Temp\TCD2676.tmp\Content.inf	data	63E8B0621B5DEFE1EF17F02EFBFC2436	2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953	9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
C:\Users\user\AppData\Local\Temp\TCD2676.tmp\VaryingWidthList.glox	Microsoft OOXML	67766FF48AF205B771B53AA2FA82B4F4	0964F8B9DC737E954E16984A585BDC37CE143D84	160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
C:\Users\user\AppData\Local\Temp\TCD2697.tmp\Content.inf	data	2240CF2315F2EB448CEA6E9CE21B5AC5	46332668E2169E86760CBD975FF6FA9DB5274F43	0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
C:\Users\user\AppData\Local\Temp\TCD2697.tmp\rings.glox	Microsoft OOXML	6C24ED9C7C868DB0D55492BB126EAFF8	C6D96D4D298573B70CF5C714151CF87532535888	48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
C:\Users\user\AppData\Local\Temp\TCD26D8.tmp\Banded.thmx	Microsoft OOXML	4A1657A3872F9A77EC257F41B8F56B3D	4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B	C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
C:\Users\user\AppData\Local\Temp\TCD26D8.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	487E25E610F3FC2EEA27AB54324EA8F6	11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C	022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
C:\Users\user\AppData\Local\Temp\TCD2709.tmp\Content.inf	data	0F98498818DC28E82597356E2650773C	1995660972A978D17BC483FCB5EE6D15E7058046	4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
C:\Users\user\AppData\Local\Temp\TCD2709.tmp\Element design set.dotx	Microsoft Word 2007+	7CDFFC23FB85AD5737452762FA36AAA0	CFBC97247959B3142AFD7B6858AD37B18AFB3237	68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
C:\Users\user\AppData\Local\Temp\TCD27B7.tmp\Dividend.thmx	Microsoft OOXML	D676DE8877ACEB43EF0ED570A2B30F0E	6C8922697105CEC7894966C9C5553BEB64744717	DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
C:\Users\user\AppData\Local\Temp\TCD27B7.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	76340C3F8A0BFCEDAB48B08C57D9B559	E1A6672681AA6F6D525B1D17A15BF4F912C4A69B	78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
C:\Users\user\AppData\Local\Temp\TCD27DC.tmp\Frame.thmx	Microsoft OOXML	C276F590BB846309A5E30ADC35C502AD	CA6D9D6902475F0BE500B12B7204DD1864E7DD02	782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
C:\Users\user\AppData\Local\Temp\TCD27DC.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	71CCB69AF8DD9821F463270FB8CBB285	8FED3EB733A74B2A57D72961F0E4CF8BCA42C851	8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
C:\Users\user\AppData\Local\Temp\TCD27DD.tmp\Basis.thmx	Microsoft OOXML	3B5E44DDC6AE612E0346C58C2A5390E3	23BCF3FCB61F80C91D2CFFD8221394B1CB359C87	9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
C:\Users\user\AppData\Local\Temp\TCD27DD.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	133D126F0DE2CC4B29ECE38194983265	D8D701298D7949BE6235493925026ED405290D43	08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
C:\Users\user\AppData\Local\Temp\TCD27ED.tmp\Metropolitan.thmx	Microsoft OOXML	B30D2EF0FC261AECE90B62E9C5597379	4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3	BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
C:\Users\user\AppData\Local\Temp\TCD27ED.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	23D59577F4AE6C6D1527A1B8CDB9AB19	A345D683E54D04CC0105C4BFFCEF8C6617A0093D	9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
C:\Users\user\AppData\Local\Temp\TCD27EE.tmp\View.thmx	Microsoft OOXML	0E37AECABDB3FDF8AAFEDB9C6D693D2F	F29254D2476DF70979F723DE38A4BF41C341AC78	7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
C:\Users\user\AppData\Local\Temp\TCD27EE.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	35AFE8D8724F3E19EB08274906926A0B	435B528AAF746428A01F375226C5A6A04099DF75	97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
C:\Users\user\AppData\Local\Temp\TCD27FF.tmp\Wood_Type.thmx	Microsoft OOXML	35200E94CEB3BB7A8B34B4E93E039023	5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D	6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
C:\Users\user\AppData\Local\Temp\TCD27FF.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	5728F26DF04D174DE9BDFF51D0668E2A	C998DF970655E4AF9C270CC85901A563CFDBCC22	979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
C:\Users\user\AppData\Local\Temp\TCD28EC.tmp\Parcel.thmx	Microsoft OOXML	8BA551EEC497947FC39D1D48EC868B54	02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF	DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
C:\Users\user\AppData\Local\Temp\TCD28EC.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	960E28B1E0AB3522A8A8558C02694ECF	8387E9FD5179A8C811CCB5878BAC305E6A166F93	2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
C:\Users\user\AppData\Local\Temp\TCD28FD.tmp\Parallax.thmx	Zip archive data, at least v2.0 to extract, compression method=deflate	97EEC245165F2296139EF8D4D43BBB66	0D91B68CCB6063EB342CFCED4F21A1CE4115C209	3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
C:\Users\user\AppData\Local\Temp\TCD28FD.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	7956D2B60E2A254A07D46BCA07D0EFF0	AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5	C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
C:\Users\user\AppData\Local\Temp\TCD294E.tmp\Quotable.thmx	Microsoft OOXML	F03AB824395A8F1F1C4F92763E5C5CAD	A6E021918C3CEFFB6490222D37ECEED1FC435D52	D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
C:\Users\user\AppData\Local\Temp\TCD294E.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	BD6B5A98CA4E6C5DBA57C5AD167EDD00	CCFF7F635B31D12707DC0AC6D1191AB5C4760107	F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
C:\Users\user\AppData\Local\Temp\TCD295F.tmp\Berlin.thmx	Microsoft OOXML	9E563D44C28B9632A7CF4BD046161994	D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11	86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
C:\Users\user\AppData\Local\Temp\TCD295F.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	327DA4A5C757C0F1449976BE82653129	CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71	341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
C:\Users\user\AppData\Local\Temp\TCD2A7B.tmp\Gallery.thmx	Microsoft OOXML	2192871A20313BEC581B277E405C6322	1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085	A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
C:\Users\user\AppData\Local\Temp\TCD2A7B.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1C5D58A5ED3B40486BC22B254D17D1DD	69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A	EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
C:\Users\user\AppData\Local\Temp\TCD2A8D.tmp\Savon.thmx	Microsoft OOXML	FD5BBC58056522847B3B75750603DF0C	97313E85C0937739AF7C7FC084A10BF202AC9942	44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
C:\Users\user\AppData\Local\Temp\TCD2A8D.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	CD465E8DA15E26569897213CA9F6BC9C	9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C	D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
C:\Users\user\AppData\Local\Temp\TCD2ABC.tmp\Circuit.thmx	Zip archive data, at least v2.0 to extract, compression method=deflate	ACBA78931B156E4AF5C4EF9E4AB3003B	2A1F506749A046ECFB049F23EC43B429530EC489	943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
C:\Users\user\AppData\Local\Temp\TCD2ABC.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	40FF521ED2BA1B015F17F0B0E5D95068	0F29C084311084B8FDFE67855884D8EB60BDE1A6	CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
C:\Users\user\AppData\Local\Temp\TCD2B6A.tmp\Droplet.thmx	Microsoft OOXML	529795E0B55926752462CBF32C14E738	E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF	8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
C:\Users\user\AppData\Local\Temp\TCD2B6A.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	AA7B919B21FD42C457948DE1E2988CB3	19DA49CF5540E5840E95F4E722B54D44F3154E04	5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
C:\Users\user\AppData\Local\Temp\TCD3051.tmp\Damask.thmx	Microsoft OOXML	EE33FDA08FBF10EF6450B875717F8887	7DFA77B8F4559115A6BF186EDE51727731D7107D	5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
C:\Users\user\AppData\Local\Temp\TCD3051.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	06B3DDEFF905F75FA5FA5C5B70DCB938	E441B94F0621D593DC870A27B28AC6BE3842E7DB	72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
C:\Users\user\AppData\Local\Temp\TCD3052.tmp\Slate.thmx	Microsoft OOXML	5BDE450A4BD9EFC71C370C731E6CDF43	5B223FB902D06F9FCC70C37217277D1E95C8F39D	93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
C:\Users\user\AppData\Local\Temp\TCD3052.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	5402138088A9CF0993C08A0CA81287B8	D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A	5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
C:\Users\user\AppData\Local\Temp\TCD3082.tmp\Mesh.thmx	Microsoft OOXML	CDF98D6B111CF35576343B962EA5EEC6	D481A70EC9835B82BD6E54316BF27FAD05F13A1C	E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
C:\Users\user\AppData\Local\Temp\TCD3082.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	8D1E1991838307E4C2197ECB5BA9FA79	4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93	4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
C:\Users\user\AppData\Local\Temp\TCD3083.tmp\Main_Event.thmx	Microsoft OOXML	5AF1581E9E055B6E323129E4B07B1A45	B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD	BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
C:\Users\user\AppData\Local\Temp\TCD3083.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C9812793A4E94320C49C7CA054EE6AA4	CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA	A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
C:\Users\user\AppData\Local\Temp\TCD321C.tmp\Vapor_Trail.thmx	Microsoft OOXML	FB88BFB743EEA98506536FC44B053BD0	B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537	05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
C:\Users\user\AppData\Local\Temp\TCD321C.tmp\content.inf	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0FEA64606C519B78B7A52639FEA11492	FC9A6D5185088318032FD212F6BDCBD1CF2FFE76	60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
C:\Users\user\AppData\Local\Temp\TCD321D.tmp\Content.inf	data	55BA5B2974A072B131249FD9FD42EB91	6509F8AC0AA23F9B8F3986217190F10206A691EA	13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
C:\Users\user\AppData\Local\Temp\TCD321D.tmp\Insight design set.dotx	Microsoft Word 2007+	8BC84DB5A3B2F8AE2940D3FB19B43787	3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE	AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
C:\Users\user\AppData\Local\Temp\cab2551.tmp	Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	6D787B1E223DB6B91B69238062CCA872	A02F3D847D1F8973E854B89D4558413EA2E349F7	DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
C:\Users\user\AppData\Local\Temp\cab2561.tmp	Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	F10DF902980F1D5BEEA96B2C668408A7	92D341581B9E24284B7C29E5623F8028DBBAAFE9	E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
C:\Users\user\AppData\Local\Temp\cab2562.tmp	Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression	62863124CDCDA135ECC0E722782CB888	2543B8A9D3B2304BB73D2ADBEC60DB040B732055	23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
C:\Users\user\AppData\Local\Temp\cab2563.tmp	Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	69EDB3BF81C99FE8A94BBA03408C5AE1	1AC85B369A976F35244BEEFA9C06787055C869C1	CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
C:\Users\user\AppData\Local\Temp\cab2564.tmp	Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	91AADBEC4171CFA8292B618492F5EF34	A47DEB62A21056376DD8F862E1300F1E7DC69D1D	7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
C:\Users\user\AppData\Local\Temp\cab2565.tmp	Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression	E033CCBC7BA787A2F824CE0952E57D44	EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A	D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
C:\Users\user\AppData\Local\Temp\cab2566.tmp	Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression	53EE9DA49D0B84357038ECF376838D2E	AB03F46783B2227F312187DD84DC0C517510DE20	9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
C:\Users\user\AppData\Local\Temp\cab2567.tmp	Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	92A819D434A8AAEA2C65F0CC2F33BB3A	85C3F1801EFFEA1EA10A8429B0875FC30893F2C8	5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
C:\Users\user\AppData\Local\Temp\cab258A.tmp	Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	205AF51604EF96EF1E8E60212541F742	D436FE689F8EF51FBA898454CF509DDB049C1545	DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
C:\Users\user\AppData\Local\Temp\cab258B.tmp	Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression	1D6F8E73A0662A48D332090A4C8C898F	CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C	8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
C:\Users\user\AppData\Local\Temp\cab258D.tmp	Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression	51804E255C573176039F4D5B55C12AB2	A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B	3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
C:\Users\user\AppData\Local\Temp\cab258F.tmp	Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression	D3C9036E4E1159E832B1B4D2E9D42BF0	966E04B7A8016D7FDAFE2C611957F6E946FAB1B9	434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
C:\Users\user\AppData\Local\Temp\cab25A2.tmp	Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression	DA3380458170E60CBEA72602FDD0D955	1D059F8CFD69F193D363DA337C87136885018F0F	6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
C:\Users\user\AppData\Local\Temp\cab25A3.tmp	Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression	C455C4BC4BEC9E0DA67C4D1E53E46D5A	7674600C387114B0F98EC925BE74E811FB25C325	40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
C:\Users\user\AppData\Local\Temp\cab25A6.tmp	Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	4EFA48EC307EAF2F9B346A073C67FCFB	76A7E1234FF29A2B18C968F89082A14C9C851A43	3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
C:\Users\user\AppData\Local\Temp\cab25B8.tmp	Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	66C5199CF4FB18BD4F9F3F2CCB074007	BA9D8765FFC938549CC19B69B3BF5E6522FB062E	4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
C:\Users\user\AppData\Local\Temp\cab25B9.tmp	Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	89A9818E6658D73A73B642522FF8701F	E66C95E957B74E90B444FF16D9B270ADAB12E0F4	F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
C:\Users\user\AppData\Local\Temp\cab25BA.tmp	Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	ABBF10CEE9480E41D81277E9538F98CB	F4EA53D180C95E78CC1DA88CD63F4C099BF0512C	557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
C:\Users\user\AppData\Local\Temp\cab25BB.tmp	Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	E3C64173B2F4AA7AB72E1396A9514BD8	774E52F7E74B90E6A520359840B0CA54B3085D88	16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
C:\Users\user\AppData\Local\Temp\cab25BC.tmp	Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	F913DD84915753042D856CEC4E5DABA5	FB1E423C8D09388C3F0B6D44364D94D786E8CF53	AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
C:\Users\user\AppData\Local\Temp\cab25CD.tmp	Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	C47E3430AF813DF8B02E1CB4829DD94B	35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC	F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
C:\Users\user\AppData\Local\Temp\cab25F5.tmp	Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	7BF88B3CA20EB71ED453A3361908E010	F75F86557051160507397F653D7768836E3B5655	E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
C:\Users\user\AppData\Local\Temp\cab2606.tmp	Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	486CBCB223B873132FFAF4B8AD0AD044	B0EC82CD986C2AB5A51C577644DE32CFE9B12F92	B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
C:\Users\user\AppData\Local\Temp\cab2619.tmp	Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	D30AD26DBB6DECA4FDD294F48EDAD55D	CA767A1B6AF72CF170C9E10438F61797E0F2E8CE	6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
C:\Users\user\AppData\Local\Temp\cab261A.tmp	Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	7C645EC505982FE529D0E5035B378FFC	1488ED81B350938D68A47C7F0BCE8D91FB1673E2	298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
C:\Users\user\AppData\Local\Temp\cab263E.tmp	Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	EE0129C7CC1AC92BBC3D6CB0F653FCAE	4ABAA858176B349BDAB826A7C5F9F00AC5499580	345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
C:\Users\user\AppData\Local\Temp\cab263F.tmp	Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	EF9CB8BDFBC08F03BEF519AD66BA642F	D98C275E9402462BF52A4D28FAF57DF0D232AF6B	93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
C:\Users\user\AppData\Local\Temp\cab2640.tmp	Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	8B29FAB506FD65C21C9CD6FE6BBBC146	CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF	773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
C:\Users\user\AppData\Local\Temp\cab2663.tmp	Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	E532038762503FFA1371DF03FA2E222D	F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0	5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
C:\Users\user\AppData\Local\Temp\cab2664.tmp	Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	B9A6FF715719EE9DE16421AB983CA745	6B3F68B224020CD4BF142D7EDAAEC6B471870358	E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
C:\Users\user\AppData\Local\Temp\cab2687.tmp	Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression	97F5B7B7E9E1281999468A5C42CB12E7	99481B2FA609D1D80A9016ADAA3D37E7707A2ED1	1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
C:\Users\user\AppData\Local\Temp\cab26B7.tmp	Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression	0EBC45AA0E67CC435D0745438371F948	5584210C4A8B04F9C78F703734387391D6B5B347	3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
C:\Users\user\AppData\Local\Temp\cab26F8.tmp	Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression	21A4B7B71631C2CCDA5FBBA63751F0D2	DE65DC641D188062EF9385CC573B070AAA8BDD28	AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
C:\Users\user\AppData\Local\Temp\cab27A6.tmp	Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression	84D8F3848E7424CBE3801F9570E05018	71D7F2621DA8B295CE6885F8C7C81016D583C6B1	B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
C:\Users\user\AppData\Local\Temp\cab27B6.tmp	Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression	21437897C9B88AC2CB2BB2FEF922D191	0CAD3D026AF2270013F67E43CB44F0568013162D	372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
C:\Users\user\AppData\Local\Temp\cab27B8.tmp	Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression	9A07035EF802BF89F6ED254D0DB02AB0	9A48C1962B5CF1EE37FEEC861A5B51CE11091E78	6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
C:\Users\user\AppData\Local\Temp\cab27C9.tmp	Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression	65828DC7BE8BA1CE61AD7142252ACC54	538B186EAF960A076474A64F508B6C47B7699DD3	849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
C:\Users\user\AppData\Local\Temp\cab27CA.tmp	Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression	26BEAB9CCEAFE4FBF0B7C0362681A9D2	F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601	217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
C:\Users\user\AppData\Local\Temp\cab27CB.tmp	Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression	748A53C6BDD5CE97BD54A76C7A334286	7DD9EEDB13AC187E375AD70F0622518662C61D9F	9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
C:\Users\user\AppData\Local\Temp\cab28CB.tmp	Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression	93FA9F779520AB2D22AC4EA864B7BB34	D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A	6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
C:\Users\user\AppData\Local\Temp\cab28DC.tmp	Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression	1C12315C862A745A647DAD546EB4267E	B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6	4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
C:\Users\user\AppData\Local\Temp\cab292D.tmp	Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression	F93364EEC6C4FFA5768DE545A2C34F07	166398552F6B7F4509732E148F93E207DD60420B	296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
C:\Users\user\AppData\Local\Temp\cab293D.tmp	Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression	E29CE2663A56A1444EAA3732FFB82940	767A14B51BE74D443B5A3FEFF4D870C61CB76501	3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
C:\Users\user\AppData\Local\Temp\cab2A4A.tmp	Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression	D4EAC009E9E7B64B8B001AE82B8102FA	D8D166494D5813DB20EA1231DA4B1F8A9B312119	8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
C:\Users\user\AppData\Local\Temp\cab2A5B.tmp	Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression	E1101CCA6E3FEDB28B57AF4C41B50D37	990421B1D858B756E6695B004B26CDCCAE478C23	69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
C:\Users\user\AppData\Local\Temp\cab2A8C.tmp	Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression	BF95E967E7D1CEC8EFE426BC0127D3DE	BA44C5500A36D748A9A60A23DB47116D37FD61BC	4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
C:\Users\user\AppData\Local\Temp\cab2B3A.tmp	Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression	9C9F49A47222C18025CC25575337A965	E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0	ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
C:\Users\user\AppData\Local\Temp\cab2FFF.tmp	Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression	828F96031F40BF8EBCB5E52AAEEB7E4C	CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2	640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
C:\Users\user\AppData\Local\Temp\cab3000.tmp	Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression	53C5F45B22E133B28D4BD3B5A350FDBD	D180CFB1438D27F76E1919DA3E84F307CB83434F	8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
C:\Users\user\AppData\Local\Temp\cab3030.tmp	Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression	F256ACA509B4C6C0144D278C7036B0A8	93F6106D0759AFD0061F73B876AA9CAB05AA8EF6	AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
C:\Users\user\AppData\Local\Temp\cab3031.tmp	Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression	BEB12A0464D096CA33BAEA4352CE800F	F678D650B4A41676BA05C836D462F34BDC5BF648	A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
C:\Users\user\AppData\Local\Temp\cab31BD.tmp	Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression	8867BDF5FC754DA9DA6F5BA341334595	5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9	42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
C:\Users\user\AppData\Local\Temp\cab31BE.tmp	Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression	749C3615E54C8E6875518CFD84E5A1B2	64D51EB1156E850ECA706B00961C8B101F5AC2FC	F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl	data	C88948A666EA075D44C12B8A3E16D231	23FFF9047F338CAC26546F2793F1C6AA04593849	C6F25F45668521DB15041B13104D1879BA2643D5DDA36C0EB8E7081EB09EA44E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BankPaymAdviceVend.Report.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Feb 7 13:57:18 2024, mtime=Wed Jul 31 10:53:39 2024, atime=Wed Jul 31 10:53:34 2024, length=449387, window=hide	09D7F813426B1D1E5E468BDE55F153B7	0176F720774669671766F871EDDF083C5B28A12F	CF88DF421765F53B91E2E78B5DB1779437C4B8354ECCFC141503B965C041B632
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	69F19BFE26D67D893224974DFE875782	1448B74182A542FFD083C7E5E1ECB39042815B08	BAAE1C39C0D29BDC564F16FFB3697AAD9B98E52BDC4EEBC8FA904BE13A0FB4CA
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)	Microsoft OOXML	4A1657A3872F9A77EC257F41B8F56B3D	4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B	C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)	Microsoft OOXML	35200E94CEB3BB7A8B34B4E93E039023	5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D	6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)	Microsoft OOXML	3B5E44DDC6AE612E0346C58C2A5390E3	23BCF3FCB61F80C91D2CFFD8221394B1CB359C87	9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)	Microsoft OOXML	D676DE8877ACEB43EF0ED570A2B30F0E	6C8922697105CEC7894966C9C5553BEB64744717	DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)	Microsoft OOXML	C276F590BB846309A5E30ADC35C502AD	CA6D9D6902475F0BE500B12B7204DD1864E7DD02	782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)	Microsoft OOXML	CDF98D6B111CF35576343B962EA5EEC6	D481A70EC9835B82BD6E54316BF27FAD05F13A1C	E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)	Microsoft OOXML	B30D2EF0FC261AECE90B62E9C5597379	4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3	BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	97EEC245165F2296139EF8D4D43BBB66	0D91B68CCB6063EB342CFCED4F21A1CE4115C209	3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)	Microsoft OOXML	F03AB824395A8F1F1C4F92763E5C5CAD	A6E021918C3CEFFB6490222D37ECEED1FC435D52	D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)	Microsoft OOXML	FD5BBC58056522847B3B75750603DF0C	97313E85C0937739AF7C7FC084A10BF202AC9942	44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)	Microsoft OOXML	0E37AECABDB3FDF8AAFEDB9C6D693D2F	F29254D2476DF70979F723DE38A4BF41C341AC78	7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)	Microsoft OOXML	9E563D44C28B9632A7CF4BD046161994	D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11	86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	ACBA78931B156E4AF5C4EF9E4AB3003B	2A1F506749A046ECFB049F23EC43B429530EC489	943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)	Microsoft OOXML	EE33FDA08FBF10EF6450B875717F8887	7DFA77B8F4559115A6BF186EDE51727731D7107D	5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)	Microsoft OOXML	529795E0B55926752462CBF32C14E738	E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF	8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)	Microsoft OOXML	5AF1581E9E055B6E323129E4B07B1A45	B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD	BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)	Microsoft OOXML	5BDE450A4BD9EFC71C370C731E6CDF43	5B223FB902D06F9FCC70C37217277D1E95C8F39D	93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)	Microsoft OOXML	FB88BFB743EEA98506536FC44B053BD0	B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537	05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)	Microsoft OOXML	2192871A20313BEC581B277E405C6322	1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085	A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)	Microsoft OOXML	8BA551EEC497947FC39D1D48EC868B54	02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF	DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)	Microsoft OOXML	8109B3C170E6C2C114164B8947F88AA1	FC63956575842219443F4B4C07A8127FBD804C84	F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)	Microsoft OOXML	5D9BAD7ADB88CEE98C5203883261ACA1	FBF1647FCF19BCEA6C3CF4365C797338CA282CD2	8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)	Microsoft OOXML	7BC0A35807CD69C37A949BBD51880FF5	B5870846F44CAD890C6EFF2F272A037DA016F0D8	BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	950F3AB11CB67CC651082FEBE523AF63	418DE03AD2EF93D0BD29C3D7045E94D3771DACB4	9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	C9F9364C659E2F0C626AC0D0BB519062	C4036C576074819309D03BB74C188BF902D1AE00	6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)	Microsoft OOXML	20621E61A4C5B0FFEEC98FFB2B3BCD31	4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4	223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	08D3A25DD65E5E0D36ADC602AE68C77D	F23B6DDB3DA0015B1D8877796F7001CABA25EA64	58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)	Microsoft OOXML	D32E93F7782B21785424AE2BEA62B387	1D5589155C319E28383BC01ED722D4C2A05EF593	2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)	Microsoft OOXML	586CEBC1FAC6962F9E36388E5549FFE9	D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E	1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)	Microsoft OOXML	CDC1493350011DB9892100E94D5592FE	684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA	F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	E8308DA3D46D0BC30857243E1B7D330D	C7F8E54A63EB254C194A23137F269185E07F9D10	6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	0A4CA91036DC4F3CD8B6DBF18094CF25	6C7EED2530CD0032E9EEAB589AFBC296D106FBB9	E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	42A840DC06727E42D42C352703EC72AA	21AAAF517AFB76BF1AF4E06134786B1716241D29	02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	2F8998AA9CF348F1D6DE16EAB2D92070	85B13499937B4A584BEA0BFE60475FD4C73391B6	8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)	Zip archive data, at least v2.0 to extract, compression method=deflate	031C246FFE0E2B623BBBD231E414E0D2	A57CA6134779D54691A4EFD344BC6948E253E0BA	2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)	Microsoft OOXML	67766FF48AF205B771B53AA2FA82B4F4	0964F8B9DC737E954E16984A585BDC37CE143D84	160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)	Microsoft OOXML	6C24ED9C7C868DB0D55492BB126EAFF8	C6D96D4D298573B70CF5C714151CF87532535888	48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	5632C4A81D2193986ACD29EADF1A2177	E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346	06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	9AC6DE7B629A4A802A41F93DB2C49747	3D6E929AA1330C869D83F2BF8EBEBACD197FB367	52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	51D32EE5BC7AB811041F799652D26E04	412193006AA3EF19E0A57E16ACF86B830993024A	6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	9888A214D362470A6189DEFF775BE139	32B552EB3C73CD7D0D9D924C96B27A86753E0F97	C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	F425D8C274A8571B625EE66A8CE60287	29899E309C56F2517C7D9385ECDBB719B9E2A12B	DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	33A829B4893044E1851725F4DAF20271	DAC368749004C255FB0777E79F6E4426E12E5EC8	C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	0C9731C90DD24ED5CA6AE283741078D0	BDD3D7E5B0DE9240805EA53EF2EB784A4A121064	ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	FF0E07EFF1333CDF9FC2523D323DD654	77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4	3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	3BF8591E1D808BCCAD8EE2B822CC156B	9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0	7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	377B3E355414466F3E3861BCE1844976	0B639A3880ACA3FD90FA918197A669CC005E2BA4	4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	F079EC5E2CCB9CD4529673BCDFB90486	FBA6696E6FA918F52997193168867DD3AEBE1AD6	3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	F883B260A8D67082EA895C14BF56DD56	7954565C1F243D46AD3B1E2F1BAF3281451FC14B	EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)	Microsoft Word 2007+	2AB22AC99ACFA8A82742E774323C0DBD	790F8B56DF79641E83A16E443A75A66E6AA2F244	BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)	Microsoft Word 2007+	5A53F55DD7DA8F10A8C0E711F548B335	035E685927DA2FECB88DE9CAF0BECEC88BC118A7	66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)	Microsoft Word 2007+	7CDFFC23FB85AD5737452762FA36AAA0	CFBC97247959B3142AFD7B6858AD37B18AFB3237	68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)	Microsoft Word 2007+	8BC84DB5A3B2F8AE2940D3FB19B43787	3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE	AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C5A12EA2F9C2D2A79155C1BC161C350C	75004B4B6C6C4EE37BE7C3FD7EE4AF4A531A1B1A	61EC0DAA23CBC92167446DADEFB919D86E592A31EBBD0AB56E64148EBF82152D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKY7RET4ECOXUNROUC5J.temp	data	E4A1661C2C886EBB688DEC494532431C	A2AE2A7DB83B33DC95396607258F553114C9183C	B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GXM4FEHKJMSN4YVSRXLJ.temp	data	E4A1661C2C886EBB688DEC494532431C	A2AE2A7DB83B33DC95396607258F553114C9183C	B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)	data	E4A1661C2C886EBB688DEC494532431C	A2AE2A7DB83B33DC95396607258F553114C9183C	B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF2040d.TMP (copy)	data	E4A1661C2C886EBB688DEC494532431C	A2AE2A7DB83B33DC95396607258F553114C9183C	B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
C:\Users\user\Desktop\~$nkPaymAdviceVend.Report.docx	data	DC31BBE5B446ACFE8611DAE2BA7DF264	38443668D0AD84CAE6CC05AEE5579F053B49F30C	3CD6B9AD08521F6ADC9D04152C7F4E33F9742B993FEE0EC617C12FAB2F8C390D

ID:	1502190
Product:	CloudBasic
Start time:	13:53:06
Start date:	31.08.2024
Sample:	BankPaymAdviceVend.Report.docx
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	22eede72746e7a9a26f3f6d311a12a7e
SHA1:	6738d1a969194359c7c7579956269d77fed8d26f
SHA256:	2e1408013503cbc13466e2041bd3e045833ce65f5c91b7226e28e27d43d6eaf9
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 58.23%

Windows Analysis Report
BankPaymAdviceVend.Report.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tt.vg/BVhaS	true	8%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://tt.vg/BVhaS	true	8%, Virustotal, Browse Avira URL Cloud: phishing	unknown

Windows Analysis Report BankPaymAdviceVend.Report.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
BankPaymAdviceVend.Report.docx