'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2018-07-23 00:12:00.554372 2018-07-23 00:13:51.510631 110 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2018-07-23 00:12:01 2018-07-23 00:13:51

File Details

File name cd17a89cda5f93417c62a317f7cdf9d39f12628a.docx
File size 69278 bytes
File type Microsoft Word 2007+
CRC32 53631042
MD5 aebb9d7e41c1aa42ed41368b2ab49739
SHA1 cd17a89cda5f93417c62a317f7cdf9d39f12628a
SHA256 9d6b921e968182361c93828111bde0cd5d37d42a5f95bdf91f77bc7b1e0a50e7
SHA512 7505a09648388f73d0aede2f47faf6e9d51f1ba8bb6806feefda9987627bbcaca19964820c7f83d01ff2ec9c5e1dd843570a2508fe3ac61e3f9b15e9fc6fa0bf
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=150, Anomalies=0, PEiD=0, Yara=0, VT[1532319246]=0): Snort Events=0, AV Events=0
Total Score=150

Signatures

raises_exception details
create_process_suspended details
Roaming_Profile_Modified details
Startup_File_Accessed details
creates_doc details
nolookup_communication details
overwites_files details
suspicious_write_exe details

Screenshots

No screenshots available.

Static Analysis

Strings

Dropped Files

3b8b64f73ca273a0_628f9005.wmf

7c9bd5c416a2d2c9_28e422f5.wmf

852b5a7e1f71b0b4_9cb9455b.wmf

ad5824e527816e1f_b42332d7.wmf

8da58972134f3830_3f1cf34a.dat

730231f3f4ab7466_6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04

85c3810d450e6c02_50d6b15d9f2dce1edbb0c098625fbe47_544b2bb0a8631da8bf33337df6899d1e

7da0624cdca22074_5d194c1d.dat

61850aa8689854a4_~$17a89cda5f93417c62a317f7cdf9d39f12628a.docx

0793770c80b6cee9_840df889.wmf

33f7ac966d2868f9_heartbeatcache.xml

cfb05f3845993866_1920e0eb.dat

decb411dc293f873_773a66bf.dat

692899ac91eb5e6f_f32fc247.wmf

15cdd3324a7c81aa_fddc0cdc.dat

1050fabbdfbe61e5_efd499e8.dat

9cada432ba28f3ea_e992b301.wmf

7f3eded4c85581d0_c302a4a9.dat

7379c38e2c8067f4_6da0faae-19a5-4775-92c8-50e6576856bb

d7b9ab4e7f8e8398_e3fcd59f.wmf

2501d18c1ad32df5_50d6b15d9f2dce1edbb0c098625fbe47_544b2bb0a8631da8bf33337df6899d1e

397ad878db2d20af_6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04

40f262932db5e3e0_ce7f1133.dat

88eed86f8c37d032_msforms.exd

3b3cf9aa4e1f3432_51940341.dat

6a5327652649994d_~wrs{f9f61452-dccd-4e5b-8bc4-322975d077f1}.tmp

7d0dfc68b7f87ade_27dc366.dat

4826c0d860af884d_~wrs{79a4d9dc-d9d0-4c43-b205-761b404972d3}.tmp

741d42b4bc547186_94fa2aed.wmf

21a0e0e980fe375c_winword.exe_rules.xml

ee6e0409edec75cc_~wrs{c2057780-cf07-4c72-ab1e-ec65ec939339}.tmp

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFD499E8.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B15443A.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DC366.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D194C1D.dat
  • C:\Users\Harry Dresden\AppData\Local\Temp\Word8.0\MSForms.exd
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50D6B15D9F2DCE1EDBB0C098625FBE47_544B2BB0A8631DA8BF33337DF6899D1E
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48AC587B.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B42332D7.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE2AAD11.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56B700CD.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7BB64F8.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5133902F.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\837B2F24.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B35C6A2.wmf
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$17a89cda5f93417c62a317f7cdf9d39f12628a.docx
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28099A13.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD99BCFC.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2C84F2D.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AF6F099.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87CFAEAE.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8CEDC7A0.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB6BBF00.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CB9455B.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAC640C9.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B8E51B4.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1174A7A3.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3FCD59F.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16B117DD.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6EF39C0A.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F413F67.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9932E7F7.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2ED92F3.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48040.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1920E0EB.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F1CF34A.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C840D97E.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59C4279C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B721318C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\547D450D.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D32F00A8.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1582DC6.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC84763E.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79E6BC79.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1CA05E2.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CADE7D0E.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\778931E5.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE7F1133.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C302A4A9.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3DC85CB.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C2057780-CF07-4C72-AB1E-EC65EC939339}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F29104E.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FA1D6C3.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65A1B86A.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\230A3EEC.wmf
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88612C87.wmf
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87A0C826.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D826036.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C0D370F.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79A4D9DC-D9D0-4C43-B205-761B404972D3}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B1D34F6.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45294E42.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A339FD.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28E422F5.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E992B301.wmf
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50D6B15D9F2DCE1EDBB0C098625FBE47_544B2BB0A8631DA8BF33337DF6899D1E
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDDC0CDC.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\555BDE25.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E9F4DEF.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5F3F4F1.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6DA0FAAE-19A5-4775-92C8-50E6576856BB
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B1F9AAB.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C8DBCD5.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\573C0DF0.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63706472.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D7B3314.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB493198.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\840DF889.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\297DEDB7.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25E4B527.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F32FC247.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D3C74D2.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\643CE321.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9112C5C4.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C5D8412.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCA27548.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EFAFC4C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18584858.wmf
  • C:\Users\Harry Dresden\AppData\Local\Temp\mso3B64.tmp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93EB296.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94FA2AED.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F224AFAA.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51940341.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4054AD50.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF84E883.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E63C7915.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B80A5531.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\545214B9.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\628F9005.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFC88FDE.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFA80C64.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF9BB47F.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2EDFCB0.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F9F61452-DCCD-4E5B-8BC4-322975D077F1}.tmp
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C819BFDA.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\66A2423C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\539C474.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4B1A23B.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D716B7A.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\773A66BF.dat
File-Opened
  • C:\Windows\Fonts\cour.ttf
  • C:\Windows\Fonts\ariali.ttf
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\SysWOW64\en-US\CRYPT32.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B15443A.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D32F00A8.wmf
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27DC366.dat
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates\Normal.dotm
  • C:\Users\Harry Dresden\Favorites\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\FEE4C9D3-C3C3-4DD8-9A8A-E5EE2FB996B2
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\778931E5.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D194C1D.dat
  • C:\Windows\Fonts\arial.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAC640C9.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\C642E3AC-C787-461C-8130-49BC8B3B8E54
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48AC587B.wmf
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B42332D7.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFD499E8.dat
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\{B873B1AD-6171-49BF-89FE-C4666F2C8444} (0) - 3872 - winword.exe - OTele.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0
  • C:\Windows\WindowsShell.Manifest
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5133902F.wmf
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO40UIRES.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\{B873B1AD-6171-49BF-89FE-C4666F2C8444} (0) - 3872 - winword.exe - OTeleMediumCost.dat
  • C:\Program Files (x86)\Microsoft Office\root\Office16\1033\WWINTL.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\83917C1B-CFCF-4F12-BA76-7138123D93FC
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B35C6A2.wmf
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
  • C:\Users\Harry Dresden\Links\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\51792303-9B41-4132-AD62-E72F4D1C08D6
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache
  • C:\Windows\SysWOW64\en-US\USER32.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16B117DD.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93EB296.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AF6F099.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B1F9AAB.wmf
  • C:\Users\Harry Dresden\Videos\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\1430F911-5AD3-4749-AFAC-24A34E4FD4A9
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\68CF3A26-FE19-459A-A97F-7DAFCB3AD924
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\msointl30.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\230A3EEC.wmf
  • C:\Windows\System32\oleaccrc.dll
  • C:\Program Files (x86)\Microsoft Office\root\Office16\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB6BBF00.wmf
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso20win32client.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\60B61A8B-72E6-431D-B56F-E4939E48D96C
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\7611C3D4-0673-442E-850F-6C64C041E91E
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft
  • C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\398C73D5-F266-4B67-A792-8EFC910B2A68
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSORES.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4054AD50.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\B146098F-4064-49C1-985D-AEC3D779A81B
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF84E883.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B8E51B4.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D3C74D2.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers
  • C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
  • C:\Windows\System32\en-US\d2d1.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3FCD59F.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\459A34E0-3D69-4909-8E7B-40D4C989545E
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6EF39C0A.wmf
  • C:\Users\Harry Dresden\Pictures\desktop.ini
  • C:\Program Files (x86)\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28099A13.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2ED92F3.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48040.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1920E0EB.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\BEE1372A-C6B0-45A5-B2DF-946BCF71815A
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8CEDC7A0.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\27AE1074-21E3-40FA-AE57-4027C89A1728
  • C:\Users\Harry Dresden\AppData\Local\Microsoft
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E992B301.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Office\16.0\62e47556\Proofing\RoamingCustom.dic
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSWORD.OLB
  • C:\Users\Harry Dresden\Searches\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F1CF34A.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\71FD5FF9-FB04-4B94-95CF-F362AB85F4C7
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59C4279C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B80A5531.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD99BCFC.wmf
  • C:\Users\Harry Dresden\Downloads\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\2B482C5D-3A63-457D-BC30-53A361F3C4C2
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D5CA04B0-F36E-4671-9B61-C281C22245A8
  • C:\Windows\Fonts\arialbd.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F413F67.wmf
  • C:\Users\Harry Dresden\Contacts\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\Word8.0\MSForms.exd
  • C:\Program Files (x86)\Microsoft Office\root\Office16\STARTUP\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\88DDE652-0345-4105-81DB-355519848C29
  • C:\Users\Harry Dresden\AppData\Local\Temp\cd17a89cda5f93417c62a317f7cdf9d39f12628a.docx
  • C:\Windows\SysWOW64\en-US\setupapi.dll.mui
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC84763E.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\5DD973A5-6B8F-40E7-93DC-F099B3954B65
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79E6BC79.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1CA05E2.wmf
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CADE7D0E.wmf
  • C:\Users\Harry Dresden\AppData\LocalLow
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\0136C3E2-C15B-4825-B21D-FD8681596A3A
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\7DF8FCF3-C8C9-4CF7-8416-171D71D0C04A
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE7F1133.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C840D97E.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates\
  • C:\Program Files (x86)\Microsoft Office\root\Office16\OART.DLL
  • C:\Users\Harry Dresden\Saved Games\desktop.ini
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms
  • C:\Windows\Fonts\courbd.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\41998CBE-23F6-4A35-9D07-30563B2494C7
  • C:\Windows\Fonts\SEGOEUISL.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\ECB4A42C-1CD2-416B-A8EE-28711F2E4748
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F29104E.wmf
  • C:\Windows\Fonts\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso40uiwin32client.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FA1D6C3.wmf
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO99LRES.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65A1B86A.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Word\STARTUP\
  • C:\Windows\System32\en-US\shdocvw.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE2AAD11.wmf
  • C:\Windows\Fonts\calibri.ttf
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56B700CD.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45294E42.wmf
  • C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88612C87.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D8906D2F-B5FB-47A7-A48C-64280468337B
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87A0C826.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D826036.wmf
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C0D370F.wmf
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso99Lwin32client.dll
  • C:\Users\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\
  • C:\Windows\Fonts\courbi.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87CFAEAE.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\DC7D18FE-1987-4CC1-A220-8C2AB3F89FE4
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\547D450D.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B1D34F6.wmf
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7BB64F8.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2EDFCB0.wmf
  • C:\Windows\SysWOW64\stdole2.tlb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\573C0DF0.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28E422F5.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1174A7A3.wmf
  • C:\Windows\System32\shdocvw.dll
  • C:\Windows\Microsoft.NET\Framework\
  • C:\Windows\Fonts\arialbi.ttf
  • C:\Users\desktop.ini
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\141E62F4-A1F6-4895-AAD3-8A2A95D4A1E2
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50D6B15D9F2DCE1EDBB0C098625FBE47_544B2BB0A8631DA8BF33337DF6899D1E
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\80B9ABAF-5777-40C6-9BCA-7FF88408BA18
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\A42028F2-CFF8-48B7-B283-04ADC903CA42
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\02F53DDF-4F31-4BA0-97DE-29F451F29819
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDDC0CDC.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\555BDE25.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1582DC6.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\218BD889-250F-4009-AC70-37A89D831B8B
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E9F4DEF.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\837B2F24.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\
  • C:\Windows\Fonts\simsun.ttc
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5F3F4F1.wmf
  • C:\Users\Harry Dresden\AppData\Local\GDIPFONTCACHEV1.DAT
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\166A7C48-F18B-4F49-AD05-CA648AF56FB1
  • C:\Windows\Fonts\times.ttf
  • C:\Users\Harry Dresden\Music\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\12E38A7D-EDAC-40BC-8980-4A83DF7AAB2E
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso30win32client.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EFAFC4C.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\2B6C7C22-BAAE-4D80-8E6A-3176CC4E5946
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB493198.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A339FD.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\3F7A38BA-8B2B-4C7D-817A-A29170E7C939
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso98win32client.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\6E4E86D9-CE48-4E5A-BDC2-529EA93CE6D2
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D7B3314.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
  • C:\Windows\SysWOW64\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\840DF889.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\297DEDB7.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25E4B527.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\4A1D1BE3-CA4C-4C42-AE17-C9AD7D0BDD26
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F32FC247.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\54235051-D104-456C-B62E-7BBA73FA48DC
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\643CE321.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9112C5C4.wmf
  • C:\Windows\System32
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\B3F75FA2-5E0D-426B-BC60-74C92AEBECEB
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C8DBCD5.wmf
  • C:\Windows\
  • C:\Windows\SysWOW64\FM20.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C5D8412.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3DC85CB.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCA27548.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9932E7F7.wmf
  • C:\Windows\splwow64.exe
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D5741299-7A7A-4BE1-86B6-ADB88C449156
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18584858.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\539C474.wmf
  • C:\Users\Harry Dresden\AppData\Local\Temp\mso3B64.tmp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2C84F2D.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94FA2AED.wmf
  • C:\Windows\Fonts\wingding.ttf
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F224AFAA.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51940341.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CB9455B.wmf
  • C:\Users\Harry Dresden\AppData\Local\Temp\Word8.0\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My
  • C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL
  • C:\Windows
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E63C7915.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D81F3CE6-A0F2-4E05-91A2-9A4B8276F8BE
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B721318C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\545214B9.wmf
  • C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\628F9005.wmf
  • C:\Windows\Fonts\segoeui.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL
  • C:\Users\Harry Dresden\Documents\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\62CA747E-A81B-485E-B093-BF90DBBAE9EC
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFC88FDE.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\49196BB5-66DD-4A41-B334-5325D2D5E6C5
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFA80C64.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF9BB47F.wmf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Proof\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\F3721A83-BE42-474E-A0FE-86C399B43BD1
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C302A4A9.dat
  • C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL
  • C:\Windows\System32\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C819BFDA.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D716B7A.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\66A2423C.wmf
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4B1A23B.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63706472.wmf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\C88FD7A6-07CC-42CE-ABF8-77F23D1FCFAC
  • C:\Windows\Fonts\couri.ttf
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\773A66BF.dat

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\HARRYD~1\AppData\Local\Temp\cd17a89cda5f93417c62a317f7cdf9d39f12628a.docx PID: 2328, Parent PID: 2212

Volatility

Nothing to display.