blackcat | df8d000833243acc0004595b3a8d4b66fcd7b76d8685d5c2ff61ee2a40a0e92c

Resubmissions

15-12-2023 21:36

231215-1f5lgsagg5 10

15-12-2023 21:32

231215-1dlqlaagf5 10

Analysis

max time kernel
199s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2023 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sch1.exe
Size

12.6MB
MD5

a0cd8aa1cd7cc61d41977cceacd7d4f6
SHA1

83078ff956e5e441429257cfa3a3362d6ba3c0d5
SHA256

df8d000833243acc0004595b3a8d4b66fcd7b76d8685d5c2ff61ee2a40a0e92c
SHA512

2f147b25d3289f33623dd3fdfd339de75b71cab4eb6348d0a176815bc1a7a86889113c40b6b1d3a2eb275fd76c16dbbe0eb38e63584ce2f5005a13c7369e68db
SSDEEP

196608:zRXBBaGSqkZRLVupoP3/ih4a4kZLm77gZ9rwaATAZjiEjOvonfT:p/+j/ih4a4k9M5kjiOOvonfT

Score

10^/10

blackcat ransomware

Malware Config

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
464	WINWORD.EXE
464	WINWORD.EXE
1944	EXCEL.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
4836	msedge.exe
4836	msedge.exe
4316	identity_helper.exe
4316	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
464	WINWORD.EXE
464	WINWORD.EXE
464	WINWORD.EXE
464	WINWORD.EXE
464	WINWORD.EXE
464	WINWORD.EXE
464	WINWORD.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
1944	EXCEL.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE
2700	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1472	4836	msedge.exe	96
PID 4836 wrote to memory of 1472	4836	msedge.exe	96
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 4760	4836	msedge.exe	97
PID 4836 wrote to memory of 1492	4836	msedge.exe	98
PID 4836 wrote to memory of 1492	4836	msedge.exe	98
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99
PID 4836 wrote to memory of 3324	4836	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\sch1.exe
"C:\Users\Admin\AppData\Local\Temp\sch1.exe"
1⤵
PID:2340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Documents\AddExport.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4ac346f8,0x7ffb4ac34708,0x7ffb4ac34718
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13562448376766853550,14225075316529664723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:464

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\RestartClose.csv"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8fb0ee9fe05d455656ed292caa59565

SHA1
6605ee1217d5719e2c88bd89bd6022abbf2a7e9f

SHA256
18387224838c9c2d0d7d10ca115861f0ecb07b71fc1b7660f7ab6eb47dfa226a

SHA512
d5ef7aeccbbb8f2ee65c097ce3c4f9e111be903e9db6cc75bf10d40ee2df69c101d524705e9ed7a100f976a5bd2ab2121d89c81915bf635104f4cdcfeec8f4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
75e2e1e78ca1a4bd1d4275ee9f1961b6

SHA1
daf111387bcf6058836b4976a46935d31ab5f0f9

SHA256
8a47f1943909a92071210821c316763ea27e137df3307b44133fba96857a46ab

SHA512
049a1ae8d164dd769b0ef06e60a947571c1bcd430418d10942872c918ee7a736d900b109877925c4edb8a3530e6ddaf8f4d85664b465da86dd0bb9e53fd026fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c8861261aef4afefc60cee3751e96237

SHA1
181848196acb4f949923d609615687e08bc518b0

SHA256
635836dae92f722177899c5bc6af2dcc359db10f047c3b995423ab1c9232d3f6

SHA512
f664575558ac4f6a5b21f14235b693b9a8c33c37c2fb226358b61ec38d5153c63ee42539e669208087b2b0590b023fc2f1cae0b79dad3bdaf53818fc445cc09f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39c9f65ccbe9ac98aabb8e77483083c6

SHA1
33894546f3d634e7a033222383199d848a63e8ff

SHA256
fc75a224223aa1860e4147b15c59277a0efdb092b3fd5b6b6d0d04beba553cd2

SHA512
8470c842fe3389e19c44be04881ef5e140aaa9e141e4cd1a3eaa9021c50e103800b0f429fa1bbf882391814913b92da4c46db0875410d41ebc4f4a659989b455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
41d80ce8803638934d552b1f62bc8069

SHA1
33dbf834778a14f62e0d0f2d5aca83468a2ea4a8

SHA256
b39099e6056a81449e14781856f5a7952e298fa76f0698f4b04ba09a4ac7585b

SHA512
f796c4cddc6ad6ea623e4e881fceb73cda346a8d88dd391055a9da29fdf4c77319cfc717f5895aa1cbc529fd58a9b2eafb7d01abd5f5db09fc0c83bf75fc4a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
894ec617df42825aba2c8dc149273dab

SHA1
8c2b01fcb7bb65d4d67b79a24ea567480be47d40

SHA256
e4a447eec27f662cb3f2e8e8429b65da6894dc280ed75267d5bf493b998025fe

SHA512
5e69ccdcf2728b1df8556f4778e815d1f4043fcf8d8487c480f3408fc4ea6f0aa906af20d6ddb877ae0550428206729c2b26b72cf7747a9458588cdc45d1927f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
f485965e793431ccbc452a01ac6fa6e9

SHA1
aade8010bd0e6a28a662e5c39871768461fa8c4f

SHA256
4e350d91955447596a90ea4e42616f28df6b25a35010d45da6b56bdfe7e5120a

SHA512
5218c3995c841573a7f9d007673eb36f3a5921dcaa4a0bac026a26fcbe8754b4e9026f0e901f3633d97444b111e84d73010c1807e37f8adf7bca7ad2d7897582

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Files.docx.LNK

Filesize
1KB

MD5
8f5e08e9241d82e516066186a06bfa36

SHA1
7c0b1fe8cec4f33bc5a85b58a2ed80c16841c89e

SHA256
1b255e6f24550af02bbb71006534c70009dab6afc5783fd44b63d4351ab4f7d7

SHA512
5ae4b995f9f39101e76e5ba73ef81003d852b9a9d3d46c70f42d1d67bd00b18d6e561cd9aeff07cd2df1da0afe9175934fdbdf252b856d0a518775f350f1c49a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
201B

MD5
35375f95b1430c8b11ebeb931fba0dda

SHA1
5122d139ac357db969c191b941bd479ceb9dc59f

SHA256
fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b

SHA512
b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
260B

MD5
e948aad16f9122dce8e55894f9bdb292

SHA1
9124b7d1114e2a4f39129126dbf325bdd63e5c29

SHA256
b7a94fdc377e84ed25f5554b448ceae4bbe2d546d1a77d7f06aa8372363f2933

SHA512
8d08bf6c294c36eb3a1369e8c00569a5737fa99e0d3f689b2f9305671512b2a05243703f322a15026122e5f18d1ee1800d46d2549a87abbd1ef4aabd71bffee5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
260B

MD5
36d64c5e9c5bf9dfd826532b1e0c6623

SHA1
6f34b9c1c2b4969b3821216c17c8eaa70e4b9622

SHA256
790e95448a5eb454612d9b30249a4cc75c861d0810468a1d482602f7abb4437a

SHA512
740fa67341e378839216268ffbe123ff2cf0c36e7ac001b67ccb14c9ac7f06f677596ffc06785daa4df0ba256f62b54e47425c1faa6ecd2a7caafc72cd9de706

Download Submit
memory/464-132-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-135-0x00007FFB266D0000-0x00007FFB266E0000-memory.dmp

Filesize
64KB

Download
memory/464-134-0x00007FFB266D0000-0x00007FFB266E0000-memory.dmp

Filesize
64KB

Download
memory/464-133-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-170-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-171-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-172-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-174-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-173-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-175-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-176-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-131-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-129-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-130-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-127-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-128-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-125-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-126-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-124-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/464-122-0x00007FFB28E70000-0x00007FFB28E80000-memory.dmp

Filesize
64KB

Download
memory/464-123-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-189-0x00007FFB266D0000-0x00007FFB266E0000-memory.dmp

Filesize
64KB

Download
memory/1944-186-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-195-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-196-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-193-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-197-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-192-0x00007FFB266D0000-0x00007FFB266E0000-memory.dmp

Filesize
64KB

Download
memory/1944-191-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-190-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-216-0x00007FFB684A0000-0x00007FFB6856D000-memory.dmp

Filesize
820KB

Download
memory/1944-225-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-226-0x00007FFB684A0000-0x00007FFB6856D000-memory.dmp

Filesize
820KB

Download
memory/1944-179-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-181-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-183-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-194-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-185-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-188-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-187-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2340-0-0x0000000000880000-0x0000000001520000-memory.dmp

Filesize
12.6MB

Download
memory/2700-255-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-247-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-256-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-258-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-234-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-248-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-235-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-249-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-251-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-239-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-237-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-245-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-246-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-253-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-233-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-232-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-238-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-289-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-291-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-292-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download
memory/2700-293-0x00007FFB68DF0000-0x00007FFB68FE5000-memory.dmp

Filesize
2.0MB

Download