blackcat | df8d000833243acc0004595b3a8d4b66fcd7b76d8685d5c2ff61ee2a40a0e92c

Resubmissions

15-12-2023 21:36

231215-1f5lgsagg5 10

15-12-2023 21:32

231215-1dlqlaagf5 10

Analysis

max time kernel
251s
max time network
259s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
15-12-2023 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sch1.exe
Size

12.6MB
MD5

a0cd8aa1cd7cc61d41977cceacd7d4f6
SHA1

83078ff956e5e441429257cfa3a3362d6ba3c0d5
SHA256

df8d000833243acc0004595b3a8d4b66fcd7b76d8685d5c2ff61ee2a40a0e92c
SHA512

2f147b25d3289f33623dd3fdfd339de75b71cab4eb6348d0a176815bc1a7a86889113c40b6b1d3a2eb275fd76c16dbbe0eb38e63584ce2f5005a13c7369e68db
SSDEEP

196608:zRXBBaGSqkZRLVupoP3/ih4a4kZLm77gZ9rwaATAZjiEjOvonfT:p/+j/ih4a4k9M5kjiOOvonfT

Score

10^/10

blackcat ransomware

Malware Config

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1884	NOTEPAD.EXE
4564	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 6 IoCs

pid	Process
3968	WINWORD.EXE
3968	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE
2496	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1820	4736	msedge.exe	91
PID 4736 wrote to memory of 1820	4736	msedge.exe	91
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2876	4736	msedge.exe	92
PID 4736 wrote to memory of 2980	4736	msedge.exe	93
PID 4736 wrote to memory of 2980	4736	msedge.exe	93
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94
PID 4736 wrote to memory of 4464	4736	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sch1.exe
"C:\Users\Admin\AppData\Local\Temp\sch1.exe"
1⤵
PID:2712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1044

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\DenySkip.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1884

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\DenySkip.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4564

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\OptimizeResume.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Documents\RemoveDisconnect.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb9b63cb8,0x7ffcb9b63cc8,0x7ffcb9b63cd8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,10870360480267397399,3575223677575770439,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,10870360480267397399,3575223677575770439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,10870360480267397399,3575223677575770439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,10870360480267397399,3575223677575770439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,10870360480267397399,3575223677575770439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b09c5d9d170124cc803af2dd5f23e2b4

SHA1
41a3ddbafd6f3062f07ec162679bfab95fd88482

SHA256
5e6d5fcfb3805ecd4d9388837551cc02c5452f03cddba1b29b23fd02686befd8

SHA512
8fd1752211ec074f85d0ee59f39bea6e639199602d71ec947940575a9c515dda96b1eed5af10d513e21373f64a6d03146bb3251aa690830110ff4c6c486b4036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
41d63f8f0a1ab994280c245f106401f8

SHA1
cd81c2d19cb695b3363515dc9d06768b9c602e8a

SHA256
6c03b787fd1f9896ae66684734c5b31bb89835e3df110da7ab05901ac3bd6496

SHA512
28e3f911d05d930d47ceaefc38f5fe80b8d9c44428ac4d033dded4513d90e489c58401829dee4e4620acfff8c9d519d8b2549caf14b1c8f478d30cfc01226665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca3665fda1a6fb57303262a601e8133f

SHA1
38d3c653f9a14dbae99e09714b4c247575c685c9

SHA256
583bafb1b7d2acfb29aa7a16f97b11adca3c0b42c2fc462cf36567956e42fa85

SHA512
9397f80cc23d3739b5bb34b00bebead49b2327a5b3bf3b465aa46625573e6b9128c6fe9feb85bdcc22bc9e527cc63351b80fb9d83ad7eed4d139b60a7abbd2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
45ac5b333836629f2ef06367782874d2

SHA1
6bec34f38f3ca71b55651d9ee33f03dfe9d6e22a

SHA256
c4149ebf4b856284f79d350558e3beccbe7c0bf8a29b6fc6560a81c0e96ca93a

SHA512
43c746ae103d7479a5849591c52eb6c08e44584b2a2d5c033de2bdc0ee200ec483eb741bc8f8c1de4724e71657954cc97379baf66ac50787d700a2213cd970cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
72b8a0f8e1af40439730c3a8495c36c8

SHA1
ae79a819190991675cb12d1f963f1a4cbe96644b

SHA256
2f83b7d2408955e39c538d5ec5246f5b1701546c2c81afef49df55c2c319cb96

SHA512
24b5689556ba1f7012c41c1da31de8b4a4e14dcab6950521b7d983cf46c4f50e6951a374d3729546ca0edc713178deeaf9065cefa91bbfcc0011c7b0440461e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
502B

MD5
8f536012cb6e7625b08ac8886b5ce7b9

SHA1
124caa512d651e959ba61f19811a6508083f3594

SHA256
472b527d1c99ac0c089264134b71e75d7aa409097da5ecc7eed2ad7fccb2185b

SHA512
e94fc48759e35cdc9633393df6636963f2d9d7d316b96e6e1ebe0a16b8c814d29546551ba707eeeb568f0cfce27e553e7004a24001351370e5ceaceb429d9855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
bb5122013e9da21ebcd7cf8bbfd442d8

SHA1
137dc37b75c41a0edca25bc20dab16729c23d5f5

SHA256
fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3

SHA512
6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Are.docx.LNK

Filesize
1KB

MD5
6e25043ab8e598c5a4ebf22a7a922d58

SHA1
f12c67c4bfa3a3b0960a723123fc7667ba135794

SHA256
0efceda7f7022f8799daedab0c7d81d2db278e1c3047b2f5fbf55672f38a81b5

SHA512
e45798244a0dcc71b8f02238e67cd2c6b43f91d5f82172b225ec2e3de7d44a0faad91ea1c206cdf885f0c8a34176086ad055990eb49e5dcab1125adcf3d03eff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
add56ec49f8f478e84a934606effef1c

SHA1
1262ae87ef755e40752740df90d21352d5fc81ec

SHA256
22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327

SHA512
c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

Download Submit
memory/2496-143-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-130-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-144-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-147-0x00007FFCE59B0000-0x00007FFCE5A6D000-memory.dmp

Filesize
756KB

Download
memory/2496-132-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-142-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-136-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-135-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-148-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-134-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-131-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-146-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-129-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-127-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-125-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-123-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-187-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-258-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-259-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-277-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/2496-278-0x00007FFCE59B0000-0x00007FFCE5A6D000-memory.dmp

Filesize
756KB

Download
memory/2712-0-0x00000000000D0000-0x0000000000D70000-memory.dmp

Filesize
12.6MB

Download
memory/3536-78-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-70-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-77-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-68-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-79-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-67-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-82-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-84-0x00007FFCE59B0000-0x00007FFCE5A6D000-memory.dmp

Filesize
756KB

Download
memory/3536-83-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-80-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-66-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-65-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-71-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-63-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-61-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-119-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3536-120-0x00007FFCE59B0000-0x00007FFCE5A6D000-memory.dmp

Filesize
756KB

Download
memory/3536-59-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-53-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-15-0x00007FFCA3BE0000-0x00007FFCA3BF0000-memory.dmp

Filesize
64KB

Download
memory/3968-54-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-51-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-52-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-56-0x00007FFCE59B0000-0x00007FFCE5A6D000-memory.dmp

Filesize
756KB

Download
memory/3968-20-0x00007FFCA3BE0000-0x00007FFCA3BF0000-memory.dmp

Filesize
64KB

Download
memory/3968-22-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-21-0x00007FFCE59B0000-0x00007FFCE5A6D000-memory.dmp

Filesize
756KB

Download
memory/3968-19-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-18-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-17-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-16-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-55-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-14-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-13-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-12-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-11-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-10-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-9-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-7-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-8-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-5-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-6-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-3-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-4-0x00007FFCE6000000-0x00007FFCE6209000-memory.dmp

Filesize
2.0MB

Download
memory/3968-2-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download
memory/3968-1-0x00007FFCA6090000-0x00007FFCA60A0000-memory.dmp

Filesize
64KB

Download