formbook | 16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100

Resubmissions

26/03/2025, 03:45

250326-ebgszazqv5 10

26/03/2025, 03:31

250326-d3csnawzhz 10

Analysis

max time kernel
138s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2025, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
Size

631KB
MD5

485d4375ab8e346f7889e737df009764
SHA1

93cc3d5ec9b1052e68185c42f22fe7bd55b055db
SHA256

16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100
SHA512

d436975a98bbd80210839297d03243f7f9facc87cb5c143ea2d28c62769539502f665661efbbb29d283c376f5e04f223778594e2fcd6ac1e3add38882e8cec9b
SSDEEP

12288:wyjvOn6nzxBZY8ZdLFgxfNH1aae0W8oUYrYB9QdTa7UL:Zj2n6n3qId5CaaeqoUTTQ5aQL

Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs03

Decoy

aindirectiveteam.info

itchen-remodeling-up.world

avadacasino21.buzz

urumsbicard.net

ental-care-2762127.fyi

raveline.tech

camtech.online

leartec.health

odkacasino-333.buzz

oans-credits-73480.bond

ubstrate360.xyz

dalang.click

on66my.xyz

elegilgh.run

wlf.dev

ex-in-wien.net

riminal-mischief.cfd

0ns.pro

klopcy.xyz

ssetexcelstrongmanageroot.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/8-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5028	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5812 set thread context of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874344178733500"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
5060	Winword.exe
5060	Winword.exe
3716	vlc.exe
2924	WINWORD.EXE
2924	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
8	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
8	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
5028	powershell.exe
5028	powershell.exe
3704	chrome.exe
3704	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5296	OpenWith.exe
3716	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe
Token: SeShutdownPrivilege	3704	chrome.exe
Token: SeCreatePagefilePrivilege	3704	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3704	chrome.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe
3716	vlc.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5296	OpenWith.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
5060	Winword.exe
3716	vlc.exe
2924	WINWORD.EXE
2924	WINWORD.EXE
2924	WINWORD.EXE
2924	WINWORD.EXE
2924	WINWORD.EXE
2924	WINWORD.EXE
2924	WINWORD.EXE
2924	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5812 wrote to memory of 5028	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	84
PID 5812 wrote to memory of 5028	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	84
PID 5812 wrote to memory of 5028	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	84
PID 5812 wrote to memory of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86
PID 5812 wrote to memory of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86
PID 5812 wrote to memory of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86
PID 5812 wrote to memory of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86
PID 5812 wrote to memory of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86
PID 5812 wrote to memory of 8	5812	16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe	86
PID 5296 wrote to memory of 5060	5296	OpenWith.exe	87
PID 5296 wrote to memory of 5060	5296	OpenWith.exe	87
PID 3704 wrote to memory of 5940	3704	chrome.exe	93
PID 3704 wrote to memory of 5940	3704	chrome.exe	93
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 2160	3704	chrome.exe	94
PID 3704 wrote to memory of 6040	3704	chrome.exe	95
PID 3704 wrote to memory of 6040	3704	chrome.exe	95
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96
PID 3704 wrote to memory of 2292	3704	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
"C:\Users\Admin\AppData\Local\Temp\16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
  "C:\Users\Admin\AppData\Local\Temp\16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5296
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Desktop\LimitRename.sys"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf58dcf8,0x7ffacf58dd04,0x7ffacf58dd10
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1480,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2292 /prefetch:11
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2396 /prefetch:13
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3816,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4188 /prefetch:9
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4548,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4136,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5488 /prefetch:14
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5524,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5528 /prefetch:14
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5844,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5000,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6128,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6184,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6216 /prefetch:9
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-databases --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6072,i,8885505975459918661,2971989207332998117,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:2388

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:232

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartWrite.au"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1824

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnblockAssert.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
e2c88652d0cb3ca5be75877f24726c32

SHA1
262a84c85f669b443621a763e237231330f1402f

SHA256
65eb33a2130a1cb8063a74327801f7d7a00abfd0abb9456593be43988177ff4f

SHA512
3b248611a319ef69ab5baab30a74fcf64a0c807b9338cd694f650c3e583a837ee9a2a3bc3275fabb6ce7a454f10260370c80f72cb9df5b6f96530ba91a071d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
e1d7af946b25258dc97d4b828af93a00

SHA1
75145c78c1a70b1a60c7a721647b662bc1af203b

SHA256
50332f8c9136400d8ad007c4b26faca116b5ff5b8510c067d028cf054e9c6a36

SHA512
7586215ca2a0c901d55408244ed0505862d4bfc7704e44fa4f54a4bd7af00d30ef5e1a0f121bd1841b8af3f1be14fe7e1c75c3b9f98fe9c1ee4c3cbbdb3f2319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
71f282b7d8bee7ef97fb56f213dce891

SHA1
04b026d5fec475ce267b12d1e570ccbec2f5d113

SHA256
5c1c496301494cbe5de5039fe4b7b7ee4035fbe1ae032882d72a8e048283c48b

SHA512
0af65a565967c0d3c56a5107084c341448060b34f1187e50bea8ade12d64fdfc96a5006d3373f270f417ebf607ef6a7adb2314177712ed121e76f52ace355b67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
827241c6c7cf9904b40536497b3de1c1

SHA1
fa7e89c89031e832babbe1a0cc67aecbc30a7835

SHA256
9f1bf9313fd5da9ccc03efca10d6801b6bfee4426f02c37c0522ba1a6e39fac2

SHA512
e50f0ce463a778686014efdc6adf23da0f9bc7f5f541308cae4c948891b3a0acfc1ef086b0655dafcfcc94f98ffca6a7f95f690f9517fd5eed458917c460c23e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a89d17b5aeac17756119d35eb86a36ae

SHA1
641d111451742aebff50b50d73282cef871c71fd

SHA256
18147197f0245fded4379215327c99b3f114b71657c21cb2668907a732aae3db

SHA512
99b10df34c8de9f2b0e9afe553b2c4f45eb70a64cba99f860a09351e33e28bbb88eec5d4b775431275c0d1ab82721816f315d3da8df3cb64f2192401df71e16a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dc62ca7a06b6fe258bb090b3d97aa4ed

SHA1
e5d29cc785a709dd3332d6b4c1a5ea10123f0458

SHA256
824808293fc675ce894afdeb933fe0629cafb7518aab268f1ca5da21f5b1bb16

SHA512
e9918606801c5f132e1c65f4b780b1a0e3258869778a20fc14de037cce3f275acd826ab222a2b22a724dda94a0e7e2fc86986d92e03ce705df592690cb28635d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
7360d86315f84296ae7dbfb5f41c2bc5

SHA1
0e90b60c68a777a9eb9ca9026f2f1b0f8e3294c1

SHA256
4120c5972282ec03b1fa23ecdfa5cbbe82de13063dbc396991dd9577fa70db6c

SHA512
528398111910817209119d2118fe405b1879c3fb6b08708cff12f50ddc9728fe2be904f5b7bdd6377b195fe48ce5588c92b4156e2e4ad77a24f36604d1b03542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ff15798f40b326f9146ef8752ed637e4

SHA1
f3d1db95136229b33da8cd1801cf044ceb6d9a92

SHA256
3e9c3dce78d2b928d8b919abb40d6ba884521b13e7a2904b61468bb733b5fc89

SHA512
273ab9ac5a076299bfb998fb589d18a1e3af5f3cbb7dba41c4cae30c953070828e5c30c21bc6bdfcf70df11d5db34c87a240ff38dda8d520e90ac5808a21450f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
36ccef6f373ccb118760317c33df8d69

SHA1
72541a7e36ec9b89f50acc33ab8d28b5bf4b8c71

SHA256
98917201c9dd5beab71a9a7b45280255b78a309116e8fe5be55522398a5102f0

SHA512
89a43439a93eaa1f5138c1270e9b5fefb45aa653783308b80a6b4422dc4541934d6f15b25b036f6aeeac241b53d692d23743d8a26eaf67b6cf13f069fc1adb4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e6d9d78dc1cd99913a9606692f28bb96

SHA1
049da37f5862a6cd93d54346c892b09918f17b54

SHA256
665ef08706c6114fd1ae382135441be222fa8feede0d2214635ae4714acc177b

SHA512
9af4c8362ecb841ef9ff0b85240dc4fa90cb662392b4f24a197ed629899acac5fd9cb445ca8dc7a16484d925ebc42210c5f64a25c8d2720bf17baf3c51f5d9a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9a5e82e7704e8e4b08f06f123b9f95d0

SHA1
f5d49006ca2413c14e174abc8b544eddaeb4e9c5

SHA256
ceee4b2a5a3581cbea6107cc59fad787abefb312bef8d085868033246061d43a

SHA512
3abad7c4d551e847bc2bd5ff89838556182221dec29f087f58422c946eb2f6aa9279932d7168aae22bbff7f6674d236a678c5acff8a50fe95ec2aa8c0b3a46ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5887f8.TMP

Filesize
48B

MD5
9c751a474f66d5434980fc7837df8cbb

SHA1
9d6753dcffcd13f12f707c6d2ff24bd7fe08fa10

SHA256
5f637fd76e113b81e460e4ffa354d52b73b83b8d1a5837d379804229f96d787f

SHA512
d17dcfd4a7f3d0319027e0720b9623a68aa7f6b3ced0f4a6750fe9ae1f1b241ceb5a8584f5efa706cc752ba3605bcbc06ab61f20e216172f8c214ae8eefc68ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Network\Network Persistent State~RFe5897a7.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Preferences

Filesize
2KB

MD5
e8c40bb3bc8b1f29f5a6d471bcd4cfe2

SHA1
830f34e287a843fa763fd15d038ae016436ae25b

SHA256
11738eaf18de786076288252826aaf2a1bca2a9ee137676b0ccdc327dba71378

SHA512
8580c5fbbf7fbbc3af090083d3d9cac5decbb9871e744aaaef8aab369e0953705cf05137caf213ea6e8badd48a12a4d40d83b78c04419d314ff1ee6477165007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Preferences~RFe589798.TMP

Filesize
2KB

MD5
eee169c4d6997f7893a88da6449a8e5b

SHA1
163560d360d4ec28b027400cd1e9addacbe3878e

SHA256
e4d63d78442170d6f4e950456798ee29d1b0953443b3b9c0a3c994f487cd9c3d

SHA512
ebd92a1aae171bff9b2d8559680c3db19f88771f5ade525637d8e38d906071abc6dee38f2773d996f1feeffe08faa803ae330d809e45de6a70ab050f3372eed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
5ba350405e49896c92c693784081081c

SHA1
f8ec93febdbbeef9292515efed343cd9587de716

SHA256
823c1a286574b6b3fc5599017eddebbc2e04f8e76deb95265833fd3460725285

SHA512
869ff6b4ae1b8708a5b185d1b4fb6c49cb6c96221b10083d61266afd6027e505d982f96720a2d03cfd82e9877890be9777b114b2436eb0d2c04fac57a05f3802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
78f22ff97380fc5c87f76c3241180c9c

SHA1
b52eafdb24d8efc5037a922a2ab001e34f054c85

SHA256
7ebc2e04b37148c6198a5dfa2d1cfc87da2b3b489d51bcb7126d56b371b644b4

SHA512
14fa08897f7ab278c7f4c4a2b9c5a6d8a36dfc28cba5f4bfe3e1f2d5daa7ac91dea18a7958858a52951010b60bdf16d78a7332b178d92aaa0465e137eac0b869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
8c760f3d1df04520499ea7ae1de4084a

SHA1
ff8d63664d81d79f4d04c9964d560b5761182250

SHA256
de0f89df4ae3473bccd4fe97ca43e8f5d3adbe1b6ad9188e5084392ff356f82a

SHA512
93840a1586edc08628ac973a9de19237d6c1c77f27fbb8ef5c54c3ca5e7970ff6fa4ffae8b82b2a703e4eda63c9dfdc0dc8aab45320d7e8b0f9669c360411c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3BCC7597-9139-4C0A-B624-0084F965E812

Filesize
178KB

MD5
04ff7e6de6960178ad3e19e782fca43a

SHA1
9d9623af3c983ec036cce3db3a08e7d42df6dd75

SHA256
b842b8fb3f7e9e90528c3fd86cccabb70f756ce04d39e8787b213542c01aafb8

SHA512
d11197bc04b5363440dea3725bd3669bed83b081c10c72193083b7137fcc192527f622e68be1ff527a1081c408f899b7625e4a7cc10837e61def5d8f3297c968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
af374937b781b006a5dd38dc0313572d

SHA1
6437adbf0521b8568d5fcd032b511e50ee017f03

SHA256
572c34b9feb68052a28ba07b2cd1bfa0ee313ba1a3f180b72d0cfdb34987e9df

SHA512
c590c0a6688d7b0f62030f3ba170bd6e436d2ced30415cdde197945d0f044a9ff840d37adcb27ce5c00c3c5868031e80068bc8b58fab76433737b280a85e2bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzs5inlh.ai4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
352B

MD5
d9a37c00ecd7fe61897b18e2316ed169

SHA1
c4903fbf12dfa55049da703039d9ef1c3efa8862

SHA256
21211a2219706369b6c5813694b94e71a75a90efd658bb1bedb0b308d98ad85c

SHA512
87d88a4b3a7eaf20fbddaa906e5a3e3dfd057232390009e114281e1e1cf1817c75af221de2eb69db462d3dc38849fd0cbf7d617d7fde7e907882eea406516363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
352B

MD5
91127bc6c1c38be5776c329676dec49d

SHA1
e4cfe1f898f85f6557afaabe99a0317108f00135

SHA256
910fccb106ae56fc3c739a96096ccbe9a1fa91e39d5aeb24728ceb2f8653960c

SHA512
de95481f591f0fbeb036cd9b767c14378e07ae68508affce14006b8211219afc0df27f2a56758ad26997056f508e1c1ca62a31bd87f975941d09161b47ff4b7f

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
965f984e9d7b8a1c0cfccc6ae86b756c

SHA1
5af8ff4fd23d7c6e8b40afc0ccdc5d86b6e65047

SHA256
dc4a4104183d2d1e4f3ca5bd03fe31158932e3a6aa71c32b559e776fa46e23d8

SHA512
a8f272f0ee44beb9cff2784ecad72cbec4a7c623600e053a34f541343ab89c33d816733688871ae5fed09a5c1c10bbc3ef6a3b6ce3234c92469345de00e48d0a

Download Submit
memory/8-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-556-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-558-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-557-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-559-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-560-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-561-0x00007FFAA04F0000-0x00007FFAA0500000-memory.dmp

Filesize
64KB

Download
memory/2924-565-0x00007FFAA04F0000-0x00007FFAA0500000-memory.dmp

Filesize
64KB

Download
memory/2924-605-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-606-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-604-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/2924-603-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/3716-529-0x00007FFAD6FB0000-0x00007FFAD6FC1000-memory.dmp

Filesize
68KB

Download
memory/3716-516-0x00007FFACF190000-0x00007FFACF446000-memory.dmp

Filesize
2.7MB

Download
memory/3716-555-0x00007FFAC0F20000-0x00007FFAC1FD0000-memory.dmp

Filesize
16.7MB

Download
memory/3716-554-0x00007FFACF190000-0x00007FFACF446000-memory.dmp

Filesize
2.7MB

Download
memory/3716-553-0x00007FFADC960000-0x00007FFADC994000-memory.dmp

Filesize
208KB

Download
memory/3716-552-0x00007FF6895B0000-0x00007FF6896A8000-memory.dmp

Filesize
992KB

Download
memory/3716-541-0x0000020ED7650000-0x0000020ED8EBF000-memory.dmp

Filesize
24.4MB

Download
memory/3716-526-0x00007FFAD70C0000-0x00007FFAD7101000-memory.dmp

Filesize
260KB

Download
memory/3716-532-0x00007FFAD36D0000-0x00007FFAD36EB000-memory.dmp

Filesize
108KB

Download
memory/3716-534-0x00007FFAD32C0000-0x00007FFAD32D8000-memory.dmp

Filesize
96KB

Download
memory/3716-527-0x00007FFAD45D0000-0x00007FFAD45F1000-memory.dmp

Filesize
132KB

Download
memory/3716-528-0x00007FFAD7080000-0x00007FFAD7098000-memory.dmp

Filesize
96KB

Download
memory/3716-530-0x00007FFAD44F0000-0x00007FFAD4501000-memory.dmp

Filesize
68KB

Download
memory/3716-531-0x00007FFAD3980000-0x00007FFAD3991000-memory.dmp

Filesize
68KB

Download
memory/3716-533-0x00007FFAD32E0000-0x00007FFAD32F1000-memory.dmp

Filesize
68KB

Download
memory/3716-535-0x00007FFAD3290000-0x00007FFAD32C0000-memory.dmp

Filesize
192KB

Download
memory/3716-525-0x00007FFAC0F20000-0x00007FFAC1FD0000-memory.dmp

Filesize
16.7MB

Download
memory/3716-537-0x00007FFAC8660000-0x00007FFAC86DC000-memory.dmp

Filesize
496KB

Download
memory/3716-538-0x00007FFAD3270000-0x00007FFAD3281000-memory.dmp

Filesize
68KB

Download
memory/3716-540-0x00007FFAC0AD0000-0x00007FFAC0AE2000-memory.dmp

Filesize
72KB

Download
memory/3716-539-0x00007FFAC8600000-0x00007FFAC8657000-memory.dmp

Filesize
348KB

Download
memory/3716-536-0x00007FFAC9870000-0x00007FFAC98D7000-memory.dmp

Filesize
412KB

Download
memory/3716-515-0x00007FFADC960000-0x00007FFADC994000-memory.dmp

Filesize
208KB

Download
memory/3716-514-0x00007FF6895B0000-0x00007FF6896A8000-memory.dmp

Filesize
992KB

Download
memory/3716-523-0x00007FFAD7110000-0x00007FFAD7121000-memory.dmp

Filesize
68KB

Download
memory/3716-522-0x00007FFAD7130000-0x00007FFAD714D000-memory.dmp

Filesize
116KB

Download
memory/3716-524-0x00007FFACEF80000-0x00007FFACF18B000-memory.dmp

Filesize
2.0MB

Download
memory/3716-521-0x00007FFAD7150000-0x00007FFAD7161000-memory.dmp

Filesize
68KB

Download
memory/3716-520-0x00007FFAD7210000-0x00007FFAD7227000-memory.dmp

Filesize
92KB

Download
memory/3716-519-0x00007FFAD7230000-0x00007FFAD7241000-memory.dmp

Filesize
68KB

Download
memory/3716-518-0x00007FFAD7250000-0x00007FFAD7267000-memory.dmp

Filesize
92KB

Download
memory/3716-517-0x00007FFAD97A0000-0x00007FFAD97B8000-memory.dmp

Filesize
96KB

Download
memory/5028-43-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/5028-41-0x0000000006C40000-0x0000000006CE4000-memory.dmp

Filesize
656KB

Download
memory/5028-42-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/5028-14-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/5028-44-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/5028-45-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/5028-46-0x0000000006FB0000-0x0000000006FC1000-memory.dmp

Filesize
68KB

Download
memory/5028-47-0x0000000006FE0000-0x0000000006FEE000-memory.dmp

Filesize
56KB

Download
memory/5028-48-0x0000000006FF0000-0x0000000007005000-memory.dmp

Filesize
84KB

Download
memory/5028-49-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/5028-50-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/5028-15-0x0000000004C70000-0x000000000529A000-memory.dmp

Filesize
6.2MB

Download
memory/5028-17-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/5028-16-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/5028-18-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/5028-19-0x0000000005510000-0x0000000005867000-memory.dmp

Filesize
3.3MB

Download
memory/5028-28-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/5028-29-0x0000000005B60000-0x0000000005BAC000-memory.dmp

Filesize
304KB

Download
memory/5028-40-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/5028-30-0x0000000006A00000-0x0000000006A34000-memory.dmp

Filesize
208KB

Download
memory/5028-31-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/5060-107-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-105-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-104-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-59-0x00007FFAA04F0000-0x00007FFAA0500000-memory.dmp

Filesize
64KB

Download
memory/5060-58-0x00007FFAA04F0000-0x00007FFAA0500000-memory.dmp

Filesize
64KB

Download
memory/5060-54-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-55-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-56-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-57-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-53-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5060-106-0x00007FFAA3090000-0x00007FFAA30A0000-memory.dmp

Filesize
64KB

Download
memory/5812-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/5812-13-0x0000000074520000-0x0000000074CD1000-memory.dmp

Filesize
7.7MB

Download
memory/5812-10-0x0000000009180000-0x000000000921C000-memory.dmp

Filesize
624KB

Download
memory/5812-9-0x00000000066D0000-0x000000000674A000-memory.dmp

Filesize
488KB

Download
memory/5812-8-0x0000000074520000-0x0000000074CD1000-memory.dmp

Filesize
7.7MB

Download
memory/5812-7-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/5812-6-0x0000000005C60000-0x0000000005C78000-memory.dmp

Filesize
96KB

Download
memory/5812-5-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/5812-4-0x0000000074520000-0x0000000074CD1000-memory.dmp

Filesize
7.7MB

Download
memory/5812-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/5812-2-0x00000000051B0000-0x0000000005756000-memory.dmp

Filesize
5.6MB

Download
memory/5812-1-0x0000000000190000-0x0000000000234000-memory.dmp

Filesize
656KB

Download