hxxps://github[.]com/NTFS123/MalwareDatabase/blob/master/Virus/Virus[.]MSWord[.]Akuma[.]zip

Analysis

max time kernel
1655s
max time network
1406s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NTFS123/MalwareDatabase/blob/master/Virus/Virus.MSWord.Akuma.zip

Score

8^/10

macro

Malware Config

Signatures

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 19 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$rd2013BW.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$ntered.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Numbered.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Classic.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Casual.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicSimple.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicStylish.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicStylish.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWNumbered.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Casual.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Centered.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicElegant.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicElegant.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Capitalized.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWClassic.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Word2013BW.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicSimple.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWCapitalized.dotx	WINWORD.EXE

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeWINWORD.EXEWINWORD.EXEWINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings chrome.exe
Suspicious behavior: AddClipboardFormatListener 8 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEWINWORD.EXE

pid process

4060 WINWORD.EXE
4060 WINWORD.EXE
2768 WINWORD.EXE
2768 WINWORD.EXE
1796 WINWORD.EXE
1796 WINWORD.EXE
3908 WINWORD.EXE
3908 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
528	chrome.exe
528	chrome.exe
2796	chrome.exe
2796	chrome.exe
3896	chrome.exe
3896	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1040	chrome.exe
1040	chrome.exe
4148	chrome.exe
4148	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2796 chrome.exe
2796 chrome.exe
2796 chrome.exe
2796 chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

chrome.exe

pid	process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of SetWindowsHookEx 47 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEWINWORD.EXE

pid	process
4060	WINWORD.EXE
2768	WINWORD.EXE
4060	WINWORD.EXE
2768	WINWORD.EXE
4060	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
4060	WINWORD.EXE
2768	WINWORD.EXE
4060	WINWORD.EXE
4060	WINWORD.EXE
2768	WINWORD.EXE
2768	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2796 wrote to memory of 1656	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1656	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 344	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 528	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 528	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe
PID 2796 wrote to memory of 1252	2796	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/NTFS123/MalwareDatabase/blob/master/Virus/Virus.MSWord.Akuma.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d5f44f50,0x7ff9d5f44f60,0x7ff9d5f44f70
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1960 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5084 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
2⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
2⤵
PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4520

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.docx" /o ""
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc" /o ""
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Filesize
118B

MD5
573220372da4ed487441611079b623cd

SHA1
8f9d967ac6ef34640f1f0845214fbc6994c0cb80

SHA256
be84b842025e4241bfe0c9f7b8f86a322e4396d893ef87ea1e29c74f47b6a22d

SHA512
f19fa3583668c3af92a9cef7010bd6ecec7285f9c8665f2e9528dba606f105d9af9b1db0cf6e7f77ef2e395943dc0d5cb37149e773319078688979e4024f9dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
0ceb959707bc4a9a9a94e3881584aab0

SHA1
80f8154bab75b5c54a116dcd25e2d8b20e187ce0

SHA256
34e300ba0c264a6dc331be37fa3874a0f793b86dfcb6fb7ad4b184cd246318cb

SHA512
26b482b5e4a489f080ebff21f6f267cf01938549ea8f413786f58b5fc5cb66f79fcca3c5e5ee89c6e49b34fd752b66f8f3c3ac790ecd7c8bbe2d608694248458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
0ceb959707bc4a9a9a94e3881584aab0

SHA1
80f8154bab75b5c54a116dcd25e2d8b20e187ce0

SHA256
34e300ba0c264a6dc331be37fa3874a0f793b86dfcb6fb7ad4b184cd246318cb

SHA512
26b482b5e4a489f080ebff21f6f267cf01938549ea8f413786f58b5fc5cb66f79fcca3c5e5ee89c6e49b34fd752b66f8f3c3ac790ecd7c8bbe2d608694248458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
636e14579a2259fe0394f9244aa8fe5c

SHA1
c325ee64a789ab4cbbb9758138e7696d3b3684f2

SHA256
c3d3b8c575940dc14f114163dc581de7b00885f4ad212c58a62892452ecbe0b1

SHA512
4e6c0b4c259ca4e0becc7e698e1917a2248fc4a2ec78580fcde67b04f24a3b002158533a86872498e3f86002eba2bc13af7fdf198b557d66989c0db28369aadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
a975e37199b1320dc817bdd20ca82335

SHA1
2c00512d88f90fe59f6ac10991bdabb3be402c12

SHA256
5629fbe8cc5f18894eeccff022f17a1eb47f4c8338143bcb89939f963c70543d

SHA512
6881dab28b1da9409bb3f393e5c889cf3a88f0c464ad051bebdf0ec12da027f2af566242895c28b70482b4338327dd6bcb7068e41cc1084db3b506bf7de86161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1F3BB85D-7335-4067-A1AB-38F1CFF628D8
Filesize
148KB

MD5
992a8da765fe18cec37abaa281cd70f6

SHA1
9255d115706c594ebfbfa01df134b690d707ac16

SHA256
63d80845bdeef0d717b00206d328334cc6c57047dabe63dd2f2250eae39da82d

SHA512
02ac775931ec0c1f9ab140d97e7723980abbab160c8e17eeb1be41c5f73ee70965d046865c20ee542d1650cbfafef861fc39b60868931cabdee02fecd26c1d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
328KB

MD5
a6398ad8a9494534305c0a7bfa8d88ed

SHA1
c3d2bf9e617964a0cc64dbbadab940db706e1baf

SHA256
da89159a736d886df9e358eceecc63048bc20000e604fb754e76680ccd5bb137

SHA512
14a539f1d5fe4eaa5828c63e73fdeee64daa3fa6ea938041afd4546c6263c55f9123d81f4256fa5e65b24de967c7e24bd51f434b57e5d068d99e413dd159610a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
328KB

MD5
a6398ad8a9494534305c0a7bfa8d88ed

SHA1
c3d2bf9e617964a0cc64dbbadab940db706e1baf

SHA256
da89159a736d886df9e358eceecc63048bc20000e604fb754e76680ccd5bb137

SHA512
14a539f1d5fe4eaa5828c63e73fdeee64daa3fa6ea938041afd4546c6263c55f9123d81f4256fa5e65b24de967c7e24bd51f434b57e5d068d99e413dd159610a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize
24KB

MD5
bb5122013e9da21ebcd7cf8bbfd442d8

SHA1
137dc37b75c41a0edca25bc20dab16729c23d5f5

SHA256
fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3

SHA512
6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
32B

MD5
16a707178678921874dceba3bc2e5859

SHA1
22f3df9ea78db7a10887a8c521bb0efd69c2ecd2

SHA256
3a746768e396af19f2b3903492a2638833756a0be4feb1e719e2287c5024c89d

SHA512
6f3c85f9fab11af0792356faf879468d9be655a47dc8a4cb0b49eb7a9d5227739fd1d3d279e8ac75427d9a1cd58733e76b4a3a59e4a80222abd18714a00a3d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd
Filesize
148KB

MD5
9d8dc45a03f64c41d83eb86efbf66bc2

SHA1
3639f1c506ca619e6024f7951249ce7e2bf112a4

SHA256
b31438410255ee3cff1b817d169d5a0308dda6dc62de074fe0d3c064c3045a9e

SHA512
a301336e7c3c36e9ce83582f7d34729b0c8d515058a198be6e6a67f2b060c4fd4459d0edd574a95f2a6f47288db730fefc0a84fa2fb94fd48fa54f8f9830d1bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Virus.MSWord.Akuma.doc.LNK
Filesize
1KB

MD5
1c25601a8cffbeac36457f53cbe7d219

SHA1
f84805bb6c1ab673da9724a2ad91caafcc189150

SHA256
dda8c5cf5f1961bf371ad1688d9ba02173e20f57c3bfb326ea72e6a26d18ae79

SHA512
7145d23913fcfc9e0ea74e670f379e74ae4b61646a56c8f3c6b07b019de463c1d8790d643ede53ae4f30fffe5f4fc66065daed88feadf81ae3d5b75c89f7fcb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
269B

MD5
864f7b42928ed3b1a246a091bd09b3c0

SHA1
9eac85818e244392015941da9b508a091e92a45b

SHA256
5764f4046439a5ca7d664fff4d8e7beeb516652cc7a0ffaa55323bdc6d0fc560

SHA512
31854ce5d31cc9f4d32bfa580aa4da3aadba3656ed5e9924c23b397452f1671ec03d7f47d5716860a84874c9b01101c1e04aaacf01b57114c91628d0aae439e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
26KB

MD5
8844906364b7b6b2d39c09188ef84841

SHA1
f11921884b4f4ab17c9b7fde41d6fc91b8d0a512

SHA256
87323870ba6751aedc9d9fb68e27b248d334e2b5f115aaf665f14080a05bb7f7

SHA512
c97185d33e67b9e2c648824362815a7fd76a51154595fc6c6d53e5d4826e50a0d2419d0af1714f37cdaca5b834537e7902e0dc7745f392d6e671002e62c51c62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
aff08448e0b9eea5bacc936213835e4b

SHA1
1837f8c291c4cc2db26b9520a619831ba7f56854

SHA256
a6cb2b970d9b8cc991164864d1588f306be6e28ad7dfec9ac657c5d60e293d78

SHA512
6869a11cf6aad9d5531153803a18a85fcb4f74ef0e0cbf3d9b00530e4500e6f2a1b3404d80f3c2372ac7052cdb8d72a7be77d239213e4aed635d45042cfd7d8d

Download Submit
C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc
Filesize
71KB

MD5
8be45ded74bfab0a4781eb04bd8f6b45

SHA1
e14ddcf6fb381c5dff7e64677a1aa94c84a31098

SHA256
25fda4285c7a6ea601232f4b2ce8e373a3a38b7a4d01847b0ab00ea0dc5c3d52

SHA512
9a18483781d5e58f34ef36e8b98e7a401c0764282a1d64e08845152b9c6f65982a399966e8dd66a19ad7690e52aec7b3b45d701db3d60e4d3626c1012d14fba6

Download Submit
\??\pipe\crashpad_2796_RBYBELUKYPJEAPZZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1796-188-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-189-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-170-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-184-0x000002EA0EB84000-0x000002EA0EB86000-memory.dmp

Filesize
8KB

Download
memory/1796-186-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-187-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-166-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-169-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-168-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/1796-167-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/2768-136-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/2768-137-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/2768-135-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/2768-134-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/2768-133-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/3908-193-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/3908-194-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/3908-191-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/3908-192-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/3908-190-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/4060-155-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/4060-154-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/4060-153-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/4060-152-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp

Filesize
64KB

Download
memory/4060-145-0x00007FF9AFE90000-0x00007FF9AFEA0000-memory.dmp

Filesize
64KB

Download
memory/4060-143-0x00007FF9AFE90000-0x00007FF9AFEA0000-memory.dmp

Filesize
64KB

Download
memory/4240-209-0x0000000000000000-mapping.dmp

Download