Analysis
max time kernel: 1655s
max time network: 1406s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 02:50
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/NTFS123/MalwareDatabase/blob/master/Virus/Virus.MSWord.Akuma.zip
Resource: win10v2004-20221111-en
General
Target: https://github.com/NTFS123/MalwareDatabase/blob/master/Virus/Virus.MSWord.Akuma.zip
Malware Config
Signatures
Processes:
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
- resource: C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Program Files directory 19 IoCs
Processes (description: ioc, process):
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$rd2013BW.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$ntered.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Numbered.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Classic.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Casual.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicSimple.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicStylish.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicStylish.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWNumbered.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Casual.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Centered.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicElegant.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicElegant.dotx, WINWORD.EXE
- File created: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Capitalized.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWClassic.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Word2013BW.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicSimple.dotx, WINWORD.EXE
- File opened for modification: C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWCapitalized.dotx, WINWORD.EXE
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description: ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, WINWORD.EXE
Enumerates system info in registry 2 TTPs 15 IoCs
Processes (description: ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, chrome.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, chrome.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName, chrome.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, WINWORD.EXE
Modifies registry class 1 IoCs
Processes (description: ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings, chrome.exe
Suspicious behavior: AddClipboardFormatListener 8 IoCs
Processes (pid, process):
- 4060 WINWORD.EXE (2 occurrences)
- 2768 WINWORD.EXE (2 occurrences)
- 1796 WINWORD.EXE (2 occurrences)
- 3908 WINWORD.EXE (2 occurrences)
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes (pid, process):
- 528 chrome.exe (2 occurrences)
- 2796 chrome.exe (2 occurrences)
- 3896 chrome.exe (2 occurrences)
- 1180 chrome.exe (4 occurrences)
- 1040 chrome.exe (2 occurrences)
- 4148 chrome.exe (2 occurrences)
- 1576 chrome.exe (2 occurrences)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes (pid, process):
- 2796 chrome.exe (4 occurrences)
Suspicious use of FindShellTrayWindow 43 IoCs
Processes (pid, process):
- 2796 chrome.exe (43 occurrences)
Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid, process):
- 2796 chrome.exe (24 occurrences)
Suspicious use of SetWindowsHookEx 47 IoCs
Processes (pid, process):
- 4060 WINWORD.EXE (6 occurrences)
- 2768 WINWORD.EXE (12 occurrences)
- 1796 WINWORD.EXE (14 occurrences)
- 3908 WINWORD.EXE (15 occurrences)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process); all 64 entries are PID 2796 chrome.exe writing to the memory of a child chrome.exe:
- PID 2796 wrote to memory of 1656 (chrome.exe -> chrome.exe)
- PID 2796 wrote to memory of 344 (chrome.exe -> chrome.exe, repeated)
- PID 2796 wrote to memory of 528 (chrome.exe -> chrome.exe)
- PID 2796 wrote to memory of 1252 (chrome.exe -> chrome.exe, repeated)
Processes (child processes are indented under their parent; signatures listed beneath each process)
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/NTFS123/MalwareDatabase/blob/master/Virus/Virus.MSWord.Akuma.zip
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d5f44f50,0x7ff9d5f44f60,0x7ff9d5f44f70
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1960 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5084 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 /prefetch:8
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,14689956761737365617,8253098754260770292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.docx" /o ""
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc" /o ""
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlFilesize
118B
MD5573220372da4ed487441611079b623cd
SHA18f9d967ac6ef34640f1f0845214fbc6994c0cb80
SHA256be84b842025e4241bfe0c9f7b8f86a322e4396d893ef87ea1e29c74f47b6a22d
SHA512f19fa3583668c3af92a9cef7010bd6ecec7285f9c8665f2e9528dba606f105d9af9b1db0cf6e7f77ef2e395943dc0d5cb37149e773319078688979e4024f9dd7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
471B
MD50ceb959707bc4a9a9a94e3881584aab0
SHA180f8154bab75b5c54a116dcd25e2d8b20e187ce0
SHA25634e300ba0c264a6dc331be37fa3874a0f793b86dfcb6fb7ad4b184cd246318cb
SHA51226b482b5e4a489f080ebff21f6f267cf01938549ea8f413786f58b5fc5cb66f79fcca3c5e5ee89c6e49b34fd752b66f8f3c3ac790ecd7c8bbe2d608694248458
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
471B
MD50ceb959707bc4a9a9a94e3881584aab0
SHA180f8154bab75b5c54a116dcd25e2d8b20e187ce0
SHA25634e300ba0c264a6dc331be37fa3874a0f793b86dfcb6fb7ad4b184cd246318cb
SHA51226b482b5e4a489f080ebff21f6f267cf01938549ea8f413786f58b5fc5cb66f79fcca3c5e5ee89c6e49b34fd752b66f8f3c3ac790ecd7c8bbe2d608694248458
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
446B
MD5636e14579a2259fe0394f9244aa8fe5c
SHA1c325ee64a789ab4cbbb9758138e7696d3b3684f2
SHA256c3d3b8c575940dc14f114163dc581de7b00885f4ad212c58a62892452ecbe0b1
SHA5124e6c0b4c259ca4e0becc7e698e1917a2248fc4a2ec78580fcde67b04f24a3b002158533a86872498e3f86002eba2bc13af7fdf198b557d66989c0db28369aadf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
446B
MD5a975e37199b1320dc817bdd20ca82335
SHA12c00512d88f90fe59f6ac10991bdabb3be402c12
SHA2565629fbe8cc5f18894eeccff022f17a1eb47f4c8338143bcb89939f963c70543d
SHA5126881dab28b1da9409bb3f393e5c889cf3a88f0c464ad051bebdf0ec12da027f2af566242895c28b70482b4338327dd6bcb7068e41cc1084db3b506bf7de86161
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonFilesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonFilesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonFilesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonFilesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonFilesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonFilesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonFilesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonFilesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonFilesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonFilesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonFilesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonFilesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1F3BB85D-7335-4067-A1AB-38F1CFF628D8
Filesize: 148KB
MD5: 992a8da765fe18cec37abaa281cd70f6
SHA1: 9255d115706c594ebfbfa01df134b690d707ac16
SHA256: 63d80845bdeef0d717b00206d328334cc6c57047dabe63dd2f2250eae39da82d
SHA512: 02ac775931ec0c1f9ab140d97e7723980abbab160c8e17eeb1be41c5f73ee70965d046865c20ee542d1650cbfafef861fc39b60868931cabdee02fecd26c1d4b
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize: 328KB
MD5: a6398ad8a9494534305c0a7bfa8d88ed
SHA1: c3d2bf9e617964a0cc64dbbadab940db706e1baf
SHA256: da89159a736d886df9e358eceecc63048bc20000e604fb754e76680ccd5bb137
SHA512: 14a539f1d5fe4eaa5828c63e73fdeee64daa3fa6ea938041afd4546c6263c55f9123d81f4256fa5e65b24de967c7e24bd51f434b57e5d068d99e413dd159610a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize: 76B
MD5: 0f8eb2423d2bf6cb5b8bdb44cb170ca3
SHA1: 242755226012b4449a49b45491c0b1538ebf6410
SHA256: 385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944
SHA512: a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize: 24KB
MD5: b00f3f56c104c94e03cd2ad8452c14e7
SHA1: 51b78e45015e0d9d62fbdf31b75a22535a107204
SHA256: ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50
SHA512: 93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize: 24KB
MD5: bb5122013e9da21ebcd7cf8bbfd442d8
SHA1: 137dc37b75c41a0edca25bc20dab16729c23d5f5
SHA256: fa311153c8e26e115ed889e986eabf2c6f96123d7a3a7f89102bfa89321342c3
SHA512: 6582f6d15a31dcaecc6e6fee0ebb21b6d2278c4b2c1f80580172181d457c47a8be7edb0bc007c701c8a3adc391656ee166a77f49f575539f4f7e5188f5da8a0a
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize: 32B
MD5: 16a707178678921874dceba3bc2e5859
SHA1: 22f3df9ea78db7a10887a8c521bb0efd69c2ecd2
SHA256: 3a746768e396af19f2b3903492a2638833756a0be4feb1e719e2287c5024c89d
SHA512: 6f3c85f9fab11af0792356faf879468d9be655a47dc8a4cb0b49eb7a9d5227739fd1d3d279e8ac75427d9a1cd58733e76b4a3a59e4a80222abd18714a00a3d5c
-
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd
Filesize: 148KB
MD5: 9d8dc45a03f64c41d83eb86efbf66bc2
SHA1: 3639f1c506ca619e6024f7951249ce7e2bf112a4
SHA256: b31438410255ee3cff1b817d169d5a0308dda6dc62de074fe0d3c064c3045a9e
SHA512: a301336e7c3c36e9ce83582f7d34729b0c8d515058a198be6e6a67f2b060c4fd4459d0edd574a95f2a6f47288db730fefc0a84fa2fb94fd48fa54f8f9830d1bf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Virus.MSWord.Akuma.doc.LNK
Filesize: 1KB
MD5: 1c25601a8cffbeac36457f53cbe7d219
SHA1: f84805bb6c1ab673da9724a2ad91caafcc189150
SHA256: dda8c5cf5f1961bf371ad1688d9ba02173e20f57c3bfb326ea72e6a26d18ae79
SHA512: 7145d23913fcfc9e0ea74e670f379e74ae4b61646a56c8f3c6b07b019de463c1d8790d643ede53ae4f30fffe5f4fc66065daed88feadf81ae3d5b75c89f7fcb3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 269B
MD5: 864f7b42928ed3b1a246a091bd09b3c0
SHA1: 9eac85818e244392015941da9b508a091e92a45b
SHA256: 5764f4046439a5ca7d664fff4d8e7beeb516652cc7a0ffaa55323bdc6d0fc560
SHA512: 31854ce5d31cc9f4d32bfa580aa4da3aadba3656ed5e9924c23b397452f1671ec03d7f47d5716860a84874c9b01101c1e04aaacf01b57114c91628d0aae439e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize: 26KB
MD5: 8844906364b7b6b2d39c09188ef84841
SHA1: f11921884b4f4ab17c9b7fde41d6fc91b8d0a512
SHA256: 87323870ba6751aedc9d9fb68e27b248d334e2b5f115aaf665f14080a05bb7f7
SHA512: c97185d33e67b9e2c648824362815a7fd76a51154595fc6c6d53e5d4826e50a0d2419d0af1714f37cdaca5b834537e7902e0dc7745f392d6e671002e62c51c62
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: aff08448e0b9eea5bacc936213835e4b
SHA1: 1837f8c291c4cc2db26b9520a619831ba7f56854
SHA256: a6cb2b970d9b8cc991164864d1588f306be6e28ad7dfec9ac657c5d60e293d78
SHA512: 6869a11cf6aad9d5531153803a18a85fcb4f74ef0e0cbf3d9b00530e4500e6f2a1b3404d80f3c2372ac7052cdb8d72a7be77d239213e4aed635d45042cfd7d8d
-
C:\Users\Admin\Downloads\Virus.MSWord.Akuma\Virus.MSWord.Akuma.doc
Filesize: 71KB
MD5: 8be45ded74bfab0a4781eb04bd8f6b45
SHA1: e14ddcf6fb381c5dff7e64677a1aa94c84a31098
SHA256: 25fda4285c7a6ea601232f4b2ce8e373a3a38b7a4d01847b0ab00ea0dc5c3d52
SHA512: 9a18483781d5e58f34ef36e8b98e7a401c0764282a1d64e08845152b9c6f65982a399966e8dd66a19ad7690e52aec7b3b45d701db3d60e4d3626c1012d14fba6
-
\??\pipe\crashpad_2796_RBYBELUKYPJEAPZZ
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1796-188-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-189-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-170-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-184-0x000002EA0EB84000-0x000002EA0EB86000-memory.dmp
Filesize: 8KB
-
memory/1796-186-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-187-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-166-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-169-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-168-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/1796-167-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/2768-136-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/2768-137-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/2768-135-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/2768-134-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/2768-133-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/3908-193-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/3908-194-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/3908-191-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/3908-192-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/3908-190-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/4060-155-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/4060-154-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/4060-153-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/4060-152-0x00007FF9B2750000-0x00007FF9B2760000-memory.dmp
Filesize: 64KB
-
memory/4060-145-0x00007FF9AFE90000-0x00007FF9AFEA0000-memory.dmp
Filesize: 64KB
-
memory/4060-143-0x00007FF9AFE90000-0x00007FF9AFEA0000-memory.dmp
Filesize: 64KB
-
memory/4240-209-0x0000000000000000-mapping.dmp