b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

Analysis

max time kernel
147s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

metrofax.doc
Size

221KB
MD5

28e855032f83adbd2d8499af6d2d0e22
SHA1

6b590325e2e465d9762fa5d1877846667268558a
SHA256

b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512

e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

4^/10

defense_evasion

Malware Config

Signatures

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$rd2013BW.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicSimple.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicSimple.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWClassic.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWNumbered.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Numbered.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Word2013BW.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Casual.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$ntered.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicElegant.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicStylish.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicStylish.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWCapitalized.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Casual.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Classic.dotx	WINWORD.EXE
File opened for modification	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Centered.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicElegant.dotx	WINWORD.EXE
File created	C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Capitalized.dotx	WINWORD.EXE

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{2705AB21-FFF6-43CD-8603-753EA7C01D3E}\8tr.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{6D5BD8D2-A2E7-42AE-BB03-F4C31FFE1AD3}\8tr.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{6059795D-2F0C-4D6E-93FC-8AF11B273C29}\8tr.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{2705AB21-FFF6-43CD-8603-753EA7C01D3E}\8tr.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{6D5BD8D2-A2E7-42AE-BB03-F4C31FFE1AD3}\8tr.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{6059795D-2F0C-4D6E-93FC-8AF11B273C29}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
624	WINWORD.EXE
624	WINWORD.EXE
1128	WINWORD.EXE
3344	WINWORD.EXE
4656	WINWORD.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
1128	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
624	WINWORD.EXE
3344	WINWORD.EXE
3344	WINWORD.EXE
3344	WINWORD.EXE
3344	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE
4656	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1136	624	WINWORD.EXE	83
PID 624 wrote to memory of 1136	624	WINWORD.EXE	83

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\metrofax.doc" /o ""
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1136

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
e2c88652d0cb3ca5be75877f24726c32

SHA1
262a84c85f669b443621a763e237231330f1402f

SHA256
65eb33a2130a1cb8063a74327801f7d7a00abfd0abb9456593be43988177ff4f

SHA512
3b248611a319ef69ab5baab30a74fcf64a0c807b9338cd694f650c3e583a837ee9a2a3bc3275fabb6ce7a454f10260370c80f72cb9df5b6f96530ba91a071d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
39da3c6db8e1437df19a67d8ea5acbb8

SHA1
61f07064925c2de8269fe39bb72b2ff9fc8ffa9c

SHA256
7b14c8f75acebd98b33e7f00ecb014a25d38009f776207016b8a049d61f132f8

SHA512
719975154f008eaf59fea756405baadc40b5121fc79f0ef653c55319dd32ce9362cee3198caddaa529dfc8926d46a3ddb746cab4a3641f4714ac5cc374c93b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\270E512B-2D50-4494-81A9-37FA348BA578

Filesize
178KB

MD5
f4a2b714bc0d468fe785ea794812ebec

SHA1
ba7d1afc9e47c9414a0e5066cbe6427d9d21e5fe

SHA256
3868aa0c348c2a88d20fb9f28e4f2c9b8d73b93edf20c63557653f03a9afe38f

SHA512
ae4905474ef8a4efa415a510e37db5ca70359baacb7003d11c88e2c9881368c8657c39c4c5867be6e2df2fe67b3217edbdc510baac301511522062e841a12031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
331KB

MD5
93b86dbf4b144be5b008e1cf103fc857

SHA1
65b7222eb6dc14a104558d62e28d4441838f1a14

SHA256
fbcc86f3fee25158e3445c60f44ed208ea64fa3c2cbd175fe07c689a330a2b1f

SHA512
8b3db391afafe1782937bf28caca0e5847b536bf0f846f098360a8ce59297f1a4793b96fbea1264fe19775daae4d9e5727a3f4295e82c8257ca0f705152c95bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
3fd561cb7d345dd10eadf692e2c477a8

SHA1
601df522c509dbedd1f0117f03254f80c931d830

SHA256
34fd6bff613f75a5fb64f704d8468f1a0a121319db0c3f497e39a8fff5fc0d8a

SHA512
6a272c37f8cbe77f9c4d2557d8108aff3478e4a2b2de0bda858b4083e3c50757198bbdba9358b5942a4b8d90e6f522c9536da0dda9c46e2ec353512bbd6afefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
14KB

MD5
2f3667caf3cac144f13e5fa82441b7c8

SHA1
bfadd706c05b7e8c150289498f47732698be3d5c

SHA256
7c21d46fbb65737b3a28cd5174a8148ffe67b4a7c19a486827525ca241af0e99

SHA512
7637fe15dc8e2f49f6e130a1c11117c7c860c1ba5992ce83321dd6c5954c040f0384947a9734c7721ff127f241fb2c436ce47e5e6eb3587341d486f472fc7113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
16KB

MD5
f2ffccd9abaa452d4a5c22251d1bf574

SHA1
46848863459a10a78e0e5e6b172ebaa0d5ebc35f

SHA256
354b8a29615832b8f0afbde43b512542aa32e09f391851198431ab2aafd77e53

SHA512
41abc13ef7f18e87d1eb0b9565b6d6358e0d398aadbf317299dda9d2238d7f198bc80cdb18bfd5377fdaed9b4613b89c424c8ce3da1a66d7d9906919b92f685c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
3fad64093e38d56d318cb471b3ff8daf

SHA1
40179665f59d234f48db7ab0cce740b29ad452bc

SHA256
2b112dff079e20684660d7fb82c9ee7c490ae261e068af466c51950ffc137382

SHA512
d76725e25b2662fc53a8360ba55e51818411df398185e00ff604b98e1c806ae399a6cc075887977c423e68ddda2355d756a1e989cb7d3213a9a73e38e967f766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
12KB

MD5
8c361ccdcbbe8fea1314410f3de38164

SHA1
88708b28d6dfbb52079cb2879eff00bb7d8a72fc

SHA256
358506b2796d8af27c87506acc9ea8f99f3cabb2d74e4920826ac55a6466696a

SHA512
d614ce2ec68d4dfe3b5da778beb03c03c952f360a913d8e224891e32a7dcb14b4b03bcef63c3b1e72b17d61c7385eb94adae6afa3101fa9aad2842e4dfe214a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
16KB

MD5
2da5b976dcf2839d65e2aae7ab354b05

SHA1
aa2ddae84272425f67a1e28348277dca90d359df

SHA256
5fb021aed4219b0b9bad7141dcac0080ba6852569a5e4593d732a2cff2dc0b14

SHA512
fe9647a8570cb290a55d000ecc18298daa7efa6af503c96740c76697fe9d39785b4ff55ce1c9ddd6eceb4f993347b5f57237665d7a509513b3ba0486430bea74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B092B070.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp

Filesize
18KB

MD5
40227bec4361f7beeb78462ad7f581e4

SHA1
2c80fbc40215d7af5ba6a9ce4f91e5c35b158bb0

SHA256
da8ba7060c2e7613dde22bd4c8a31dea03cc239b83f962773657a69cba864c94

SHA512
815bd982bee9b295447423b607a546294d08dabeff0e411f11e9d118074ee8d61757db1421f08edaf821d82a2e8fb383384946e749b7fbacbe0b6a8474bdf5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{76CEAAAA-EB38-449A-B088-2E238BBCB50B}.tmp

Filesize
1024B

MD5
5d4d94ee7e06bbb0af9584119797b23a

SHA1
dbb111419c704f116efa8e72471dd83e86e49677

SHA256
4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

SHA512
95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{FEE30E59-67EC-4B33-AD6F-4C909E593321}.tmp

Filesize
1024B

MD5
903f13b0512aafee31638c93b183c9d1

SHA1
fea4a179a9efb45d55ddfd0d40573a6751bec110

SHA256
a5abbce2b812627983d4db24fba0962a05640d173403b78db080241d0354b2a4

SHA512
4fd3d3b0d330ab828e5528f5c6b4bfb04dc9489177669cb24654c0fb2a4a5bee2cc1ff1d83e130718a1c2c84d73378f1dc73a3315dfbf4253bcb4eb1ad6ab3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC559.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
64d1c9f51238ba56ae7974b4e5790760

SHA1
3570374615b7d8bfb7672d7c7a2902aff89a95dd

SHA256
f7bb5cce6a6ccbd4050f65ef9a4e509fd81191e99ccd881080a3980cbcd0f99f

SHA512
1dc3552aa0dbec998f676681964d462d7e995648eeb21bfc8dcb19bce44e079f8b6ac6c815be7dc5b71062a1297a8815e06b58dc6be9ede6494a1194a1899eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
820KB

MD5
16f0f4d92ad4e5a4420d87e1d454e48f

SHA1
64a144f7eedeb22b9e41bcd4be04ce62f590604f

SHA256
1ca9acd510249148cdee07c637920230f53584c07600d0ec34436cd42fca0a03

SHA512
1979d9081225d82e3387e063685ad8e141b7b17a3456313e0a6b135d5ca50bfa721f512cffdea622282af23a3b9b679852dde33330cc4846fd4db50884cbce53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
820KB

MD5
f28985e1e2944ebaab20f7a8b750a05c

SHA1
b0897c09bf7a6fc3859419520f769a07b08526db

SHA256
bacd3583349275f2652be643b085a95df95875c6f15c078756b0a76864504b5d

SHA512
6b4f339dc206e8c5cf568baae1782087aeb3de7e69ba1c5c975f6d8336d2c3cdb2312d9995da9ea77e92ae5866ee0cf4ad2cf55eedbfc9ec6f84da481d4db550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl

Filesize
325KB

MD5
58aafddc9c9fc6a422c6b29e8c4fcca3

SHA1
1a83a0297fe83d91950b71114f06ce42f4978316

SHA256
9095fe60c9f5a135dfc22b23082574fbf2f223bd3551e75456f57787abc5797b

SHA512
1ebb116bae9fe02ca942366c8e55d479743abb549965f4f4302e27a21b28cdf8b75c8730508f045ba4954a5aa0b7eb593ee88226de3c94bf4e821dbe4513118a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
c2372cdd2d2ad438677b7e10df85afc0

SHA1
d7c658c2c41c15b6090f53ec69498f202ee38db6

SHA256
004af2aaf388075af56883e7a69f8d9dc62d9518ab90ab7d10dfa9073a58957b

SHA512
f32445bb4bb99086756b95c36767f84553be552f2ed49b77c23daac5aa722700b5b6cbcb1b7077bb207b3d15beb56549824c8d7bfe634b89b7b78547b55bdf06

Download Submit
memory/624-12-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-14-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-149-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-1-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/624-3-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/624-2-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/624-8-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-15-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-175-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-17-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-19-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-18-0x00007FFAD7EF0000-0x00007FFAD7F00000-memory.dmp

Filesize
64KB

Download
memory/624-16-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-162-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-0-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/624-13-0x00007FFAD7EF0000-0x00007FFAD7F00000-memory.dmp

Filesize
64KB

Download
memory/624-11-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-4-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/624-5-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-10-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-6-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-9-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/624-7-0x00007FFB1A960000-0x00007FFB1AB69000-memory.dmp

Filesize
2.0MB

Download
memory/1128-169-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1128-166-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1128-167-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download
memory/1128-168-0x00007FFADA9F0000-0x00007FFADAA00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads