487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Resubmissions

13/04/2025, 07:17

250413-h4j1ks1lt5 10

13/04/2025, 07:12

250413-h1v9fa1ky7 10

13/04/2025, 06:41

250413-hft6ms1taw 10

Analysis

max time kernel
445s
max time network
447s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc
Size

34KB
MD5

3fb34964fa7b8c6bfad8d960380ff04e
SHA1

9a3aec40056ce74bac833989ed71dfb6c2626f4c
SHA256

26026b1b3d0cb660c6be6c536df679acca0b5562a3adbb507d001474d23f5650
SHA512

a82b522dfd7eac30292a9e9ab19ddac94563804e77a1090e5f44de7e794ef4e5ebe0e7fb36e5177479417c8176ae0475613700755ca015c7ce941a4740215faa
SSDEEP

384:bzIPMepSbSsG/CdPvunCpeJzKoSS3D6JO5LfBqtjbjk4Eohubn3ezta:nIPMecWsGKVunFFRDE6pqjhust

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x0029000000024305-549.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
4116	WINWORD.EXE

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000006e5a4a94100041646d696e003c0009000400efbe6e5af08c8d5a593a2e0000005ce101000000010000000000000000000000000000008fe5f500410064006d0069006e00000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0 = 5e003100000000008d5a593a10005649525553537e310000460009000400efbe8d5a593a8d5a593a2e000000aa420200000007000000000000000000000000000000339f07017600690072007500730073006800610072006500000018000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000006e5af08c1100557365727300640009000400efbe874f77488d5a593a2e000000c70500000000010000000000000000003a0000000000cd12870055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 50003100000000006e5ad99310004c6f63616c003c0009000400efbe6e5af08c8d5a593a2e0000007ae10100000001000000000000000000000000000000132b34004c006f00630061006c00000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\0\MRUListEx = ffffffff	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\0	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\0\NodeSlot = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 56003100000000006e5af08c12004170704461746100400009000400efbe6e5af08c8d5a593a2e00000067e101000000010000000000000000000000000000002c267b004100700070004400610074006100000016000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 4e003100000000008d5a013b100054656d7000003a0009000400efbe6e5af08c8d5a023b2e0000007be101000000010000000000000000000000000000001caf2b00540065006d007000000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\0 = 44003100000000008d5a023b10003300340009000400efbe8d5a593a8d5a023b2e000000ba4202000000070000000000000000000000000000003e0e6c003300000010000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD3672.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2196	NOTEPAD.EXE
2572	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 6 IoCs

pid	Process
4116	WINWORD.EXE
4116	WINWORD.EXE
4564	WINWORD.EXE
4564	WINWORD.EXE
2968	WINWORD.EXE
2968	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5484	OpenWith.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4116	WINWORD.EXE
4116	WINWORD.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
5484	OpenWith.exe
5484	OpenWith.exe
5484	OpenWith.exe
5484	OpenWith.exe
5484	OpenWith.exe
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE
4116	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5484 wrote to memory of 2572	5484	OpenWith.exe	119
PID 5484 wrote to memory of 2572	5484	OpenWith.exe	119
PID 4116 wrote to memory of 5168	4116	WINWORD.EXE	124
PID 4116 wrote to memory of 5168	4116	WINWORD.EXE	124

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
PID:6096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5484
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2572

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
1⤵
- Opens file in notepad (likely ransom note)
PID:2196

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
PID:5448

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
PID:3036

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
PID:3888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4804

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:4564

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
PID:2968

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
15edd1b18d01ba2a613d62919ed706ab

SHA1
702cd3e62466b46eaa362e11fdeb5add76ba97f1

SHA256
beecd9f01075baf462dfc3e075918ee42b914d03e6704f94fe1a41526a6f0f72

SHA512
9176a541226bb43e5ff8ef7dcb558e44776e788ff80aff00b3ea8715a64d850b714586aafb0bdd1bac5d24b85357367a991915b89818242fb693f54edf7859f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
eb7d8b7b63c4c48f941b9df12bd443b0

SHA1
e9f94cb62b2126c01556955c5d314050f9d3fbed

SHA256
83aa120934a4ea4dac52e76a73998f5e1dc7e069a755d00be932d94e10b80e0d

SHA512
ac7f4899cacdce4b459f50035dd41d9e67e3c89e6eae49fe90d255ac397d47a314888ca78eed43e227dbe162fab0c827db3045826892a8632b5448253477e66b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C113FF1-F15A-4B41-857B-78DA9664D09A

Filesize
178KB

MD5
142936e8f1f3dbd3cc44e1370012b8f3

SHA1
1f6fd86a8c3cdfc245f03de1ea862e834f721360

SHA256
d9acba64a5dbbbb25f32918048be896e1b8b1d71c78b4a2e28de62ab2f93fea3

SHA512
54f2b8522a8a662e8ffd5cf197d17f0a76e67745cfdb1644fb4f89243a1d0438d5932dda9cb9cffee0eb3e7118fad046430b7f81e0e43aec11aa5f0d47f84f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
331KB

MD5
93b86dbf4b144be5b008e1cf103fc857

SHA1
65b7222eb6dc14a104558d62e28d4441838f1a14

SHA256
fbcc86f3fee25158e3445c60f44ed208ea64fa3c2cbd175fe07c689a330a2b1f

SHA512
8b3db391afafe1782937bf28caca0e5847b536bf0f846f098360a8ce59297f1a4793b96fbea1264fe19775daae4d9e5727a3f4295e82c8257ca0f705152c95bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
8c19910bc7e347a8a7630bf122086f9f

SHA1
675afa3f3fa4be4ca6c22a277a871e22a596c10a

SHA256
910ee62f923d44c9cc2d102391bd95cd795468b056e8ffbd5c2970eec0630639

SHA512
b82769216040fa99c4b1dcc8f7af34e2e61f3c7740d07b16ddb002f05e84f7bd0b15b6025b7ec241e300169fada07bc955c6f60466c2018e96992b28bd833fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
1fc1ff5d847933e7d532f17399ff487b

SHA1
4417ec8ade799d4ebbd5eeb2c9e22b5ba72f19ca

SHA256
9ae34e263ec63959a0d2532ebbac17ca34794d7cb74bbedf4651c01834064b46

SHA512
c6fa2c6f8fb3249b4fdbe8c62f4264e35fc3afafbf7669d86489c0ab9d5820f00354c97077be0f58db7ef9227bfbd3bf9ab53d9db8753db9459aa74b93fc48d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
92e9ad788dc839d9a35683f219a26cd3

SHA1
22279280c8ae8bbf08f589db31198ccddea920cf

SHA256
3d611aa0b94ab2f9039fec4f158c5cb4b1d406f78b7af8252acae9ead1b0708d

SHA512
e9af9eb31216b172948e4e59a35fa03d56dc0189bc50336434b4fcba057a2e6c16470f3058f0a320b243353e4f084917617ecabfce3ee4a739ef6447130dd321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
f9c46161dc91d96d51438bd722d6da51

SHA1
739171b29d50c2235da02433f24b36bd03adaae8

SHA256
a056f71e6436fba3e8f9d97ac56e82e75d7e361c4adab3df9357bed037904d59

SHA512
b3483b181c628aea42afc290710ee01e8f069cb28ab5ca75216e60ab56e7cce3b8229170810866a4842667714de72e0f3fd0592c181587eb07a1a8d827ff87d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD3811.docx

Filesize
11KB

MD5
dd5a7940ab67ffc044bbf8d6a9b5328f

SHA1
60299f30709e9ed4d47d8758839a646bbd2b7234

SHA256
cb52a0d6f3e7523a4511ff7e027e636cfe2c8616340118e87f5a7f8cbc1b2ca6

SHA512
eb4215caf7a53f5b1e7f53a44f6e97f290e348594047a741ff320ae6cb3bfb8d530e709185308d34a4ffc0ac41c9d9c3e04713085bf06312c7a85e4b313509e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD3815.docx

Filesize
11KB

MD5
de2ea2baef5e88499c51c107d9261e42

SHA1
f923873647e21e3b3837b2e1e2c8639d45c61ae2

SHA256
334874e8b8b9bb01ac3633b1ffb4380db8bc49b615648249626ef864ed87bf2a

SHA512
bdbd70b8fbb9fb790d45a11bdfca140597efd59b1fd04f8ae6672108f2340ddc8571cd24dab553d86bab537e3fb0bf2e202aea88a367fa8b04971c165bb85f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD1E7D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp

Filesize
35KB

MD5
a6502577ad6d9d8bcf9274d39dd67b01

SHA1
d73fd3295cb0122948149577377b80ada8b1d511

SHA256
074f477955a11e47333a0bf65debd9bf24981e3bb3aabb9c25957735f0dcb9ae

SHA512
a39e19de8086f6dc4a647a984461cad22a2897c73a62df3efa3cfe671c1c02c91b6f308122dd0b9246195f542bfb111332d72dd761bb70504af1f56b47fadd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
337B

MD5
ca757bbdc720d655c89547ceee38e148

SHA1
ba131a87f7b2c3688bac1e4a1c8353539653cecd

SHA256
a14e47e696881891bc945da2568cb7fa6931adc06605fef0f1fd98a6be3eb10c

SHA512
023ed460b7b8044ffb73fe735c1253794c0d2c1472dc25047176eb1bdb271b1b06becce3ec0d79439321f1a39b1410187b8d4b3d27c63f7a292ac340ecaba9df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
678B

MD5
d0f14ac5cc8728e86f4b82c0112121bd

SHA1
b37f2200747c40989b15e7fc74a910aea48f670b

SHA256
1208394d432a4ae43768c0b436ea16f9d2464d20c6db0175f83a9180b8d2234e

SHA512
68e751c8e50bac97a3e6f9a628a4c2f53f220cf5a4614a8c1d72ad786e61634e43d351fde3dc492e81ea6695ef024740bf615421f2bcd7c9143ef8e90373b078

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
678B

MD5
6802527a1a670e1362afbf3fb39def0f

SHA1
03c7c730e187f21f10f43be8c2801e69dace7465

SHA256
24d11f627ad433f9bfb75d5edcf2bed60bb3343cab75e2420a651ad41e4e0d47

SHA512
09ba668679321b30c2ef3d7fc7407efdd7c6cb3db773dd6892b75fb1857f1388130b7390e7566d123020048c8a036fbbb6fd095c5f3c7bc3c06cf30f3bde5989

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of ~WRL3675.asd

Filesize
95KB

MD5
0b71130e2cf6e03bbd661cf797af7e14

SHA1
bbe86bb45d799e0883c25b73bb97e059d495262d

SHA256
db1c8cc18c64a2c45e7e97e5b24a10451a9ff57d45d70b18acc6200a0e6398ee

SHA512
9b5be7e9d9afd6557b0b3b81adc41d251b6c78f07cf03cc5095eb172ec92730afe1890f6ec3a482e08acb8d0b932ef2c63d2a5dab2df20765a2171d9b376a6d6

Download Submit
memory/4116-8-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-31-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-0-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4116-3-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4116-13-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1-0x00007FF879E0D000-0x00007FF879E0E000-memory.dmp

Filesize
4KB

Download
memory/4116-2-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4116-29-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-30-0x00007FF879E0D000-0x00007FF879E0E000-memory.dmp

Filesize
4KB

Download
memory/4116-17-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-15-0x00007FF837880000-0x00007FF837890000-memory.dmp

Filesize
64KB

Download
memory/4116-16-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-769-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-4-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4116-6-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-10-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-11-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-9-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-14-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-12-0x00007FF837880000-0x00007FF837890000-memory.dmp

Filesize
64KB

Download
memory/4116-5-0x00007FF879D70000-0x00007FF879F65000-memory.dmp

Filesize
2.0MB

Download
memory/4116-7-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-770-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-773-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-772-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-808-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-809-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-807-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-806-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-771-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/4564-774-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/6096-567-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/6096-566-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/6096-569-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download
memory/6096-568-0x00007FF839DF0000-0x00007FF839E00000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads