487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Resubmissions

13/04/2025, 09:00

250413-kyfgbasydv 10

13/04/2025, 08:55

250413-kvgj7ssmw7 10

13/04/2025, 08:32

250413-kfmgxaskw4 10

13/04/2025, 08:10

250413-j22y2s1q13 10

Analysis

max time kernel
212s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc
Size

34KB
MD5

3fb34964fa7b8c6bfad8d960380ff04e
SHA1

9a3aec40056ce74bac833989ed71dfb6c2626f4c
SHA256

26026b1b3d0cb660c6be6c536df679acca0b5562a3adbb507d001474d23f5650
SHA512

a82b522dfd7eac30292a9e9ab19ddac94563804e77a1090e5f44de7e794ef4e5ebe0e7fb36e5177479417c8176ae0475613700755ca015c7ce941a4740215faa
SSDEEP

384:bzIPMepSbSsG/CdPvunCpeJzKoSS3D6JO5LfBqtjbjk4Eohubn3ezta:nIPMecWsGKVunFFRDE6pqjhust

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000b0000000242c6-547.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
1908	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 49 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000008a5a1a9712004170704461746100400009000400efbe8a5a1a978d5a25442e00000067e101000000010000000000000000000000000000000f5e32004100700070004400610074006100000016000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000008a5a199f10004c6f63616c003c0009000400efbe8a5a1a978d5a24442e0000007ae10100000001000000000000000000000000000000075e2b004c006f00630061006c00000014000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000008d5a4744100054656d7000003a0009000400efbe8a5a1a978d5a49442e0000007be101000000010000000000000000000000000000009b9b6100540065006d007000000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000008a5a1a971100557365727300640009000400efbe874f77488d5a24442e000000c70500000000010000000000000000003a00000000007aab400055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000008a5a06a0100041646d696e003c0009000400efbe8a5a1a978d5a24442e0000005ce1010000000100000000000000000000000000000050381b01410064006d0069006e00000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 = 44003100000000008d5a474410003300340009000400efbe8d5a24448d5a47442e000000314202000000070000000000000000000000000000009b9b61003300000010000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\NodeSlot = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 5e003100000000008d5a244410005649525553537e310000460009000400efbe8d5a24448d5a25442e0000002142020000000800000000000000000000000000000032780c017600690072007500730073006800610072006500000018000000	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1908	WINWORD.EXE
1908	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
1908	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE
5632	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 5424	1908	WINWORD.EXE	96
PID 1908 wrote to memory of 5424	1908	WINWORD.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2512

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CopyUse.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5632

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D9BA0D1C-9F20-4905-A45C-222ABED97138

Filesize
178KB

MD5
2f701443f317b2948f132882b51c1d84

SHA1
45bb66cc95aa3bc553960c873e30142fa3837ed2

SHA256
272e0c10070ba60ca54ea88800b85dceff8e8ad3b6971e043f81a25b65d4f2ba

SHA512
25e56d33178b2fdf79a945687ecf230ee83951a464d2c5435b33aaf161182a7838b99f5328972fc75af0c98c6f4bf4d2f18b25ff2a28e48944e5994477dede25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
333KB

MD5
f17301bdb75b75fc090bc027156e6eb7

SHA1
e38c39df185e19d0cbec8b91f5f3cef712407204

SHA256
cde2198bd1da248935802e2dd9a12747210d3a57a9a392d5b42bb6b51a451f86

SHA512
585f73b2c2ad21ec31ca0849c32b5fb41b6a3a118631412e88629e759789649ef9e30d2bb3f3b9c18bfc97bbbb987503809e93df071a5edfa8055396a0e9c810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
9801db54ccb2e5e2982f63cdfeb8dd1f

SHA1
0c0784a39d070aee125f87e0a929e40f97ddaa0a

SHA256
73a3d92750a23ea9911d0ed889caa6d79375b92903e4b192693fb92fd4192e9d

SHA512
bc99515195a440bbb351c08a5c5b7de8ba3a02d0954f4ff9f339a79bbd02d9e5efc8a586ae455c4c874411553dbb440def5f21d6d001c47a4cc1b11c371d3dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
5c4009ec300bc26fcdaeed07fd3483b6

SHA1
e828fe5c7f3f605f32a0158dcd1e2aa3422ed480

SHA256
ee0efce1b80f5f29932d4d7d9d0ce078e76045850bf5c01f0eec661dc7beab9a

SHA512
9b45322a6a7f72955a0156c0aeee4f14a547c60e2acb783826f19e3fb307b386890f95f4c7da71b1335bd5cb0f4f9f219a06ac28508f07abdbe4a4aec81726f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD3009.docx

Filesize
45KB

MD5
fc813e8d6e7728535d9576044281979b

SHA1
9e99e8f9f9383a0e62f52788e8dc70de9a31b315

SHA256
2e88e05e3af8ae0d9422a7726b021afa9ff13f70bf26ff9d6fdf18a46347fea4

SHA512
0fa87be3da2223886fb121b42a8b5b8de1aa3bf0b83ecb51bdb602ce68731562bd7dc6d7162c3fc79644a7b64788bb96e2f8a1402d49bb3eb22650ff4f17e717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD3025.docx

Filesize
45KB

MD5
bfc97f847a77f8061b58c24e9a97ab4a

SHA1
65598281efe6d7ce9787e76291ce11103a4243aa

SHA256
9657e0b4d76800067de641ebebf1b52fc5de077fbaca7b7d79953fe031b821e6

SHA512
51ebfa10fed431e8d2ccb77eda1fdb5f0d623238eaede23ab53742a6a6c1d77cab55fdd97183d2827afb3aa941d9415d62248d5a9d8003f42d92957dcc355fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDEF74.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp

Filesize
35KB

MD5
9fddd97350c393fdb4a4021f8cee9bbb

SHA1
c4f577c85224df820d27e798c2451cbbe025344f

SHA256
5772dfd6e0e2fa19aa41932b0d7ed9888648842870ff4e7f0996168a947c3fac

SHA512
4d60eeafb01ea9e3c6e8d7ead5ba22bf9cf6fedbcd795b4326b2a5c741a2e9e71c74268fb75f50a87a8d465eb3ffc22e8cdc0e571dd7beaaae18bc50949d7b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRL1752.tmp.txt

Filesize
35KB

MD5
fdd3035f03b6324f8e5f643dabc6d3cd

SHA1
5e04b015efb975e82d6178f2af5ff762f86180e8

SHA256
c218803a4bbbf1acab194d33de64b3ec810c5c4a20657e12fa00079f4a23d50b

SHA512
cd97cbe5283efe0a242b8ceca192376a91010bc4f6261bf29531f085d6bb653b5fb753e0121afaafbf2197ad51a0fbfe60da1c7e800a12a88329c7d2d0736f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1908-14-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-648-0x000002BA6D580000-0x000002BA6D5AC000-memory.dmp

Filesize
176KB

Download
memory/1908-21-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-20-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-19-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-17-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-16-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-30-0x00007FFFC240D000-0x00007FFFC240E000-memory.dmp

Filesize
4KB

Download
memory/1908-31-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-32-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-33-0x000002BA6D580000-0x000002BA6D5AC000-memory.dmp

Filesize
176KB

Download
memory/1908-15-0x00007FFF7FA90000-0x00007FFF7FAA0000-memory.dmp

Filesize
64KB

Download
memory/1908-2-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-13-0x00007FFF7FA90000-0x00007FFF7FAA0000-memory.dmp

Filesize
64KB

Download
memory/1908-10-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-11-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-12-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-644-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-647-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-645-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-646-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-18-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-649-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-3-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-5-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-4-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-1-0x00007FFFC240D000-0x00007FFFC240E000-memory.dmp

Filesize
4KB

Download
memory/1908-0-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/1908-6-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-8-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-9-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/1908-7-0x00007FFFC2370000-0x00007FFFC2565000-memory.dmp

Filesize
2.0MB

Download
memory/5632-655-0x00007FFF7FA90000-0x00007FFF7FAA0000-memory.dmp

Filesize
64KB

Download
memory/5632-661-0x00007FFF7FA90000-0x00007FFF7FAA0000-memory.dmp

Filesize
64KB

Download
memory/5632-654-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-653-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-651-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-652-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-650-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-688-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-687-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-690-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download
memory/5632-689-0x00007FFF823F0000-0x00007FFF82400000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads