Malware Analysis Report

2025-05-28 14:54

Sample ID 240821-h3s7vswbkg
Target ORDER CFC.docx.doc
SHA256 dcdd3c117ec0dc6af052496d1cc0d24da9b264f566e0e763380af879dfbcdf27
Tags
vipkeylogger collection credential_access discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dcdd3c117ec0dc6af052496d1cc0d24da9b264f566e0e763380af879dfbcdf27

Threat Level: Known bad

The file ORDER CFC.docx.doc was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access discovery execution keylogger spyware stealer

VIPKeylogger

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Executes dropped EXE

Loads dropped DLL

Abuses OpenXML format to download file from external location

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

outlook_win_path

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of SetWindowsHookEx

Launches Equation Editor

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy WMI provider

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-21 07:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-21 07:16

Reported

2024-08-21 07:18

Platform

win7-20240708-en

Max time kernel

120s

Max time network

134s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1108 set thread context of 1984 N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe C:\Users\Admin\AppData\Roaming\erdalpha03977.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 1108 (4 events) N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\erdalpha03977.exe
PID 2700 wrote to memory of 2352 (4 events) N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1108 wrote to memory of 528 (4 events) N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 1984 (9 events) N/A C:\Users\Admin\AppData\Roaming\erdalpha03977.exe C:\Users\Admin\AppData\Roaming\erdalpha03977.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\erdalpha03977.exe N/A
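The "Abuses OpenXML format to download file from external location" signature listed above fires because a .docx is a zip package whose parts are wired together by .rels files, and a relationship with TargetMode="External" of a type such as attachedTemplate or oleObject is resolved by Word at open time without user interaction. The following scanner is an added example written for this report, not sandbox output or the sample's own code; it builds a constructed .docx in memory with an external attachedTemplate relationship (the URL is a placeholder, not the host the sample used) and lists every external relationship it finds, marking the ones Office would fetch on its own. The set of auto-fetched relationship types is an assumption and is not exhaustive.

```python
"""Find OOXML relationships that point outside the document package.

Added example for this report, not part of the sandbox output. The sample
.docx built here is constructed; the URL is a placeholder, not the host
contacted by the real sample.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Office follows without a click. Hyperlinks are external by
# design and are reported as informational only. (Assumption: not exhaustive.)
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def external_relationships(docx_bytes):
    """Return every TargetMode="External" relationship found in any .rels part."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        # A legacy .doc (OLE2/CFB) or RTF is not a zip; this scanner only covers OOXML.
        raise ValueError("not an OOXML (zip) package")
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                })
    return findings


def build_sample_docx(template_url):
    """Constructed minimal .docx whose settings part carries an external template."""
    def rels(entries):
        body = "".join(
            '<Relationship Id="%s" Type="%s%s" Target="%s"%s/>'
            % (rid, OFFICE_REL, rtype, target, ' TargetMode="External"' if ext else "")
            for rid, rtype, target, ext in entries
        )
        return ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body))

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The content parts are placeholders; only the .rels parts matter to the scanner.
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels",
                    rels([("rId1", "settings", "settings.xml", False),
                          ("rId2", "hyperlink", "https://example.invalid/", True)]))
        zf.writestr("word/_rels/settings.xml.rels",
                    rels([("rId1", "attachedTemplate", template_url, True)]))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/remote-template.doc")
    for f in external_relationships(sample):
        print("[%s] %s: %s -> %s" % ("AUTO-FETCH" if f["auto_fetch"] else "info",
                                     f["part"], f["type"], f["target"]))
```

Run it on a real file with external_relationships(open(path, "rb").read()). An attachedTemplate or oleObject relationship whose Target is an http(s) URL is the pattern to treat as malicious on an inbound document. The second-stage file this sample pulled down (cached as lOpkseAloegPhxxAcv[1].doc) may not be an OOXML package at all; if it is a legacy OLE2 document or RTF the scanner raises ValueError and an OLE/RTF parser is needed instead.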

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\erdalpha03977.exe

"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"

C:\Users\Admin\AppData\Roaming\erdalpha03977.exe

"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
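The process list above, read together with the WriteProcessMemory and SetThreadContext tables, is the chain a detection engineer needs to encode: Equation Editor (a COM server launched with -Embedding) produces an executable under %AppData%, that executable runs PowerShell to add a Windows Defender exclusion for itself, and then starts a second copy of itself and rewrites that copy's thread context. The triage below is an added example written for this report, not sandbox output or vendor code. PROCESSES and THREAD_CONTEXT are constructed from the report's own PIDs, image paths and command lines; the parent links follow the "PID X wrote to memory of Y" rows, WINWORD.EXE and EQNEDT32.EXE have no recorded parent here, and the field names are an assumption rather than a Sysmon schema. One caveat the command line shows: the 32-bit dropper asked for System32\...\powershell.exe and the WOW64 file-system redirector resolved it to SysWOW64, so the rule matches on the cmdlet rather than on the image path.

```python
"""Triage rules over the process chain recorded in behavioral1.

Added example, not part of the sandbox output. PROCESSES and THREAD_CONTEXT are
constructed from the report's Processes, WriteProcessMemory and SetThreadContext
tables; the field names are an assumption, not a Sysmon schema.
"""
import re

PROCESSES = [
    {"pid": 2700, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx"'},
    {"pid": 2176, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 1108, "ppid": 2176,
     "image": r"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"'},
    {"pid": 2352, "ppid": 2700,
     "image": r"C:\Windows\splwow64.exe", "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 528, "ppid": 1108,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"'},
    {"pid": 1984, "ppid": 1108,
     "image": r"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"'},
]
# (source pid, target pid) pairs from the "Suspicious use of SetThreadContext" table.
THREAD_CONTEXT = [(1108, 1984)]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
# Match on the cmdlet, not the image path: the 32-bit dropper asked for
# System32\...\powershell.exe and WOW64 redirection resolved it to SysWOW64.
DEFENDER_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"?([^"\s]+)', re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """'child <- parent <- grandparent' for the recorded part of the chain."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


def triage(processes, thread_context):
    by_pid = {p["pid"]: p for p in processes}
    ctx_targets = {tgt: src for src, tgt in thread_context}
    findings = []

    def add(sev, p, detail):
        findings.append({"severity": sev, "pid": p["pid"], "detail": detail,
                         "chain": ancestry(p["pid"], by_pid)})

    for p in processes:
        parent = by_pid.get(p["ppid"])
        # 1. Equation Editor is an OLE server that has no reason to create processes;
        #    a child under a user-writable directory is a dropped payload.
        if parent and image_name(parent["image"]) == "eqnedt32.exe":
            sev = "high" if USER_WRITABLE.search(p["image"]) else "medium"
            add(sev, p, "child process of EQNEDT32.EXE")
        # 2. Defender exclusion added from the command line (defense evasion).
        m = DEFENDER_EXCLUSION.search(p["cmdline"])
        if m:
            add("high", p, "Defender exclusion: -Exclusion%s %s" % (m.group(1), m.group(2)))
        # 3. A process starts a second copy of its own image and then sets that
        #    copy's thread context: the injection recorded in the tables above.
        if (parent and parent["image"].lower() == p["image"].lower()
                and ctx_targets.get(p["pid"]) == parent["pid"]):
            add("high", p, "thread context set by parent copy of the same image (injection)")
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES, THREAD_CONTEXT):
        print("%-6s pid %-5d %s  [%s]" % (f["severity"], f["pid"], f["detail"], f["chain"]))
```

Rule 2 is the one worth deploying on its own: Add-MpPreference with an -Exclusion* argument from any process other than an administrator's interactive shell is rare in a managed fleet, and the captured argument (here the dropper's own path) tells the responder what to collect.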

Network

Country Destination Domain Proto
US 154.216.18.222:80 154.216.18.222 tcp
US 154.216.18.222:80 154.216.18.222 tcp
US 154.216.18.222:80 154.216.18.222 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
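A sandbox network table mixes the stage server, the stealer's external-IP and geolocation lookups, the exfiltration channel and the sandbox's own resolver in one list, and the behavioral2 table further down adds Office telemetry and reverse-DNS noise. The parser below is an added example written for this report, not sandbox output; NETWORK_BEHAVIORAL1 is the table above verbatim and NETWORK_BEHAVIORAL2 is the first rows of the behavioral2 table. The classification lists are the author's assumptions (well-known external-IP lookup services, Telegram's Bot API host, and the Office/Bing hosts Word contacts on its own) and would be tuned per environment.

```python
"""Extract actionable indicators from a sandbox network table.

Added example, not part of the sandbox output. The two tables are copied from
this report; the classification lists are assumptions.
"""
import ipaddress
from collections import OrderedDict

NETWORK_BEHAVIORAL1 = """\
US 154.216.18.222:80 154.216.18.222 tcp
US 154.216.18.222:80 154.216.18.222 tcp
US 154.216.18.222:80 154.216.18.222 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
"""

NETWORK_BEHAVIORAL2 = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 154.216.18.222:80 154.216.18.222 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
"""

# Assumed lists; extend per environment.
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org", "ip-api.com"}
EXFIL_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
OFFICE_NOISE_SUFFIXES = (".officeapps.live.com", ".cdn.office.net", ".bing.com",
                         ".bing.net", ".in-addr.arpa")


def parse_table(text):
    """Rows of 'Country Destination Domain Proto'; Destination is ip:port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify_name(name):
    n = name.lower()
    if n.endswith(OFFICE_NOISE_SUFFIXES):
        return "office-noise"
    if n in IP_LOOKUP_SERVICES:
        return "recon-external-ip"
    if n in EXFIL_API_HOSTS:
        return "exfil-channel"
    try:
        ipaddress.ip_address(n)
        return "direct-ip"          # no hostname at all: typical of a hard-coded stage host
    except ValueError:
        return "unclassified"


def extract_iocs(text):
    """{indicator: category}, deduplicated; DNS rows contribute the queried name only."""
    iocs = OrderedDict()
    for row in parse_table(text):
        cat = classify_name(row["domain"])
        if cat == "office-noise":
            continue
        if row["proto"] == "udp" and row["port"] == 53:
            iocs.setdefault(row["domain"], cat)   # 8.8.8.8 is the sandbox resolver, not an IOC
            continue
        if cat == "direct-ip" and row["port"] == 80:
            cat = "direct-ip-http"
        iocs.setdefault("%s:%d" % (row["ip"], row["port"]), cat)
        if row["domain"] != row["ip"]:
            iocs.setdefault(row["domain"], cat)
    return iocs


def shared_indicators(*tables):
    """Indicators present in every detonation: the stable ones to pivot on."""
    return sorted(set.intersection(*[set(extract_iocs(t)) for t in tables]))


if __name__ == "__main__":
    for name, table in (("behavioral1", NETWORK_BEHAVIORAL1), ("behavioral2", NETWORK_BEHAVIORAL2)):
        print(name)
        for indicator, cat in extract_iocs(table).items():
            print("  %-22s %s" % (indicator, cat))
    print("shared:", shared_indicators(NETWORK_BEHAVIORAL1, NETWORK_BEHAVIORAL2))
```

The categories matter more than the raw addresses: 172.67.177.134 and 149.154.167.220 belong to Cloudflare and Telegram respectively and are shared infrastructure, so they are poor block-list entries, whereas "a non-browser process under %AppData% resolving api.telegram.org" is a durable detection. 154.216.18.222:80 is the one indicator common to both detonations and is the host that served the remote document.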

Files

memory/2700-0-0x000000002F111000-0x000000002F112000-memory.dmp

memory/2700-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2700-2-0x0000000070B4D000-0x0000000070B58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{174B072D-4820-4BB7-8F3C-A87E90898366}

MD5 1efc6f87b9d9905a7473cf88a5fa8b78
SHA1 22b3a7bfa6a21edeec1d09d3f612890c9b4c8b6a
SHA256 ac45f6eb2f26592f06156611612283910a5112e329f5b927a02545dd6d33e82b
SHA512 1485cb5d606d2be5332689dc7958f610b96dde1cb74561e01d2fe15ef8ccb30dbcedb66e9602777ced0a98c3a471a5cec4fa1029baf89cfc0acceea0f15406bf

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1801A583-5FA4-43A0-9846-ED567702CEF2}.FSD

MD5 1fcf6ba39d294835197b61f89985cc19
SHA1 8bab32a1f09d4cacddf858bc5e935a76db5773e1
SHA256 5461b8f01c5d92d7fb36300dfe2e34de89f43f935649b08b168de874a502fcbd
SHA512 f305f3c4032d206ff4c7a5a546e03edf1a7659b6462cd5ae71d02f117f943d3c4e34a6e022bbe04e6925229dd11ef7181f4c89bfdbb46e8a4d9f905ad45d18ac

C:\Users\Admin\AppData\Local\Temp\{64F46B03-0918-41C3-B96A-B9048789725F}

MD5 6e8804585732974ade9bf90548f5bcec
SHA1 ccaa7a6d00b2b1c8ae90ec14c7e5cf2b4c74149e
SHA256 78e957f012dd9e284cd40e0cdeeb6057b3303500a6ba0ae333e6754b02d7bbcd
SHA512 743b8c906371927b0f0a991ed91c098fcbe66c60a7fe139f622e17f95f9b6098dbdc37fab2e80b5ed85e38a5beec2b577364271ab1a8ea991ed3aad93ab36696

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 db1a4477e0b4f604320eca76485dd8a4
SHA1 2099758d2ca0ca60b98d473ac8484d9b65cc83fd
SHA256 79270048b8d5e61b20a5f55f49aa5662ba98f25fbad25259c01d7bfb7437468e
SHA512 ef6d6e14ae50327875c177830616cb1bc4aa83e6fb8ff6dedc1bbbe5ba7d7fc58de9c75f13f845cb44a53e5cf271b6c846e0db51346c9e892bdde46d0054043a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FE33FBD-CE63-4C22-998F-B1175D2E54D0}.FSD

MD5 e2fa37573389e12121abf95dcf30e0dc
SHA1 a00dd848288776e6afa8280cbdbf6b26948013b4
SHA256 a568bfa45a225fa4c1a706390bbd076ddbbb94fcc5bdb5a7a1d10515ba43ba7b
SHA512 ff124271f67ccd683d618dbea70b8895f798a69838bf792bed34f8a13670b4e84771ddc93ca5ea4e400aa4d8eb0aef23152a9de72677bc027c260bb3a0a716fa

memory/2700-61-0x0000000070B4D000-0x0000000070B58000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\lOpkseAloegPhxxAcv[1].doc

MD5 77d04e68c46c843c399d83b858b9b46a
SHA1 8f4f41f26cd7bd6b60045cc878c83d132f79193a
SHA256 d718eb322dc9348cb1813a920ca739a5c4bd6b44ac32c0c085bd92148bf94161
SHA512 22986daa2bd352305885276d9c000caf89c171a6187caadb1d29bbbf1e89916e4a6a199aa6500890befaa9dfc92a14d87976b470b41ec49f5f050b40f9b8b81d

\Users\Admin\AppData\Roaming\erdalpha03977.exe

MD5 8457be7f4b6910dc68805dacb8009200
SHA1 a25c63862fe75623c6e69659ee7ae803ec8659b9
SHA256 496ba3f23ddaf5c1514228f1ca90b1de4392a159eaac3ecbd5fbe3fbb28f819f
SHA512 6ec632c69a19e1d36371aff5664f3c7c266bfab2fa2b321c3db2bb2e47c42fc9f0c60ebb71b7d3087d54b270368efee0a869888a325aa3d3c8af482f16b482b0

memory/1108-95-0x0000000001330000-0x00000000013E6000-memory.dmp

memory/1108-97-0x0000000000350000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1108-104-0x0000000000360000-0x0000000000370000-memory.dmp

memory/1108-105-0x0000000001280000-0x000000000130C000-memory.dmp

memory/1984-118-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1984-117-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1984-115-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1984-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1984-112-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1984-110-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1984-108-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1984-106-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 1b78260741a4818a9970e77e2187f33f
SHA1 5f6771cdfb33a9860e3032bb8038415c75600711
SHA256 99e6b00b7416bb9e83f48f19b9fed2ee1d46a8f3d538eb953cd900809549bf5f
SHA512 7ee24529e6b84473c929bf902f0e8cacb54f0c80bc55aa4125827351e8c0b90d7319b16c5351c26ffdec46fa8ebe49e27762f8a910187cba5c30b6c23f7412b4

memory/2700-144-0x0000000070B4D000-0x0000000070B58000-memory.dmp

memory/2700-143-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-21 07:16

Reported

2024-08-21 07:18

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx" /o ""

Only WINWORD.EXE ran in this detonation. The remote document was fetched from 154.216.18.222 (see Network, and the cached lOpkseAloegPhxxAcv[1].doc under Files), but no EQNEDT32.EXE, dropped executable, PowerShell or credential-theft activity followed, so the Task Scheduler and Volume Shadow Copy signatures above can only belong to Word itself and the keylogger stage was not observed on this platform.

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 154.216.18.222:80 154.216.18.222 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 222.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 154.216.18.222:80 154.216.18.222 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.202:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp (13 connections)
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 202.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/3076-0-0x00007FFE6824D000-0x00007FFE6824E000-memory.dmp

memory/3076-1-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-3-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-2-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-5-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-6-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-7-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-4-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-10-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-9-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-8-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-12-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-13-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-14-0x00007FFE25F70000-0x00007FFE25F80000-memory.dmp

memory/3076-11-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-15-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-16-0x00007FFE25F70000-0x00007FFE25F80000-memory.dmp

memory/3076-27-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp

memory/3076-28-0x00007FFE6824D000-0x00007FFE6824E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\lOpkseAloegPhxxAcv[1].doc

MD5 77d04e68c46c843c399d83b858b9b46a
SHA1 8f4f41f26cd7bd6b60045cc878c83d132f79193a
SHA256 d718eb322dc9348cb1813a920ca739a5c4bd6b44ac32c0c085bd92148bf94161
SHA512 22986daa2bd352305885276d9c000caf89c171a6187caadb1d29bbbf1e89916e4a6a199aa6500890befaa9dfc92a14d87976b470b41ec49f5f050b40f9b8b81d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 62c9af5ac082b66a7d18ceba044930a8
SHA1 b9ee17f314b7144fba48b6cfcac16a771f27a46b
SHA256 bdad9f7c432ea6aaf68639a0b4f995347fe196d436e20a1db8bfee55002a7250
SHA512 0d500fa8459655ba751b02c91a980ab49369a0e1a821ed8440474218f4d5364030582e2c8af9a964d37ea661d49b253d50394425ec7861ac58b8743cbfe2a7b8

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 381b42c3b396bdde45d078d2165feca5
SHA1 8b9b4bf3eff6122ef0b6b32634281116bea7618a
SHA256 956d7b291050a6a71b48ad9f9691aeed6d91fb95047c30562b109e04fa2b143e
SHA512 e87d336961967f278485508ec8286d757b588089331231bb439453236e0a73d1827de594983d452cb9133469f408133ae421875dbb5a604aea8a75f2537b403b

C:\Users\Admin\AppData\Local\Temp\TCDFCA3.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3076-229-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-228-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-231-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-230-0x00007FFE28230000-0x00007FFE28240000-memory.dmp

memory/3076-232-0x00007FFE681B0000-0x00007FFE683A5000-memory.dmp