Malware Analysis Report

2024-11-13 15:33

Sample ID 241003-pxb5qa1fmb
Target RICHIESTA_OFFERTA_RDO2400423.docx.doc
SHA256 b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
Tags
vipkeylogger discovery keylogger stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file RICHIESTA_OFFERTA_RDO2400423.docx.doc was found to be: Known bad.

Malicious Activity Summary

VIPKeylogger

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Abuses OpenXML format to download file from external location

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Launches Equation Editor

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 12:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 12:42

Reported

2024-10-03 12:44

Platform

win7-20240903-en

Max time kernel

132s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 2944 N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\resources\0409\reproductivity.ini C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 2244 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
PID 1732 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2244 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

Network

Country Destination Domain Proto
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 drive.google.com udp
GB 216.58.212.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Temp\{762A6861-D414-4972-A866-A17566436854}

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{82BC30BC-A30C-424B-8293-BD79A8A205FF}.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7FBA0768-3630-4732-9275-29EA2DB2D6B3}.FSD

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\tmtzxc[1].doc

\Users\Admin\AppData\Roaming\tmtcy20306.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

\Users\Admin\AppData\Local\Temp\nsyB82B.tmp\System.dll

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 12:42

Reported

2024-10-03 12:44

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 22.20.216.154.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.39:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 39.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 169.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\tmtzxc[1].doc

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\Admin\AppData\Local\Temp\TCDBDF.tmp\iso690.xsl