Malware Analysis Report

2024-11-15 07:58

Sample ID 241023-12cgtsterm
Target 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3
SHA256 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3

Threat Level: Known bad

The file 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3 was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Abuses OpenXML format to download file from external location

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

outlook_win_path

Uses Task Scheduler COM API

Launches Equation Editor

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory
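The first link in this chain is the "Abuses OpenXML format to download file from external location" signature: the .docx itself carries no macro, it carries a relationship in word/_rels/settings.xml.rels that points Word at an external attached template, which is why a second document (mnobizxv[1].doc in the Files section) appears in the browser cache before any payload runs. The following check is an added example, not part of the sandbox report or any vendor tooling: it opens a .docx as the ZIP it is, walks every .rels part, and returns each relationship whose TargetMode is External. The sample document is built in memory here, and the template URL it points at is a placeholder; the report only shows the server 87.120.84.38 and the fetched file name, not the full URL.

```python
"""Static check for the remote-template relationship a .docx can carry.

Added example, not part of the sandbox report.  The sample .docx is
constructed in memory; template-host.invalid is a placeholder URL.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, short relationship type, target) for every
    relationship with TargetMode="External", in any .rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, short_type, rel.get("Target", "")))
    return hits


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when word/settings.xml is wired to an external attachedTemplate,
    the relationship that makes Word fetch a second document on open."""
    return any(part == "word/_rels/settings.xml.rels" and rtype == "attachedTemplate"
               for part, rtype, _ in external_relationships(docx_bytes))


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx.  With template_url set it has the same
    relationship shape as a remote-template lure; with None it is clean."""
    rels = ""
    settings_body = ""
    if template_url:
        rels = ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                % (ATTACHED_TEMPLATE, template_url))
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '</Types>',
        "_rels/.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId1" '
            'Type="%s/officeDocument" Target="word/document.xml"/></Relationships>'
            % (REL_NS, R_NS),
        "word/document.xml":
            '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS,
        "word/settings.xml":
            '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>'
            % (W_NS, R_NS, settings_body),
        "word/_rels/settings.xml.rels":
            '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://template-host.invalid/mnobizxv.doc")
    for part, rtype, target in external_relationships(lure):
        print(part, rtype, target)
    print("remote template:", has_remote_template(lure))
```

Run the same function over every .rels part rather than only settings.xml.rels: external targets also appear legitimately as hyperlinks in document.xml.rels, so the output is a triage list, and the attachedTemplate type on the settings part is the one that should fail a mail gateway outright.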

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-23 22:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-23 22:08

Reported

2024-10-23 22:10

Platform

win7-20241010-en

Max time kernel

58s

Max time network

41s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2424 set thread context of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2424 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 3060 wrote to memory of 2424 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 3060 wrote to memory of 2424 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 3060 wrote to memory of 2424 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2424 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\obiddjtrh.exe C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2772 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2772 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2772 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2772 wrote to memory of 2124 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\obiddjtrh.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288
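The process list and the WriteProcessMemory table together give the parent/child chain: EQNEDT32.EXE (PID 3060) writes into obiddjtrh.exe (2424), which in turn writes into powershell.exe (2148) and into a second copy of itself (1648) that is then the target of SetThreadContext. Two details matter for detection. First, the PowerShell command line names C:\Windows\System32\... while the image path is C:\Windows\SysWOW64\...: obiddjtrh.exe is a 32-bit process, so WOW64 file system redirection rewrites the path, and a rule keyed on the System32 string alone misses it. Second, behavioral2 (Windows 10, Office 16) fetched the remote document but shows no EQNEDT32.EXE process and no payload, so the chain depends on Equation Editor being present. The checks below are an added example, not part of the report; the event records are constructed from the tables above with an assumed (pid, ppid, image, cmdline) schema, and the parent PIDs of WINWORD.EXE and EQNEDT32.EXE are placeholders because the report does not show them.

```python
"""Process-tree checks for the execution chain in behavioral1.

Added example, not part of the sandbox report.  EVENTS is constructed from
the report's Processes and WriteProcessMemory tables; the field names and
the parent PIDs 900 and 700 are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the sandbox reports it
    cmdline: str


WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SPLWOW64 = r"C:\Windows\splwow64.exe"

EVENTS = [
    ProcEvent(2772, 900, WORD, '"' + WORD + r'" /n "C:\Users\Admin\AppData\Local\Temp\sample.docx"'),
    ProcEvent(3060, 700, EQNEDT, '"' + EQNEDT + '" -Embedding'),
    ProcEvent(2424, 3060, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(2148, 2424, PS_WOW64,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"'),
    ProcEvent(1648, 2424, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(2124, 2772, SPLWOW64, SPLWOW64 + " 12288"),
]

# An executable sitting directly in %AppData%\Roaming, drive and user agnostic.
USER_EXE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$")
# Defender exclusion via cmdlet; matched on the command line, not the image
# path, so System32 and the WOW64-redirected SysWOW64 copy are both caught.
DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusionpath", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for every event that trips a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        in_user_dir = bool(USER_EXE.match(e.image))
        # Equation Editor has no business creating processes.
        if parent and basename(parent.image) == "eqnedt32.exe":
            findings.append(("eqnedt32_child", e.pid))
        if basename(e.image) == "powershell.exe" and DEFENDER_EXCL.search(e.cmdline):
            findings.append(("defender_exclusion", e.pid))
        if in_user_dir:
            findings.append(("exe_in_appdata_roaming", e.pid))
        # A dropped binary launching a copy of itself is the usual prelude to
        # SetThreadContext/WriteProcessMemory into that child.
        if parent and in_user_dir and parent.image.lower() == e.image.lower():
            findings.append(("self_spawn", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:25} pid={pid}")
```

splwow64.exe under WINWORD.EXE is the print spooler thunk and trips nothing, which is the point of keying the rules on the Equation Editor parent, the cmdlet, and the drop location rather than on WriteProcessMemory alone.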

Network

Country Destination Domain Proto
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
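The egress in this table falls into three groups: cleartext HTTP to a bare IP (87.120.84.38:80, consistent with the remote document fetch and the "Downloads MZ/PE file" signature), two public "what is my IP" services that stealers use to tag the victim record ("Looks up external IP address via web service"), and api.telegram.org over TLS, which is a legitimate host but is reached here from a dropped executable rather than a messaging client. The triage below is an added example, not part of the report; NETWORK_ROWS is copied from the table above, and the tag names are this example's own.

```python
"""Egress triage over the behavioral1 Network table.

Added example, not part of the sandbox report.  NETWORK_ROWS is copied
from the report; the tag vocabulary is this example's own.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

NETWORK_ROWS = """\
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
"""

# Public IP-lookup services seen in this report.
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org"}
# Legitimate API hosts that double as exfil channels; a hit only matters
# when the caller is not the expected client, which is a per-process check.
ABUSED_API_HOSTS = {"api.telegram.org"}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_egress(rows: str) -> Dict[str, Set[str]]:
    """Tag each destination name from the report's network table."""
    tags: Dict[str, Set[str]] = defaultdict(set)
    for line in rows.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _country, dest, domain, proto = fields
        _ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            continue  # resolver traffic; the resolved name recurs on the TCP row
        if is_ip_literal(domain) and port == "80":
            tags[domain].add("cleartext_http_to_bare_ip")
        if domain in IP_LOOKUP_SERVICES:
            tags[domain].add("external_ip_lookup")
        if domain in ABUSED_API_HOSTS:
            tags[domain].add("api_host_exfil_candidate")
    return dict(tags)


def block_list(tags: Dict[str, Set[str]]) -> List[str]:
    """Destinations safe to block outright at the perimeter.  The shared API
    host is excluded: it has to be handled per-process, not per-domain."""
    return sorted(d for d, t in tags.items() if "api_host_exfil_candidate" not in t)


if __name__ == "__main__":
    tagged = triage_egress(NETWORK_ROWS)
    for domain, t in tagged.items():
        print(f"{domain:25} {', '.join(sorted(t))}")
    print("block:", block_list(tagged))
```

The behavioral2 table, by contrast, shows only the 87.120.84.38:80 fetch plus Office CDN traffic and reverse lookups; none of the second- or third-stage destinations appear, which matches the absence of a payload process on that platform.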

Files

memory/2772-0-0x000000002FE71000-0x000000002FE72000-memory.dmp

memory/2772-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2772-2-0x00000000719CD000-0x00000000719D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{1E7A0E84-33BD-4B02-83F8-192E8B45EAA3}

MD5 471764df93ff7257c47c794c067e75c4
SHA1 9092ad8f5a2f3a05dd0be245d868b37bdd2da922
SHA256 217f10971b581c1726af6f7369abfe2b1a0be1ddc6f920e108834157f90e59df
SHA512 e98e4778424b6f4cfe274529908a3abb014b2d87f33e2c87c158dd531b5e907e882e4a24bee5b5b32bdb5fb95720dc4a630d2618f1cbf214c9e5d4ad2e262ec4

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1FE467FB-A141-4D39-A5DB-49CF09953C91}.FSD

MD5 5791285cd18d9e442f201b98ecb461e0
SHA1 fffe7b3475b9411384272ab38da20adf2e31b222
SHA256 897010b9b6574b79b3f2e556f10a46b2afe9d155c30f798a346efd34c315dbb7
SHA512 dc778dbdc2ae53b79d79fc131e735a4e9530680efbe764abc8179913a9e20f9a080f8891c4d2f5482753894111112a5cee8968fcfbb03437f7d5c843d060723b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1FE467FB-A141-4D39-A5DB-49CF09953C91}.FSD

MD5 51920b4880837021bc3121636f3ec2ac
SHA1 a2ac5c986a51c3022fa6111ae0c118856ea87c4a
SHA256 191bd1eba9f4a1a0ba514cba57cf7e12b7ea8ce9b43e8be97a2b8ac899bbfec0
SHA512 05aaf38a1b548c5bf2069b8275d38f5ea47c2fce52e273dcb5521537486962813a26393e9677aaef4be2417637a70b309f9fafdcadfabde4ecfb8392bb65d221

C:\Users\Admin\AppData\Local\Temp\{976B6BC7-1CF8-49FB-8420-BCA2F17A08ED}

MD5 210ecf6225273b2a042b089ab8d87eae
SHA1 41f847b5cd033781aeda52a28a3ad3abdb8fc6a8
SHA256 eabe0cafadbb7c555b9eeb30a0a6ea5e8589210c25513f1525506deaa3e37a73
SHA512 31c57607064f7071a799d8fa990927aa9f9732810612a3013076661da53c0f520e0c08f1c00a366d5e4a0db651998fd2013aabd3d12d7d9028865807a3450211

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BF7512C9-92C2-4519-887A-7C2C28ABB8D8}.FSD

MD5 1634efc39f6c78623672c7e38caf96d7
SHA1 3e11d0bc044659cad5ab8761f60742f360c93725
SHA256 b2def1ff464aa3740e1a0d473128788156b34796ee4af851a36533a15cbc016a
SHA512 7e341a53ed6d587657a4409fc52ae0ce11175568e6627a7504859a9609a1c2fb8523457403d715295bb2480d8b83ba015335821fef0bfe0cb84a81a765c8d2b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\mnobizxv[1].doc

MD5 c00a17e56e7eeaf2d72456692c36eec7
SHA1 72fbbce62454aaa611317d1c23a1980712d44613
SHA256 ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04
SHA512 ba0273b1afeb40e3c877fadc20e3ab3960e4db79272b042e500bc896d3986f607de401a2c300f97c42442e2ce4a03c241913a62439e96ff73b9795ad6527db97

\Users\Admin\AppData\Roaming\obiddjtrh.exe

MD5 7578316e563e8a4a2983ae041a5fff39
SHA1 fa5a6777784f272b191803d03a49dfe40354bcf2
SHA256 2b845ff4c5ee973861ccb905e73fed0bbd46ce5e311fc8910d188ec839226f58
SHA512 225fa056dff9c59915fbfe593d3d336c133eeab6be80f48de976f8d14cd773bde21716f489b45c007310da6eb61c9bd6681a7ec0a80559b246af07a1346dc9ba

memory/2772-97-0x00000000719CD000-0x00000000719D8000-memory.dmp

memory/2424-98-0x00000000002D0000-0x0000000000392000-memory.dmp

memory/2424-99-0x00000000003F0000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2424-107-0x0000000005F00000-0x0000000005F8C000-memory.dmp

memory/1648-110-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1648-120-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1648-119-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1648-117-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1648-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1648-114-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1648-112-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1648-108-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-23 22:08

Reported

2024-10-24 08:04

Platform

win10v2004-20241007-en

Max time kernel

3s

Max time network

35s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.84.120.87.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.27.153:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 153.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

memory/4136-1-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

memory/4136-3-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

memory/4136-4-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

memory/4136-2-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

memory/4136-7-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-9-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-11-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-12-0x00007FFEC5710000-0x00007FFEC5720000-memory.dmp

memory/4136-10-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-13-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-8-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-16-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-18-0x00007FFEC5710000-0x00007FFEC5720000-memory.dmp

memory/4136-21-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-20-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-19-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-15-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-14-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-17-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-5-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

memory/4136-6-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-0-0x00007FFF07FAD000-0x00007FFF07FAE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\mnobizxv[1].doc

MD5 c00a17e56e7eeaf2d72456692c36eec7
SHA1 72fbbce62454aaa611317d1c23a1980712d44613
SHA256 ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04
SHA512 ba0273b1afeb40e3c877fadc20e3ab3960e4db79272b042e500bc896d3986f607de401a2c300f97c42442e2ce4a03c241913a62439e96ff73b9795ad6527db97

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 d403210f97b96dbb11154f497d2b33d2
SHA1 26311bac4d14e9dd13b199497dceb294cde9746b
SHA256 911557e80f3c04b0a9888033bbb790c327f9465eb6b0cffd43cb49614e6c0190
SHA512 63168adfeeb3b22347e355c8f44cfc382f45c36c0a2c7c80d3daddeb6821bf8fc7be45733eaaafca8c55408f13f90677ec02d8cd0151400357a4a8ae4fe330c8

memory/4136-66-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-67-0x00007FFF07FAD000-0x00007FFF07FAE000-memory.dmp

memory/4136-69-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-68-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-75-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-74-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-73-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-72-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-71-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-70-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

memory/4136-76-0x00007FFF07F10000-0x00007FFF08105000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 be8ad73208910bd9f6c8737ad12ece32
SHA1 1567f777e635ba5594ba0f54824a9261076986e2
SHA256 d45c5fc464139df6f3fceb5fb2cb1a2976ea6e3d32efc316872db47b95ed4c70
SHA512 deed6a3a51fe2280318eea5f060596eac746c51466eeb378df088fb3665a0159a7a14a1bd3b7adfe6b7dead06c5c534f261d3165997bf64498f5ec19fa246064

C:\Users\Admin\AppData\Local\Temp\TCD38C2.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84