Malware Analysis Report

2024-11-15 07:58

Sample ID 241023-1eyfsasfjj
Target 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0
SHA256 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0

Threat Level: Known bad

The file 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0 was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Reads user/profile data of local email clients

Executes dropped EXE

Abuses OpenXML format to download file from external location

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Launches Equation Editor

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-23 21:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-23 21:34

Reported

2024-10-23 21:35

Platform

win7-20241010-en

Max time kernel

50s

Max time network

42s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2988 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2932 wrote to memory of 2988 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | 4
PID 2880 wrote to memory of 2104 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe | 4
PID 2988 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 2988 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | 9

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe

"C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"

C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe

"C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"

Network

Country | Destination | Domain | Proto
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/2880-0-0x000000002F651000-0x000000002F652000-memory.dmp

memory/2880-2-0x00000000719AD000-0x00000000719B8000-memory.dmp

memory/2880-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{C60B06B9-DE51-43A2-AB0B-EEBC9C0A3BA5}

MD5 4ebff2972194b0f7198b78d5ae2597e5
SHA1 d85e66d64e61ef94c2d74c7b66dd5209bdb26974
SHA256 af260349702d69342539cd03e7b2b62eaef425617b153219b74166f943d281cf
SHA512 1b6ad5bb806c29dd7cbcfdb1d86ec53381d34e88f66574fc23140223bd22981156019f001b9d8fa0c938da28e3ed974c86ed528299fde611a77fbdc40597b776

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{27D1AF12-6AD0-41ED-AB56-4C22D121852F}.FSD

MD5 7ef73de08d75472aa988265c03d24f93
SHA1 0c196fc6d09a9b199b62bc429bb5a8ce4f757827
SHA256 00e88614c564f784f6aae23a13ab90bc885761d90de9a65c5d2bd00752c06852
SHA512 b3a14868be7add1c4124b2754bfc7e53f4c711b0a97494963cf725fd077337bfeeb4dc0e58472bffd1373113e1d6ed0fcb98635ed0a5cf30d4803dfffb1e608d

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 9ec0e715e27e24bf660e23efee455a80
SHA1 97b3ea920cf7677fb641581086f082024b9302ec
SHA256 a281317f668827fcaac0c02f7c6edeadb2ba2fd8d7f38964e5bc01b893852293
SHA512 2f19de772b46ff22b563b793ff2807d2112e12201268ef69e52f24c7a1e34e6c3b2c6934e89d4d399cb2e883fdcc53dad05a94b2a4846bc8385c5f20389572e5

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7E33D178-75DD-4EE2-A135-EBE5AF2FF3BE}.FSD

MD5 bf7e49a90dd58a2699513485f60e6f6f
SHA1 541878439629682abd60ec33f87e7f21f49803c4
SHA256 f72307759d4d2ba041348407d096977bbf98459f5e7ff6924e154497f0caf9b0
SHA512 bbad74da2052818078c0046c59dc05b9925c48966a49f0e2e9a16021683aef9c0425d2f5ed10f35879b1fa4ad59ffb7c32bae34038254377b25387a67143e264

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\ixsT7yV1KrQcQ4E[1].doc

MD5 740b51e1a54c208e5c9c83fc3317fc0e
SHA1 e69ad6fc49440e561a14d119937d49e19b23a778
SHA256 a3e7d516e9bc973851dd727a31c525d8e946df586e528db14cbeee40cfc075d4
SHA512 b8811fec258e9fe20d8dd176364eb787358660a7f04f241635877d7f5354510fa78d13ac69144a3a9f62f631ed4aaf8f1245c6a576677fc884271f88205a77e8

C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe

MD5 ad8d15f3e02c29fa78cddad65dd3d3aa
SHA1 edfaeb194c0bf6e09dcc0cc873b96ffb97fd53e9
SHA256 6f26196bd7540338c9287b7a920abe2531a59f1007701604e585759afa3f551a
SHA512 e8d523ee65071fcfc32d51e380fa6a7929683383a0579f551e8facb0f2e5f4a8bd7e1643be94d75016a8f690613c55cb716131ce43173e0a9ed594d90ff692e5

memory/2988-97-0x0000000000FE0000-0x00000000010CE000-memory.dmp

memory/2880-98-0x00000000719AD000-0x00000000719B8000-memory.dmp

memory/2988-100-0x0000000000520000-0x000000000053C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2988-107-0x0000000004CF0000-0x0000000004D7C000-memory.dmp

memory/2124-108-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2124-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2124-120-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2124-119-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2124-114-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2124-112-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2124-110-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2124-117-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-23 21:34

Reported

2024-10-24 07:47

Platform

win10v2004-20241007-en

Max time kernel

0s

Max time network

37s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx" /o ""

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx" /o ""

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1
DE | 87.120.84.38:80 | 87.120.84.38 | tcp | 1
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp | 1
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp | 1
DE | 87.120.84.38:80 | 87.120.84.38 | tcp | 1
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 8.8.8.8:53 | 38.84.120.87.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp | 1
US | 150.171.27.10:443 | g.bing.com | tcp | 1
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp | 1
GB | 2.18.27.146:443 | metadata.templates.cdn.office.net | tcp | 1
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp | 1
GB | 2.18.190.140:443 | binaries.templates.cdn.office.net | tcp | 38

Files

memory/4604-0-0x00007FFB43F2D000-0x00007FFB43F2E000-memory.dmp

memory/4604-1-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/4604-9-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-14-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-18-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-19-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-21-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-20-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-17-0x00007FFB01C50000-0x00007FFB01C60000-memory.dmp

memory/4604-16-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-22-0x00007FFB01C50000-0x00007FFB01C60000-memory.dmp

memory/4604-15-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-13-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-12-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-11-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-10-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-8-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-7-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-6-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/4604-5-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-4-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/4604-2-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/4604-3-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\ixsT7yV1KrQcQ4E[1].doc

MD5 740b51e1a54c208e5c9c83fc3317fc0e
SHA1 e69ad6fc49440e561a14d119937d49e19b23a778
SHA256 a3e7d516e9bc973851dd727a31c525d8e946df586e528db14cbeee40cfc075d4
SHA512 b8811fec258e9fe20d8dd176364eb787358660a7f04f241635877d7f5354510fa78d13ac69144a3a9f62f631ed4aaf8f1245c6a576677fc884271f88205a77e8

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b94b03f50f79e8b035c973b51fcc70ba
SHA1 48c6c83aea54d27fc3f3ded527622e07692bba45
SHA256 fb19d7ccb511c899aefaff97d556082204a0da4d7da521caf94a7acc9eabf20e
SHA512 901e9dedd23533897c1dc8fab61d968d3000055757edd54f4a8223f9ed5b665c38d45a41e9f0ff8f9845a3dd012d515f45a103f0a93c55cefbc26f0721d24f7d

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/4604-83-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-82-0x00007FFB43F2D000-0x00007FFB43F2E000-memory.dmp

memory/4604-85-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-87-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-86-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-84-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-89-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/4604-88-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d