Malware Analysis Report

2025-01-22 16:06

Sample ID 241105-qtel4ssaja
Target 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm
SHA256 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a
Tags
discovery macro xlm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a

Threat Level: Known bad

The file 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm was found to be: Known bad.

Malicious Activity Summary

discovery macro xlm

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 13:32

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 13:32

Reported

2024-11-05 13:35

Platform

win10ltsc2021-20241023-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx

Network


Files

C:\Users\Admin\adx.ocx

MD5 8f7afabccec4bec42d5bf041dc45f7e5
SHA1 614359b31a2cdf02be8a12b0254f91171c32ba54
SHA256 ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933
SHA512 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-05 13:32

Reported

2024-11-05 13:35

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RO 46.102.146.33:80 academiasuccesului.ro tcp
BG 185.176.43.80:80 melekler.atspace.cc tcp
ZA 41.203.18.35:80 acerestoration.co.za tcp

Files

C:\Users\Admin\adx.ocx

MD5 8f7afabccec4bec42d5bf041dc45f7e5
SHA1 614359b31a2cdf02be8a12b0254f91171c32ba54
SHA256 ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933
SHA512 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 5e6cc251915df5d75c2ee0ac022dbeff
SHA1 95104648c14fa7e8a68b054daf8d69d5260b268d
SHA256 7e8cfc1a39ca8bfb427f020cf34173e612cb566f741f527d58ff9536d3bd20be
SHA512 75cae064b52434e3b0a09cf59f2fc02f3e4318a47b00f862c496bb4f6860dc4c60819c24c8df7ba4ae1d279d38c88f887653b3143d7d0d545c7dbfd4391890ef

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-05 13:32

Reported

2024-11-05 13:35

Platform

win7-20240903-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 blog.centerking.top udp
US 8.8.8.8:53 lucrecomconforto.com.br udp
US 8.8.8.8:53 academiasuccesului.ro udp
RO 46.102.146.33:80 academiasuccesului.ro tcp
US 8.8.8.8:53 melekler.atspace.cc udp
BG 185.176.43.80:80 melekler.atspace.cc tcp
US 8.8.8.8:53 acerestoration.co.za udp
ZA 41.203.18.35:80 acerestoration.co.za tcp

Files

C:\Users\Admin\adx.ocx

MD5 8f7afabccec4bec42d5bf041dc45f7e5
SHA1 614359b31a2cdf02be8a12b0254f91171c32ba54
SHA256 ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933
SHA512 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 13:32

Reported

2024-11-05 13:35

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx

Network


Files

C:\Users\Admin\adx.ocx

MD5 8f7afabccec4bec42d5bf041dc45f7e5
SHA1 614359b31a2cdf02be8a12b0254f91171c32ba54
SHA256 ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933
SHA512 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 50ffb48ec86454dfda6a9bf0c548f870
SHA1 fdb780e3b784a129e0d582f5d661705b0da10743
SHA256 203e4302fa06cf7d14243ca3c321d40b0675b1637b608ef099e2e3f457e3c72a
SHA512 e0a83ff0382cd15e72c2dbfd80c061124a8e7c48348710c6c06174d9b5338fd2174e8976af8c4cf5f65ecd15fef5f5de3c1db74e0b69c3a50b49b34f1506f24f