Malware Analysis Report

2024-12-07 14:12

Sample ID: 241114-xtsbjasbpn
Target: Bank Swift Copy.docx
SHA256: 27a37162f8f0baf5fe161825f8108f1f3e20bada83c2be08fe9919c60e4727b8
Tags: vipkeylogger collection discovery execution keylogger spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file Bank Swift Copy.docx was found to be: Known bad.

Malicious Activity Summary

Vipkeylogger family

VIPKeylogger

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Abuses OpenXML format to download file from external location

Executes dropped EXE

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Office loads VBA resources, possible macro or embedded object present

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

Uses Volume Shadow Copy WMI provider

Launches Equation Editor

Uses Task Scheduler COM API

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-11-14 19:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-14 19:09
Reported: 2024-11-14 19:11
Platform: win7-20240903-en
Max time kernel: 131s
Max time network: 126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Swift Copy.docx"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2960 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1044 wrote to memory of 2960 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 1044 wrote to memory of 2960 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 1044 wrote to memory of 2960 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 1044 wrote to memory of 2960 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2300 wrote to memory of 1668 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2300 wrote to memory of 1668 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2300 wrote to memory of 1668 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2300 wrote to memory of 1668 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2960 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
PID 2960 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Swift Copy.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe

"C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe"

C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe

"C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe"

Network

Country | Destination | Domain | Proto
DE | 87.120.84.39:80 | 87.120.84.39 | tcp
DE | 87.120.84.39:80 | 87.120.84.39 | tcp
DE | 87.120.84.39:80 | 87.120.84.39 | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/2300-0-0x000000002F121000-0x000000002F122000-memory.dmp

memory/2300-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2300-2-0x00000000715DD000-0x00000000715E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{7707201D-9AE5-44E0-983E-8936FD11A26B}

MD5 60e9869e7f4aae14e14f3f2a31bcd235
SHA1 76411eecc53de656f5cb745ed06bb460df1005ac
SHA256 6ed108b686176f739681fe81a82f0a6a7645ded805b312cbc2ae242102dd3711
SHA512 b2b1fc43f012c677055b712b5f1fa330cd9eb40c6c42f3307bd117e94f1f408e53175f336954773dc44912e56f733d14ee50236f0363991c951e48a71ec0be8a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1AA8CAA7-A5C1-4586-8C98-7D83CBE4BECF}.FSD

MD5 3118613e067dce24e4419e9a2d0751ad
SHA1 60ba86f9eebf8775fa1a7d6ef939fb02e4396805
SHA256 ff7cb0a13d15b533d5cfc4144ada1326e02cce9d42df82388dc0439e432fc1a8
SHA512 33fa660555275f9fb4cb5a3069b376e8d8c492e45e747752f4fdf78c66ec51806e29831e6e5b07510e089df823dc1de3960a85a7d72d4c0418c99e885776e969

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 219708439b7443bd56d775d3c81d0c04
SHA1 3c7588c435f31d4c9531af8713868b43feb5d161
SHA256 4723a73651ac22e6e73d890eb9a07302139716a89cbfed7df2b4925b8ea90452
SHA512 fc89080405a86517bf6761c7c35a857727895395a5a7d47d5c2b4ec82a9800787e6a82e05f9f713cec18231486f4ad5cd218b803f12d17615c2ed0efc421df06

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FFE8154-F967-4E24-9842-676AD0BF4B94}.FSD

MD5 3922f15dfdb111daadac884dfdfcbe72
SHA1 c0fb9d22863b1bf13ecc378f4e6e930024998016
SHA256 b97bd17da16501a3bb88fe4c370e1e93c64386750e16b31f1bebd5fb4e58c3de
SHA512 8de8fafa4cf0088b747c4cbe69e3b9e5a5ed0d48e9bb6212e0f63a092361deeb1ddf23ad75b273df4c90a29b69cc85fa3ca224d91b44ba00fa6c59aac26ed2b7

memory/2300-61-0x00000000715DD000-0x00000000715E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\xXdquUOrM1vD3An[1].doc

MD5 2087de574fefae441db7ced132da6407
SHA1 6d8b4083d71075be31068808232805ea486f77d8
SHA256 dc8ae41681fdf19abcf62b27b3d8359c32ba6f20bee1e24b7ce9b37d4faebe8b
SHA512 02ead1047af13379ee161c25e1db2c83033daf752629159b9c5836ed0c1d5f6436da73299d920cc10cefe6d4edd3272266d9b4f2088225bc434a53c20ba43ce9

\Users\Admin\AppData\Roaming\obigfdsdfgh.exe

MD5 4f80565082ea4d95d933decf9cd50c61
SHA1 2830f9d5f41bbecd2ae105ed0b9a8d49327c8594
SHA256 d854f347061d9d7b8a9788ab8633c3f07619e29bd440924507a0147484c217c3
SHA512 9dcdae5c7a5b4181ade738884e208508bf317742ca2be0726716aa71236670a50dae2bec947b3fcc12cfc85c756810f18a9f403de4eb428b4a73a4759037f227

memory/2960-98-0x0000000001010000-0x00000000010DA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2960-106-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2960-108-0x0000000005E90000-0x0000000005F1E000-memory.dmp

memory/2492-111-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2492-109-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2492-122-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2492-120-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2492-118-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2492-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2492-115-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2492-113-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-14 19:09
Reported: 2024-11-14 19:11
Platform: win10v2004-20241007-en
Max time kernel: 146s
Max time network: 134s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Swift Copy.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Swift Copy.docx" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
DE | 87.120.84.39:80 | 87.120.84.39 | tcp
DE | 87.120.84.39:80 | 87.120.84.39 | tcp
US | 8.8.8.8:53 | 88.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.84.120.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\xXdquUOrM1vD3An[1].doc

MD5 2087de574fefae441db7ced132da6407
SHA1 6d8b4083d71075be31068808232805ea486f77d8
SHA256 dc8ae41681fdf19abcf62b27b3d8359c32ba6f20bee1e24b7ce9b37d4faebe8b
SHA512 02ead1047af13379ee161c25e1db2c83033daf752629159b9c5836ed0c1d5f6436da73299d920cc10cefe6d4edd3272266d9b4f2088225bc434a53c20ba43ce9

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 5617b91c16ea99a0f3041eff7cbecf35
SHA1 bbf184de7592e808a38354e44de620cfb59d098c
SHA256 bc125e2e9ce2977b0182287efe15d8d2a4845b78d99bd93363e9c2fd26e987f2
SHA512 033fe7d64e797037eb02024de68d34125c7ebba95faa61ee6920be5acbc86837467897603fc7884089fb514503fec78987453a5b58196b5504d5e3089cb16758