Forensic

Thursday 1 June 2023, 17:05  #1
Forensic - Malicious Word macro
MikeHorn
  • 7 posts

Hello,

I found the Word file in the dump: V***_****.***m.
Then I analyzed it. I used tools like oletools and manually looked in the vbaProject.bin.
I only found one URL, which is the proxy I guess: http://***.***.*.**:****/B*****.***x
Nothing linked with the domain for the validation password.
Am I missing something? Any hints?
Thanks.

Sunday 10 September 2023, 11:26  #2
Forensic - Malicious Word macro
MikeHorn
  • 7 posts

I tried a new approach.
I dumped the infected process and checked the Iexplorer history.
I found several domains like microsoft, linkedin and facebook.
The most frequent occurrences are msn and akamaized: often linked together.
But that does not seem to be the valid flag.
Thank you for your help.