Malware Analysis Report

2024-11-15 07:58

Sample ID 241023-l44lrswcjq
Target RFQ PO 2.docx
SHA256 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3
Tags: vipkeylogger collection discovery execution keylogger spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3

Threat Level: Known bad

The file RFQ PO 2.docx was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Abuses OpenXML format to download file from external location

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Launches Equation Editor

outlook_office_path

outlook_win_path

Uses Volume Shadow Copy WMI provider

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-23 10:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-23 10:06
Reported: 2024-10-23 10:08
Platform: win10v2004-20241007-en
Max time kernel: 138s
Max time network: 126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ PO 2.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Uses Task Scheduler COM API
Tags: persistence

Uses Volume Shadow Copy WMI provider
Tags: ransomware

Uses Volume Shadow Copy service COM API
Tags: ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ PO 2.docx" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.84.120.87.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
GB | 2.18.27.146:443 | metadata.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
GB | 2.18.190.133:443 | binaries.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | 146.27.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/3684-2-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/3684-3-0x00007FFDDD3CD000-0x00007FFDDD3CE000-memory.dmp

memory/3684-1-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/3684-0-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/3684-7-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-6-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-8-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/3684-4-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-9-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-11-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-14-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-16-0x00007FFD9B0E0000-0x00007FFD9B0F0000-memory.dmp

memory/3684-15-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-13-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-17-0x00007FFD9B0E0000-0x00007FFD9B0F0000-memory.dmp

memory/3684-18-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-12-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-10-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-5-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\mnobizxv[1].doc

MD5 c00a17e56e7eeaf2d72456692c36eec7
SHA1 72fbbce62454aaa611317d1c23a1980712d44613
SHA256 ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04
SHA512 ba0273b1afeb40e3c877fadc20e3ab3960e4db79272b042e500bc896d3986f607de401a2c300f97c42442e2ce4a03c241913a62439e96ff73b9795ad6527db97

memory/3684-68-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-69-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-71-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-75-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-79-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-78-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-77-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-76-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-74-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-73-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-72-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-70-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-67-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-66-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/3684-65-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCD80D8.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-23 10:06
Reported: 2024-10-23 10:08
Platform: win7-20241010-en
Max time kernel: 121s
Max time network: 133s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ PO 2.docx"

Signatures

VIPKeylogger
Tags: stealer keylogger vipkeylogger

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A

Reads user/profile data of local email clients
Tags: spyware stealer

Reads user/profile data of web browsers
Tags: spyware stealer

Accesses Microsoft Outlook profiles

Tags: collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2204 set thread context of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Browser Information Discovery
Tags: discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1444 wrote to memory of 2204 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 1444 wrote to memory of 2204 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 1444 wrote to memory of 2204 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 1444 wrote to memory of 2204 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 2204 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
PID 1680 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\obiddjtrh.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ PO 2.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
DE | 87.120.84.38:80 | 87.120.84.38 | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/1680-0-0x000000002FC51000-0x000000002FC52000-memory.dmp

memory/1680-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1680-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{F6A2EF43-2F89-4CCF-B774-03630D310ED7}

MD5 695acb97252394349c7b336a95692351
SHA1 56d1dad9d474902d19fdcc8e51e554016d12d6fe
SHA256 699afb0617d3d5c1bb8ecd6dad0299a3b834285d2097127af30874eaee719518
SHA512 381766c3dff8c394ff3c4d36f783dabc6c975719057682415aeca99b340553cd808b55fd31fbb2e61ace39cf2d2cf6129660cc5dc55fabcf989065e6fd2ed56c

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1247DD2D-3272-4038-A20F-8AE4FFDA0787}.FSD

MD5 9ced85241b91d1da1a17c5facd482e05
SHA1 d7a87004beb0710bbe4456046442e40e81dd88a9
SHA256 14b06e4e76d50e478b67f0696914f3f76c25db13d34ac7bc3cafb59ddc4c044a
SHA512 7020a9cc0269900ad22e02797df8f2f071850b9e8776695c83d3880351b1f8b107dc851a10d4bb4eb26ab949d8d4f6588a33476cfffa4a801cf32adaee7d7e0b

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 bf3f1023b2631463966f355b60846c49
SHA1 cea9b7988b4e2459bfbc4fe3b18fb7a22f325477
SHA256 88efbd7fb48c3e0f6581ef9e78d09650db5315747ec0e3ceee9ea1d5aa717e2b
SHA512 0e01d31b8d3640c790376ce2f43da4d4a8df29b1731c479f8ec1b60e35b3e6946039fb9365398c689c81648d06d2c67e035a63041963d1ebcf01095ed8742bf4

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FC6607DB-CD33-4982-B836-620E593AC738}.FSD

MD5 de7cbb3dbb3f3b74235e6c3e9a2f5c18
SHA1 9bf4d8215af862e12249fe79138ebe0bed2293da
SHA256 52b64b1b1d8034ff878310a482bc79c5d40c22b25e56ac9ecf851464db37926b
SHA512 1d1efcdeb5dd3576172c6bfeb6460c44fcd88af31201fffec69a668358684cc221ac9950261a019af82d11754feacddb393baea3194ab7663585c5a0b916ff43

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\mnobizxv[1].doc

MD5 c00a17e56e7eeaf2d72456692c36eec7
SHA1 72fbbce62454aaa611317d1c23a1980712d44613
SHA256 ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04
SHA512 ba0273b1afeb40e3c877fadc20e3ab3960e4db79272b042e500bc896d3986f607de401a2c300f97c42442e2ce4a03c241913a62439e96ff73b9795ad6527db97

C:\Users\Admin\AppData\Roaming\obiddjtrh.exe

MD5 7578316e563e8a4a2983ae041a5fff39
SHA1 fa5a6777784f272b191803d03a49dfe40354bcf2
SHA256 2b845ff4c5ee973861ccb905e73fed0bbd46ce5e311fc8910d188ec839226f58
SHA512 225fa056dff9c59915fbfe593d3d336c133eeab6be80f48de976f8d14cd773bde21716f489b45c007310da6eb61c9bd6681a7ec0a80559b246af07a1346dc9ba

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 080d84d06e96e51fd365b7fb6cdd073e
SHA1 2b07b84b522b8b52b5419ffbe36601b678e5109c
SHA256 da15367cb302dfa30fb3bd6081060479e86515f2c0e48a0b44098ce7d63beb6b
SHA512 77e8bbefc9f8553bf1b1797af60856f32ab499c7e2417a87de5304f987890aab095e306cdd0dfc4a091f78b7a7a76751f3a40e3507c24318561d2e42c6cc89f2

memory/2204-97-0x0000000000050000-0x0000000000112000-memory.dmp

memory/2204-98-0x0000000000810000-0x000000000082E000-memory.dmp

memory/1680-100-0x0000000070B3D000-0x0000000070B48000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2204-107-0x0000000005EA0000-0x0000000005F2C000-memory.dmp

memory/2428-121-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2428-120-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2428-118-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2428-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2428-115-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2428-113-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2428-111-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2428-109-0x0000000000400000-0x0000000000448000-memory.dmp