Malware Analysis Report

2025-05-28 17:40

Sample ID 250127-p6bwbayrez
Target PurchaseOrder.xls
SHA256 685a8fcb7894acbd04b96b69651870187dd9539a959a5b363522ce74b9ff741e
Tags: macro macro_on_action lokibot discovery spyware stealer trojan collection
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

685a8fcb7894acbd04b96b69651870187dd9539a959a5b363522ce74b9ff741e

Threat Level: Known bad

The file PurchaseOrder.xls was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action lokibot discovery spyware stealer trojan collection

Lokibot family

Lokibot

Downloads MZ/PE file

Office macro that triggers on suspicious action

Suspicious Office macro

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-27 12:56

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-27 12:56
Reported: 2025-01-27 12:58
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 146s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
PID 636 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
PID 636 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2936 in the WriteProcessMemory signature above)

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe (three instances: PIDs 636, 2204 and 2540 in the WriteProcessMemory signature above, with PID 636 writing into the memory of the other two)

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"

Network

Country Destination Domain Proto
LV 46.183.222.162:80 46.183.222.162 tcp

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe

MD5 8896e46cdf15e1dae71e64d61464b8d2
SHA1 f64c70192d830dce8daca2531662521bc7439af0
SHA256 6ecc82c2ba384129c19d83312baa7ccff19011a013b16f2459b29865484bfcab
SHA512 41716d412655fb55188e5ddb1a3e5517a2205c7bff49a3b98fc277b1a56a763a9009779787e8f0ba7c3265e4b05cf48c101b1ae0523f99e9296c9616bdf11b96

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-27 12:56
Reported: 2025-01-27 12:58
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls"

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 512 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
PID 512 wrote to memory of 468 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe
PID 512 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 5092 in the WriteProcessMemory signature above)

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder.xls"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe (three instances: PIDs 512, 468 and 2104 in the WriteProcessMemory signature above, with PID 512 writing into the memory of the other two)

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
LV 46.183.222.162:80 46.183.222.162 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 162.222.183.46.in-addr.arpa udp
NL 85.31.47.84:5336 85.31.47.84 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 84.47.31.85.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RKORZNMUP.exe

MD5 8896e46cdf15e1dae71e64d61464b8d2
SHA1 f64c70192d830dce8daca2531662521bc7439af0
SHA256 6ecc82c2ba384129c19d83312baa7ccff19011a013b16f2459b29865484bfcab
SHA512 41716d412655fb55188e5ddb1a3e5517a2205c7bff49a3b98fc277b1a56a763a9009779787e8f0ba7c3265e4b05cf48c101b1ae0523f99e9296c9616bdf11b96

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61