Malware Analysis Report

2025-05-05 21:47

Sample ID 240829-l175saxfqk
Target Autofill Manufacturing Sdn Bhd 28-08-2024.exe
SHA256 8fcc14a7d1f657fd1cf84282ad1d81404e7ccc253e9ad8f36ccd9118a674d6cc
Tags vipkeylogger collection credential_access discovery execution keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8fcc14a7d1f657fd1cf84282ad1d81404e7ccc253e9ad8f36ccd9118a674d6cc

Threat Level: Known bad

The file Autofill Manufacturing Sdn Bhd 28-08-2024.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access discovery execution keylogger spyware stealer

VIPKeylogger

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-29 10:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-29 10:01
Reported 2024-08-29 10:03
Platform win7-20240704-en
Max time kernel 117s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2520 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2520 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 2520 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GhrKoSGuCdvpJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp"

C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/2520-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/2520-1-0x0000000000C00000-0x0000000000CC6000-memory.dmp

memory/2520-2-0x0000000074D90000-0x000000007547E000-memory.dmp

memory/2520-3-0x0000000004E30000-0x0000000004EEA000-memory.dmp

memory/2520-4-0x0000000000590000-0x00000000005A8000-memory.dmp

memory/2520-5-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/2520-6-0x0000000074D90000-0x000000007547E000-memory.dmp

memory/2520-7-0x00000000050F0000-0x000000000517A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UOJVQV06B1W4BWK0GSGN.temp

MD5 6c3d8a2c1e35052b2281fe96db99edb3
SHA1 a9fca35258ac71292e8ae6c920594e0da2d7b87c
SHA256 b4c4c8beb4f613f5a2c7dbfe00321fcbe0bd050da6aca48824f1b748949268c0
SHA512 8f51c71415b75a8daa6b2152b74243e4a9d3897db24b555e543e0d945249b5276c14de2f0ee42c72ed2bfae69ff671e1236fbaaf10cfaf891d847e438c8c8add

C:\Users\Admin\AppData\Local\Temp\tmpFE2D.tmp

MD5 18ccc89de76da9ed6bf7550a67272600
SHA1 9eeadc813df27e8fb660b69ba6b7cd644d2727c8
SHA256 3cce9857d9afecfad9ec1386fa05366c80a10d31ae5c95955930f8ff93fd5bfa
SHA512 c9ce7c11a47527c97f73cc7a206e4a76f2d8781853829d08b9c09977b3243df16e543df4a82b0ab5acd7ba550b7771f831efff0ffe312faa506551a9c0cf64cb

memory/2968-22-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2520-32-0x0000000074D90000-0x000000007547E000-memory.dmp

memory/2968-31-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2968-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2968-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2968-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2968-26-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2968-24-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2968-20-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-29 10:01
Reported 2024-08-29 10:03
Platform win10v2004-20240802-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3240 set thread context of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3240 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3240 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3240 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
PID 3240 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GhrKoSGuCdvpJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FF9.tmp"

C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
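The process listings of behavioral1 and behavioral2 show the same three-stage pattern. The sample spawns two PowerShell instances that add Windows Defender exclusions (Add-MpPreference -ExclusionPath) for its own path and for a copy under %APPDATA%\Roaming, registers a scheduled task under the Updates\ folder from an XML definition staged in %TEMP%, and finally starts a second copy of itself into which it writes memory and sets the thread context (the SetThreadContext and WriteProcessMemory rows), which is the process-hollowing pattern. Note also that each child's command line names System32 while its image resolves under SysWOW64: the sample is a 32-bit process, so WOW64 file-system redirection rewrites the path, and a detection keyed on the System32 path alone misses these. The Python below is an added example, not part of the sandbox output, that triages a process list of this shape into ATT&CK-tagged findings. The event records are transcribed from behavioral2, the parent PIDs are inferred from the "wrote to memory of" rows, and the regexes, helper names and the Proc/Finding types are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str                  # image path as the sandbox resolved it
    cmdline: str                # command line as logged
    parent: Optional[int] = None


@dataclass
class Finding:
    pid: int
    technique: str              # MITRE ATT&CK technique ID
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\GhrKoSGuCdvpJ.exe"
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_SYS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp9FF9.tmp"

# Constructed from the behavioral2 Processes list above. Parent PIDs are taken from the
# "PID 3240 wrote to memory of ..." rows, which is where this sandbox records CreateProcess.
PROCS = [
    Proc(3240, SAMPLE, f'"{SAMPLE}"'),
    Proc(4548, PS_WOW64, f'"{PS_SYS32}" Add-MpPreference -ExclusionPath "{SAMPLE}"', 3240),
    Proc(3176, PS_WOW64, f'"{PS_SYS32}" Add-MpPreference -ExclusionPath "{ROAMING_COPY}"', 3240),
    Proc(3812, r"C:\Windows\SysWOW64\schtasks.exe",
         f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\GhrKoSGuCdvpJ" /XML "{TASK_XML}"', 3240),
    Proc(3064, SAMPLE, f'"{SAMPLE}"', 3240),
]
SET_THREAD_CONTEXT = [(3240, 3064)]                       # (source pid, target pid)
WRITE_PROCESS_MEMORY = [(3240, 4548), (3240, 3176), (3240, 3812), (3240, 3064)]

_ARG = r'(?:"([^"]+)"|(\S+))'                             # one quoted or bare argument
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+" + _ARG, re.I)
SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TN_RE = re.compile(r"/TN\s+" + _ARG, re.I)
XML_RE = re.compile(r"/XML\s+" + _ARG, re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _arg(m):
    """Return whichever alternative of _ARG matched (the last group that participated)."""
    return m.group(m.lastindex) if m else None


def triage(procs, stc_pairs, wpm_pairs):
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        image = p.image.lower()
        base = image.rsplit("\\", 1)[-1]
        if base in ("powershell.exe", "pwsh.exe"):
            note = ""
            if "\\syswow64\\" in image and "\\system32\\" in p.cmdline.lower():
                note = " (32-bit parent: image under SysWOW64, System32 path in command line)"
            findings.append(Finding(p.pid, "T1059.001", f"PowerShell started by pid {p.parent}{note}"))
        m = EXCLUSION_RE.search(p.cmdline)
        if m:
            findings.append(Finding(p.pid, "T1562.001",
                                    f"Defender Exclusion{m.group(1)} added for {_arg(m)}"))
        if SCHTASKS_CREATE_RE.search(p.cmdline):
            name = _arg(TN_RE.search(p.cmdline)) or "?"
            xml = _arg(XML_RE.search(p.cmdline))
            detail = f"task {name} created"
            if xml:
                detail += f" from {xml}"
                if TEMP_RE.search(xml):
                    detail += " (definition staged in %TEMP%)"
            findings.append(Finding(p.pid, "T1053.005", detail))
    # Hollowing heuristic: the source both wrote into the target and replaced its thread
    # context, and the target is a fresh instance of the source's own image.
    wpm = set(wpm_pairs)
    for src, dst in stc_pairs:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and (src, dst) in wpm and s.image.lower() == d.image.lower():
            findings.append(Finding(src, "T1055.012",
                                    f"wrote to and set thread context of pid {dst}, a copy of its own image"))
    return findings


def techniques(findings):
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    for f in triage(PROCS, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{f.technique}  pid {f.pid}: {f.detail}")
```

The same four findings fall out of the behavioral1 run (PIDs 2520, 1236, 2492, 2792, 2968 and tmpFE2D.tmp). The Defender exclusion is the one worth alerting on first: it precedes the persistence copy, so on a live host the task under Updates\ and the file under %APPDATA%\Roaming should be assumed present even if the sandbox run ended before the copy was written.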

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 188.114.96.0:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
N/A | 13.89.179.11:443 | N/A | tcp
SE | 192.229.221.95:80 | N/A | tcp
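Most rows in the behavioral2 table are background traffic from the Windows 10 image (Bing tile fetches and PTR lookups for addresses the OS contacted) rather than sample activity. The rows that matter, and the only ones also present in the behavioral1 run, are the external-IP lookups (checkip.dyndns.org, reallyfreegeoip.org) and the connection to api.telegram.org, which together with the stealer/keylogger tags is consistent with exfiltration over the Telegram Bot API. Two caveats before turning these into indicators: api.telegram.org and 149.154.167.220 are Telegram's own infrastructure, so the useful hunt pivot is a non-browser process contacting that host rather than an IP block; and the addresses behind the lookup services differ between the two runs (193.122.6.168 vs 193.122.130.0, 104.21.67.152 vs 188.114.96.0), so they should not be treated as stable indicators. The Python below is an added example, not part of the report. The rows are transcribed from the table above (duplicates and most PTR rows dropped), and the resolver list, noise suffixes and service lists are analyst-curated assumptions, not something the report states.

```python
from collections import defaultdict

# Constructed sample input: rows transcribed from the behavioral2 Network table above.
NETWORK_TABLE = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 188.114.96.0:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 13.89.179.11:443 tcp
SE 192.229.221.95:80 tcp
"""

# Analyst-curated lists; assumptions for this example, not facts stated by the report.
RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net", ".microsoft.com",
                  ".windowsupdate.com", ".msftconnecttest.com")
IP_LOOKUP_SERVICES = {"checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org",
                      "ip-api.com", "icanhazip.com"}
EXFIL_SERVICES = {"api.telegram.org"}


def parse_rows(text):
    """Parse the sandbox's space-separated rows; a three-field row has no resolved domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(rows):
    """Bucket rows into noise / ip_lookup / exfil / unresolved / review."""
    buckets = defaultdict(set)
    for r in rows:
        domain = r["domain"]
        if r["ip"] in RESOLVERS and r["port"] == 53:
            if domain is None:
                continue                # resolver query with no name recorded: nothing to pivot on
            key = domain                # for DNS rows only the queried name matters
        else:
            key = f'{domain or "?"} {r["ip"]}:{r["port"]}/{r["proto"]}'
        if domain is None:
            buckets["unresolved"].add(key)
        elif domain.endswith(NOISE_SUFFIXES):
            buckets["noise"].add(key)
        elif domain in IP_LOOKUP_SERVICES:
            buckets["ip_lookup"].add(key)
        elif domain in EXFIL_SERVICES:
            buckets["exfil"].add(key)
        else:
            buckets["review"].add(key)  # anything unknown gets a human look
    return {name: sorted(keys) for name, keys in buckets.items()}


def hunt_domains(classified):
    """Names worth searching for in DNS and proxy logs: the lookups plus the exfil channel."""
    keys = classified.get("ip_lookup", []) + classified.get("exfil", [])
    return sorted({k.split()[0] for k in keys})


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_TABLE))
    for bucket, keys in result.items():
        print(bucket)
        for k in keys:
            print("   ", k)
    print("hunt:", hunt_domains(result))
```

The two unresolved destinations (13.89.179.11:443 and 192.229.221.95:80) land in their own bucket because the table gives no name for them; in a Windows 10 sandbox such bare connections are usually OS telemetry or CDN fetches, but the example deliberately does not guess and leaves them for review.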

Files

memory/3240-0-0x000000007506E000-0x000000007506F000-memory.dmp

memory/3240-1-0x00000000002C0000-0x0000000000386000-memory.dmp

memory/3240-2-0x00000000053A0000-0x0000000005944000-memory.dmp

memory/3240-3-0x0000000004D40000-0x0000000004DD2000-memory.dmp

memory/3240-4-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

memory/3240-5-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3240-6-0x00000000063C0000-0x000000000647A000-memory.dmp

memory/3240-7-0x0000000004FD0000-0x0000000004FE8000-memory.dmp

memory/3240-8-0x000000007506E000-0x000000007506F000-memory.dmp

memory/3240-9-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3240-10-0x0000000005F80000-0x000000000600A000-memory.dmp

memory/3240-11-0x00000000087E0000-0x000000000887C000-memory.dmp

memory/4548-16-0x0000000004440000-0x0000000004476000-memory.dmp

memory/4548-18-0x0000000004AE0000-0x0000000005108000-memory.dmp

memory/4548-17-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4548-19-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3176-20-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4548-21-0x0000000005280000-0x00000000052A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9FF9.tmp

MD5 789ed597d7cae7eff222b1792419a29a
SHA1 f466fffa561189b3cc0a6abf72d7cc572b311cf5
SHA256 c5bb853e3f2b602692c0a3d3169ce410ab66114d0ddf2c71f570927f5a2c6189
SHA512 205a343088b2821dc04f8ecf0307134d6a79a713d25382a8ddff25e987409c9400a4b3dfdff2a6506c15cfadf22127aefb7dac67cc1fe2d8b5cae6f82e979932

memory/4548-25-0x0000000075060000-0x0000000075810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbutnhsi.wuz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3176-36-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4548-35-0x0000000005400000-0x0000000005754000-memory.dmp

memory/4548-23-0x0000000005390000-0x00000000053F6000-memory.dmp

memory/3064-46-0x0000000000400000-0x0000000000448000-memory.dmp

memory/4548-22-0x0000000005320000-0x0000000005386000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Autofill Manufacturing Sdn Bhd 28-08-2024.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/4548-49-0x0000000005A10000-0x0000000005A2E000-memory.dmp

memory/3240-50-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4548-51-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

memory/3176-53-0x0000000075910000-0x000000007595C000-memory.dmp

memory/4548-64-0x0000000075910000-0x000000007595C000-memory.dmp

memory/3176-63-0x0000000006C90000-0x0000000006CAE000-memory.dmp

memory/4548-74-0x0000000006A10000-0x0000000006AB3000-memory.dmp

memory/3176-52-0x0000000006A50000-0x0000000006A82000-memory.dmp

memory/3176-76-0x0000000006E00000-0x0000000006E1A000-memory.dmp

memory/4548-75-0x0000000007390000-0x0000000007A0A000-memory.dmp

memory/3176-77-0x0000000006E70000-0x0000000006E7A000-memory.dmp

memory/3176-78-0x0000000007080000-0x0000000007116000-memory.dmp

memory/3176-79-0x0000000007000000-0x0000000007011000-memory.dmp

memory/4548-80-0x0000000006F70000-0x0000000006F7E000-memory.dmp

memory/4548-81-0x0000000006F80000-0x0000000006F94000-memory.dmp

memory/4548-82-0x0000000007080000-0x000000000709A000-memory.dmp

memory/4548-83-0x0000000007060000-0x0000000007068000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42a76eb9b878639f3d656cc17acdfe34
SHA1 db860bd144d2addc4d71f10665191de3f6353edc
SHA256 62294744fa530db04326fe37725058059aa8278bfab86896e81f534a14980f83
SHA512 62c252ef0569cd5f5adfbfac980c87b85fe87715a10b632d5198f945a9fec5e34f5a45150cd5e9da003b91469f663a7c252b82e889e082a1699701c77ce1f21d

memory/4548-90-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3176-89-0x0000000075060000-0x0000000075810000-memory.dmp

memory/3064-91-0x0000000006950000-0x0000000006B12000-memory.dmp

memory/3064-92-0x00000000067D0000-0x0000000006820000-memory.dmp