Malware Analysis Report

2024-11-30 14:46

Sample ID: 240926-mx8gtatajl
Target: 220d7eb3a1f0ef44cc9e4927d9169f44da933eef5931449666cf68d8193b16f8
SHA256: 220d7eb3a1f0ef44cc9e4927d9169f44da933eef5931449666cf68d8193b16f8
Tags: vipkeylogger collection discovery execution keylogger stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 220d7eb3a1f0ef44cc9e4927d9169f44da933eef5931449666cf68d8193b16f8
Threat Level: Known bad

Malicious Activity Summary

Tags: vipkeylogger collection discovery execution keylogger stealer

Signatures matched across the two behavioral detonations (per-detonation details below):

VIPKeylogger

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

MITRE ATT&CK

Enterprise Matrix V15 techniques corresponding to the signatures above:

T1059.001 Command and Scripting Interpreter: PowerShell
T1053.005 Scheduled Task/Job: Scheduled Task
T1614.001 System Location Discovery: System Language Discovery
T1217 Browser Information Discovery

Two behaviours visible in the detonation data are not tagged as separate signatures in this report: the Add-MpPreference -ExclusionPath command lines in the process lists are Impair Defenses: Disable or Modify Tools (T1562.001), and the WriteProcessMemory/SetThreadContext sequence from payment Slip.exe into RegSvcs.exe is Process Injection (T1055).

Analysis: static1

Detonation Overview

Reported: 2024-09-26 10:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-26 10:51
Reported: 2024-09-26 10:54
Platform: win10v2004-20240802-en
Max time kernel: 129s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A

Geo\Nation holds the user's country (GeoID). Only the query is recorded here; the value returned and whatever the sample does with it are not in this report.

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

The key 9375CFF0413111d3B88A00104B2A6676 under each profile path is where Outlook stores account settings, including saved mail-server credentials; the three paths cover Office 2016 and later (16.0), Office 2013 (15.0) and the legacy Windows Messaging Subsystem location. The reading process is RegSvcs.exe rather than the dropper, so the credential collection is performed by the injected payload.

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4112 set thread context of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Together with the eight WriteProcessMemory calls into the same PID listed below, this is the sequence of process hollowing: the dropper starts RegSvcs.exe, writes the payload into it and redirects its main thread to the new entry point.

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A

This key is opened by the stock Windows processes (powershell.exe, schtasks.exe) as well as by the sample, so the signature is low-signal here and should not be read as sample-specific language checking.

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4112 wrote to memory of 2060 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 4048 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 4688 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4112 wrote to memory of 4556 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

The uniform three writes into each of the powershell.exe and schtasks.exe children are consistent with ordinary process creation, which writes startup data into the new process, and are not by themselves evidence of injection. RegSvcs.exe receives more writes and is also the SetThreadContext target above, which is the process-hollowing pattern. The same structure repeats with different PIDs in behavioral1.

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
  "C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tovfeTCmVIfVuf.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tovfeTCmVIfVuf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF59B.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Notes. The sample is a 32-bit process, so the System32 paths it puts on the command lines are redirected by WOW64 to the SysWOW64 images recorded as the process path. The two Add-MpPreference calls add Microsoft Defender exclusions for the running sample and for a copy at C:\Users\Admin\AppData\Roaming\tovfeTCmVIfVuf.exe; the scheduled task Updates\tovfeTCmVIfVuf is created from the XML file tmpF59B.tmp (hashed under Files). The Files list does not show tovfeTCmVIfVuf.exe being written during the 129 s analysis window, so the persistence target was configured but not observed on disk. RegSvcs.exe is started with no arguments and is the process that receives the WriteProcessMemory/SetThreadContext calls, i.e. it hosts the injected payload that performs the Outlook credential reads and the network activity.

Network

Both detonations contact the same four hosts: checkip.dyndns.org:80 (external IP lookup, tagged above), reallyfreegeoip.org:443 (geolocation), api.telegram.org:443 (Telegram Bot API endpoint) and mail.afcargo.com.my:587 (SMTP submission). Telegram and SMTP are the two candidate exfiltration channels; the report records destinations only, not payloads, so neither a bot token nor SMTP credentials can be recovered from it. The remaining rows are DNS to 8.8.8.8, most of them reverse (PTR) lookups in *.in-addr.arpa form.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mail.afcargo.com.my udp
MY 210.1.224.79:587 mail.afcargo.com.my tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.224.1.210.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
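The table above mixes the sample's connections with resolver traffic and reverse lookups. The following script is an added example, not part of the sandbox report: it parses the rows as printed, keeps the TCP endpoints the sample actually connected to, reverses each in-addr.arpa name back to an address and checks which of those match a contacted endpoint (the rest are Windows background traffic), and emits domain:port indicators. The table text is a constructed copy of the rows above; no other input is assumed.

```python
"""Triage of the behavioral2 network table: separate the sample's own
endpoints from resolver traffic and check which reverse lookups match them."""
import ipaddress

# Constructed copy of the table rows above (header included, whitespace-separated).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mail.afcargo.com.my udp
MY 210.1.224.79:587 mail.afcargo.com.my tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.224.1.210.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
"""


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'73.247.226.132.in-addr.arpa' -> '132.226.247.73'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def triage(text):
    rows = parse_rows(text)
    # Non-DNS TCP connections are the endpoints the sample actually talked to.
    endpoints = {(r["ip"], r["port"]): r["domain"] for r in rows
                 if r["proto"] == "tcp" and r["port"] != 53}
    contacted = {ip for ip, _ in endpoints}
    matched, unmatched = [], []
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is not None:
            (matched if ip in contacted else unmatched).append(ip)
    forward = sorted({r["domain"] for r in rows
                      if r["port"] == 53 and ptr_to_ip(r["domain"]) is None})
    return {"endpoints": endpoints, "ptr_matched": matched,
            "ptr_unmatched": unmatched, "forward_lookups": forward}


def egress_iocs(text):
    """domain:port strings for proxy/firewall rules (domains beat the shared IPs)."""
    return sorted(f"{dom}:{port}" for (_, port), dom in triage(text)["endpoints"].items())
```

Four of the fifteen reverse lookups map back to the four contacted endpoints; the other eleven (8.8.8.8 itself and Microsoft/CDN ranges) have no matching connection and can be discounted. Block on domain and port rather than on the addresses: behavioral1 below reached checkip.dyndns.org and reallyfreegeoip.org at different IPs.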

Files

Memory dumps are named memory/<pid>-<n>-<start>-<end>-memory.dmp, where n is the dump's ordinal within the run. PID 4112 is payment Slip.exe, 2060 and 4048 are the two powershell.exe instances and 4556 is RegSvcs.exe. The 0x74710000-0x74EC0000 range recurs in 4112, 2060 and 4048 and is a shared module mapping; the 0x400000-0x448000 region (the conventional 32-bit image base, 0x48000 bytes) appears only in RegSvcs.exe, the SetThreadContext target, and is the dump of the injected image.

memory/4112-0-0x000000007471E000-0x000000007471F000-memory.dmp
memory/4112-1-0x0000000000CF0000-0x0000000000DA2000-memory.dmp
memory/4112-2-0x0000000005DE0000-0x0000000006384000-memory.dmp
memory/4112-3-0x0000000005780000-0x0000000005812000-memory.dmp
memory/4112-4-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4112-5-0x0000000005920000-0x000000000592A000-memory.dmp
memory/4112-6-0x0000000005DD0000-0x0000000005DE0000-memory.dmp
memory/4112-7-0x000000007471E000-0x000000007471F000-memory.dmp
memory/4112-8-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4112-9-0x0000000007170000-0x00000000071FC000-memory.dmp
memory/4112-10-0x00000000097F0000-0x000000000988C000-memory.dmp
memory/2060-15-0x0000000002740000-0x0000000002776000-memory.dmp
memory/2060-16-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-18-0x0000000005170000-0x0000000005798000-memory.dmp
memory/2060-19-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-17-0x0000000074710000-0x0000000074EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF59B.tmp (task definition passed to schtasks.exe /XML)
MD5 9529a9ccbc7c5658f21f64d591c1160f
SHA1 b83ef58161fc5f38a071af9668627cbc50dcf370
SHA256 828132f5c17ff12a7dd3356377bc130d26e347138821a1d0c70aef0d08d86f9c
SHA512 39e476838668258f3b6c1aa908fa5e52201e5f1e9f9ed38ad871cfe5e6ade30b160676d56a79348bf80028ecaf93c0621ca452a6dbbc5f291bef2e91fb6af8ce

memory/4048-20-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4048-22-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-24-0x00000000057A0000-0x0000000005806000-memory.dmp
memory/2060-23-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/2060-25-0x0000000005810000-0x0000000005876000-memory.dmp
memory/4556-26-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2060-29-0x0000000005A00000-0x0000000005D54000-memory.dmp
memory/4048-27-0x0000000074710000-0x0000000074EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwg3rs3h.pag.ps1 (probe script that powershell.exe itself writes at startup to test whether script-policy enforcement applies; a side effect of running PowerShell, not a file dropped by the sample)
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4112-30-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-49-0x0000000006020000-0x000000000603E000-memory.dmp
memory/2060-50-0x00000000060E0000-0x000000000612C000-memory.dmp
memory/4048-53-0x0000000070E60000-0x0000000070EAC000-memory.dmp
memory/2060-51-0x0000000006FF0000-0x0000000007022000-memory.dmp
memory/2060-52-0x0000000070E60000-0x0000000070EAC000-memory.dmp
memory/4048-72-0x0000000007730000-0x000000000774E000-memory.dmp
memory/4048-73-0x0000000007960000-0x0000000007A03000-memory.dmp
memory/4048-75-0x00000000080E0000-0x000000000875A000-memory.dmp
memory/2060-74-0x0000000007360000-0x000000000737A000-memory.dmp
memory/4048-76-0x0000000007B10000-0x0000000007B1A000-memory.dmp
memory/4048-77-0x0000000007D10000-0x0000000007DA6000-memory.dmp
memory/4048-78-0x0000000007C90000-0x0000000007CA1000-memory.dmp
memory/2060-79-0x0000000007590000-0x000000000759E000-memory.dmp
memory/4048-80-0x0000000007CD0000-0x0000000007CE4000-memory.dmp
memory/4048-82-0x0000000007DB0000-0x0000000007DB8000-memory.dmp
memory/4048-81-0x0000000007DD0000-0x0000000007DEA000-memory.dmp
memory/2060-85-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4048-86-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4556-87-0x0000000006240000-0x0000000006402000-memory.dmp
memory/4556-88-0x00000000060E0000-0x0000000006130000-memory.dmp
memory/4556-89-0x0000000006940000-0x0000000006E6C000-memory.dmp
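A quick way to find the payload dump in a list like the one above is to parse the dump names and ask which address ranges occur in more than one process (shared runtime modules) and which are unique to a single process. The script below is an added example, not tooling from the sandbox; it works on a constructed subset of the names listed above and assumes nothing about the dump contents beyond what the name encodes.

```python
"""Parse the memory-dump names in the Files list and separate regions that
several processes share (module mappings) from regions unique to one process."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """'memory/<pid>-<n>-<start>-<end>-memory.dmp' -> dict, or None if not a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, n, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "n": int(n), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    by = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        if d:
            by[d["pid"]].add((d["start"], d["end"]))
    return dict(by)


def classify_regions(names):
    """Return (regions seen in more than one PID, {pid: regions seen in that PID only})."""
    by = regions_by_pid(names)
    owners = defaultdict(set)
    for pid, regs in by.items():
        for r in regs:
            owners[r].add(pid)
    shared = {r for r, o in owners.items() if len(o) > 1}
    unique = {pid: sorted(r for r in regs if len(owners[r]) == 1) for pid, regs in by.items()}
    return shared, unique


def report(names):
    """Human-readable summary; flags the conventional 32-bit image base 0x400000."""
    shared, unique = classify_regions(names)
    shared_txt = ", ".join(f"0x{a:X}-0x{b:X}" for a, b in sorted(shared))
    lines = [f"shared by more than one PID: {shared_txt}"]
    for pid, regs in sorted(unique.items()):
        for a, b in regs:
            flag = "  <- conventional 32-bit image base" if a == 0x400000 else ""
            lines.append(f"pid {pid}: 0x{a:X}-0x{b:X} ({b - a} bytes){flag}")
    return lines


# Constructed subset of the dump names listed above (4112 = payment Slip.exe,
# 2060/4048 = powershell.exe, 4556 = RegSvcs.exe), plus one non-dump entry.
SAMPLE_DUMPS = [
    "memory/4112-1-0x0000000000CF0000-0x0000000000DA2000-memory.dmp",
    "memory/4112-4-0x0000000074710000-0x0000000074EC0000-memory.dmp",
    "memory/4112-8-0x0000000074710000-0x0000000074EC0000-memory.dmp",
    "memory/2060-16-0x0000000074710000-0x0000000074EC0000-memory.dmp",
    "memory/2060-52-0x0000000070E60000-0x0000000070EAC000-memory.dmp",
    "memory/4048-20-0x0000000074710000-0x0000000074EC0000-memory.dmp",
    "memory/4048-53-0x0000000070E60000-0x0000000070EAC000-memory.dmp",
    "memory/4556-26-0x0000000000400000-0x0000000000448000-memory.dmp",
    "memory/4556-87-0x0000000006240000-0x0000000006402000-memory.dmp",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpF59B.tmp",  # skipped: not a dump name
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMPS)))
```

On the full list the same split holds: the 0x74710000 and 0x70E60000 ranges are shared, and the only region at 0x400000 belongs to PID 4556. That 0x48000-byte dump is the one to carve and hand to a .NET decompiler.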

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-26 10:51
Reported: 2024-09-26 10:54
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2960 set thread context of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2960 wrote to memory of 2720 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2860 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 2896 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2960 wrote to memory of 2792 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

As in behavioral2, every child receives the same small number of writes from process creation, while RegSvcs.exe (PID 2792) receives three times as many and is the SetThreadContext target: the hollowing sequence is identical on Windows 7, only the per-child baseline differs (four writes instead of three).
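Both WriteProcessMemory tables (behavioral2 above and behavioral1 here) are easier to read once the events are grouped per target and the per-child creation baseline is separated from the extra writes. The script below is an added example, not part of the sandbox report: it rebuilds both event streams from the row counts on this page and returns a verdict per target PID. The event tuples are constructed from the tables; the API names are the sandbox's own labels.

```python
"""Correlate the sandbox's WriteProcessMemory / SetThreadContext events into
per-target verdicts: which child was hollowed, which only received the writes
that ordinary process creation produces."""
from collections import defaultdict


def expand(counts):
    """(api, src, dst, n) tuples -> flat event list, mirroring the repeated table rows."""
    return [(api, src, dst) for api, src, dst, n in counts for _ in range(n)]


# Constructed from the two WriteProcessMemory / SetThreadContext tables.
BEHAVIORAL2 = expand([
    ("WriteProcessMemory", 4112, 2060, 3),   # powershell.exe (first Defender exclusion)
    ("WriteProcessMemory", 4112, 4048, 3),   # powershell.exe (second Defender exclusion)
    ("WriteProcessMemory", 4112, 4688, 3),   # schtasks.exe
    ("WriteProcessMemory", 4112, 4556, 8),   # RegSvcs.exe
    ("SetThreadContext",   4112, 4556, 1),
])
BEHAVIORAL1 = expand([
    ("WriteProcessMemory", 2960, 2720, 4),
    ("WriteProcessMemory", 2960, 2860, 4),
    ("WriteProcessMemory", 2960, 2896, 4),
    ("WriteProcessMemory", 2960, 2792, 12),
    ("SetThreadContext",   2960, 2792, 1),
])


def correlate_injection(events):
    """Group events by target PID and decide what the writes mean."""
    per = defaultdict(lambda: {"sources": set(), "writes": 0,
                               "thread_context_set": False, "verdict": ""})
    for api, src, dst in events:
        s = per[dst]
        s["sources"].add(src)
        if api == "WriteProcessMemory":
            s["writes"] += 1
        elif api == "SetThreadContext":
            s["thread_context_set"] = True
    # The smallest non-zero write count is what plain process creation costs here.
    baseline = min((s["writes"] for s in per.values() if s["writes"]), default=0)
    for s in per.values():
        if s["thread_context_set"] and s["writes"]:
            # Writes plus a redirected thread: the parent replaced what the child runs.
            s["verdict"] = "hollowing_candidate"
        elif s["writes"] > baseline:
            s["verdict"] = "excess_writes"          # worth a look, no context change seen
        elif s["writes"]:
            s["verdict"] = "creation_writes_only"   # same count as every other child
    return dict(per)


def hollowing_targets(events):
    """PIDs whose verdict is hollowing_candidate, sorted."""
    return sorted(pid for pid, s in correlate_injection(events).items()
                  if s["verdict"] == "hollowing_candidate")


if __name__ == "__main__":
    for name, evs in (("behavioral2", BEHAVIORAL2), ("behavioral1", BEHAVIORAL1)):
        for pid, s in sorted(correlate_injection(evs).items()):
            print(f"{name} pid {pid}: {s['writes']} writes, "
                  f"SetThreadContext={s['thread_context_set']}, {s['verdict']}")
```

The baseline is derived from the data rather than hard-coded because it differs between the two platforms (three writes per child on Windows 10, four on Windows 7); the verdict for RegSvcs.exe is the same in both runs.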

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
  "C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tovfeTCmVIfVuf.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tovfeTCmVIfVuf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1536.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

The process tree is identical to behavioral2 apart from the randomised name of the task XML (tmp1536.tmp, hashed under Files). The exclusion path, task name and drop location (C:\Users\Admin\AppData\Roaming\tovfeTCmVIfVuf.exe) are the same on both platforms and are therefore stable host indicators; as in behavioral2, the Files list does not show that copy being written within the analysis window.

Network

The same four hosts as in behavioral2, without the reverse lookups. checkip.dyndns.org and reallyfreegeoip.org resolved to different addresses in this run, so IP-based indicators for them are unstable; the api.telegram.org and mail.afcargo.com.my endpoints were identical in both detonations.

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 mail.afcargo.com.my udp
MY 210.1.224.79:587 mail.afcargo.com.my tcp

Files

PID 2960 is payment Slip.exe and 2792 is RegSvcs.exe. The 0x400000-0x448000 region in RegSvcs.exe is the same size (0x48000 bytes) as the injected image dumped from PID 4556 in behavioral2; the sandbox dumped it seven times as the process ran.

memory/2960-0-0x000000007408E000-0x000000007408F000-memory.dmp
memory/2960-1-0x0000000000A90000-0x0000000000B42000-memory.dmp
memory/2960-2-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2960-3-0x00000000005D0000-0x00000000005E0000-memory.dmp
memory/2960-4-0x000000007408E000-0x000000007408F000-memory.dmp
memory/2960-5-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2960-6-0x0000000005110000-0x000000000519C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1536.tmp (task definition passed to schtasks.exe /XML)
MD5 a36cd43ed17a94b10fcfa5a9e6a94bbb
SHA1 65f7c940977fa9c4a27371dda63cd17a9377758f
SHA256 7366316ae4fe7c6ed03e643d2c8b152e3a2c1f6f50777a3164e8f7f8a6d400f7
SHA512 0c4355261b972f8f4cf84e50566f3789e55887de4e656731dc7dab51655239fff098eca01ba1129864def47585f2ee07216ba943d7371cab78ac3240bf6bb362

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (jump-list file maintained by the Windows shell as programs run; a by-product of the execution, not a file the sample writes)
MD5 e6794d88400510aacd2a2b9886a9ee9b
SHA1 7163ca40f1c69bd08a464198839c53739e8be345
SHA256 00fadc14e21d8c2e497d8c4bab4f0bfe78f6ae703e17069f7af585f7dd19aaa0
SHA512 5039914aa98e9ede57d42ac1192f0d394b95fe5ad94d1d4f44e5410e2e725428fc38b2cb9c91895b9acdc35525eb3457036325ba63c6e619098235610f726803

memory/2792-19-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-25-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-30-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-29-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-28-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2792-23-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-21-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2960-31-0x0000000074080000-0x000000007476E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD31A.tmp (Cab/Tar temporary pairs like these are typically written by Windows when it fetches and unpacks a certificate-trust-list cabinet during TLS chain validation; consistent with the HTTPS connections above rather than with a sample drop)
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD34B.tmp
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b