Malware Analysis Report

2024-11-30 14:54

Sample ID 241029-payefavgjd
Target ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe
SHA256 72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad
Tags
vipkeylogger collection discovery evasion keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad

Threat Level: Known bad

The file ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe was found to be: Known bad.

Read together, the signatures below describe two components. The AutoIT-packed sample relaunches itself (same path, with a trailing space), writes into a freshly started C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe and sets that process's thread context, which is the shape of process hollowing; it is then the RegSvcs.exe process that takes SeDebugPrivilege and opens the Outlook profile keys. Separately, the dropped C:\Users\Admin\AppData\Local\icsys.icn.exe starts a chain that plants explorer.exe, spoolsv.exe, svchost.exe and udsys.exe under C:\Windows\system (a legacy directory where none of those names is ever installed) and persists them through the Winlogon Shell value, RunOnce, Active Setup StubPath entries pointing at mrsys.exe, and at.exe jobs. The network section records lookups of checkip.dyndns.org and reallyfreegeoip.org followed by connections to api.telegram.org:443 and mail.tlakovec.si:587, consistent with the Telegram and SMTP exfiltration channels used by keyloggers of this family; the report does not attribute those connections to a process.

Malicious Activity Summary

vipkeylogger collection discovery evasion keylogger persistence stealer

VIPKeylogger

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Vipkeylogger family

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 12:08

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 12:08

Reported

2024-10-29 12:10

Platform

win7-20241010-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
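The three persistence mechanisms in the tables above share traits that can be flagged without a signature for this particular sample: Winlogon's Shell value is a comma-separated list that Winlogon starts in full, so any entry besides explorer.exe is a second shell; Active Setup executes each Installed Components\{GUID}\StubPath at a user's next logon whenever HKCU lacks the matching key (here the component names are not even well-formed GUIDs, note the letters outside 0-9A-F, and both StubPaths point into AppData\Roaming); and the RunOnce values point at C:\Windows\system, the legacy directory where neither svchost.exe nor explorer.exe is ever installed, and are rewritten by the malware each time they fire. The Python below is an added example, not part of this report or of any sandbox tooling: it runs those three checks over registry events, with the malicious events transcribed from the rows above and three benign control events (including the well-formed GUID in them) constructed for contrast.

```python
import re
from dataclasses import dataclass

# Active Setup component names are GUIDs on a healthy system; the ones in this report are not.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)
# Directories a persistence image should never live in. C:\Windows\system is the
# legacy 16-bit directory; explorer.exe/svchost.exe/spoolsv.exe never belong there.
BAD_IMAGE_DIRS = ("c:\\windows\\system\\", "\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class RegEvent:
    op: str        # "Set value" or "Key created", as in the sandbox table
    path: str      # full key path; for "Set value" the last component is the value name
    data: str      # value data ("" for key events)
    process: str   # image that made the change


# Constructed event list: the first four rows are transcribed from this report's
# behavioral1 tables, the last three are benign controls made up for contrast.
SAMPLE_EVENTS = [
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", r"\??\c:\windows\system\svchost.exe"),
    RegEvent("Key created", r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
             "", r"\??\c:\windows\system\svchost.exe"),
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", r"\??\c:\windows\system\svchost.exe"),
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
             r"c:\windows\system\svchost.exe RO", r"\??\c:\windows\system\svchost.exe"),
    # benign controls (constructed): default shell, a well-formed Active Setup entry, an installer's RunOnce
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe", r"C:\Windows\System32\msiexec.exe"),
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\StubPath",
             r"C:\Windows\System32\regsvr32.exe /s vendor.dll", r"C:\Windows\System32\msiexec.exe"),
    RegEvent("Set value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VendorSetup",
             r"C:\Program Files\Vendor\setup.exe /post", r"C:\Program Files\Vendor\setup.exe"),
]


def exe_path(command: str) -> str:
    """Lower-cased executable path from a command line such as
    'C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR' (quotes and arguments dropped)."""
    m = re.match(r'^\s*"?(.+?\.exe)', command, re.I)
    return (m.group(1) if m else command.strip()).lower()


def check_event(ev: RegEvent) -> list:
    """Return (rule, detail) findings for one registry event."""
    findings = []
    p = ev.path.lower()
    parts = ev.path.split("\\")

    # 1. Winlogon Shell is a comma-separated list and Winlogon starts every entry.
    if ev.op == "Set value" and p.endswith("\\winlogon\\shell"):
        for entry in (e.strip() for e in ev.data.split(",")):
            if exe_path(entry) not in ("explorer.exe", "c:\\windows\\explorer.exe"):
                findings.append(("winlogon_shell_extra_entry", entry))

    # 2. Active Setup: non-GUID component names, and StubPaths in user-writable or odd directories.
    if "\\active setup\\installed components\\" in p:
        i = [x.lower() for x in parts].index("installed components")
        component = parts[i + 1] if i + 1 < len(parts) else ""
        if not GUID_RE.match(component):
            findings.append(("active_setup_non_guid_component", component))
        if p.endswith("\\stubpath"):
            stub = exe_path(ev.data)
            if any(d in stub for d in BAD_IMAGE_DIRS):
                findings.append(("active_setup_stubpath_bad_dir", stub))

    # 3. Run / RunOnce values whose image lives somewhere no installer would put it.
    if ev.op == "Set value" and re.search(r"\\currentversion\\run(once)?\\[^\\]+$", p):
        image = exe_path(ev.data)
        if any(d in image for d in BAD_IMAGE_DIRS):
            findings.append(("run_key_bad_image_dir", image))
    return findings


def scan(events) -> dict:
    """Run check_event over a list of events; return {rule: [detail, ...]}."""
    out = {}
    for ev in events:
        for rule, detail in check_event(ev):
            out.setdefault(rule, []).append(detail)
    return out


if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {details}")
```

On a live host the same three checks map onto Sysmon event ID 13 (value set) and 12 (key created/deleted) filtered on the Winlogon, Active Setup and Run/RunOnce paths; the non-GUID component check is the cheapest of the three and has essentially no benign hits.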

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2200 set thread context of 2724 | N/A | \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe (1 event) | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe (33 events) | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe (29 events) | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (1 event) | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 2200 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 
PID 2116 wrote to memory of 1916 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1916 wrote to memory of 2852 (4 events) | N/A | C:\Users\Admin\AppData\Local\icsys.icn.exe | \??\c:\windows\system\explorer.exe
PID 2852 wrote to memory of 2136 (4 events) | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2136 wrote to memory of 2748 (4 events) | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2748 wrote to memory of 2736 (4 events) | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2748 wrote to memory of 2708 (4 events) | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2200 wrote to memory of 2724 (8 events) | N/A | \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2748 wrote to memory of 1748 (4 events) | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2748 wrote to memory of 2500 (4 events) | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | "C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe"
\??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  | "c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe " (relaunched copy; note the trailing space inside the quotes)
C:\Users\Admin\AppData\Local\icsys.icn.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe " (started with the spawning process's own command line)
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR
C:\Windows\SysWOW64\at.exe | at 12:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe | at 12:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
C:\Windows\SysWOW64\at.exe | at 12:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
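The WriteProcessMemory, SetThreadContext and Processes tables are flat lists; rebuilt as a tree they show two chains under PID 2116: the relaunched copy (2200) writing into and setting the thread context of RegSvcs.exe (2724), which is the shape of process hollowing, and icsys.icn.exe (1916) spawning explorer.exe, spoolsv.exe and svchost.exe out of C:\Windows\system plus three at.exe jobs for that svchost.exe. One caveat on the at.exe leg: on Windows 8 and later at.exe only prints a deprecation notice and creates no job, so it takes effect on the Windows 7 image of behavioral1 but not on the Windows 10 image of behavioral2. The Python below is an added example, not code from the report or the sandbox: the event tuples are transcribed from the tables above with the sandbox's repeated rows merged to one per parent/child pair, and the table of expected directories for the impersonated binaries is the example's own assumption.

```python
from collections import defaultdict

# Image paths as they appear in this report (the relaunched copy really does carry a trailing space).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe"
SAMPLE2 = r"\??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe "
ICSYS = r"C:\Users\Admin\AppData\Local\icsys.icn.exe"
EXPLORER = r"\??\c:\windows\system\explorer.exe"
SPOOLSV = r"\??\c:\windows\system\spoolsv.exe"
SVCHOST = r"\??\c:\windows\system\svchost.exe"
AT = r"C:\Windows\SysWOW64\at.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# (parent_pid, child_pid, parent_image, child_image): constructed from the
# "Suspicious use of WriteProcessMemory" table, one tuple per distinct pair.
MEMORY_WRITES = [
    (2116, 2200, SAMPLE, SAMPLE2),
    (2116, 1916, SAMPLE, ICSYS),
    (1916, 2852, ICSYS, EXPLORER),
    (2852, 2136, EXPLORER, SPOOLSV),
    (2136, 2748, SPOOLSV, SVCHOST),
    (2748, 2736, SVCHOST, SPOOLSV),
    (2748, 2708, SVCHOST, AT),
    (2200, 2724, SAMPLE2, REGSVCS),
    (2748, 1748, SVCHOST, AT),
    (2748, 2500, SVCHOST, AT),
]
# From the "Suspicious use of SetThreadContext" table.
SET_THREAD_CONTEXT = [(2200, 2724)]

# Assumed directories in which Windows actually keeps the binaries these drops impersonate.
EXPECTED_DIR = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}


def norm(image: str) -> str:
    """Lower-case an image path, drop the NT '\\??\\' prefix and trailing blanks."""
    image = image.strip().lower()
    return image[4:] if image.startswith("\\??\\") else image


def build_tree(writes):
    """Return ({pid: image}, {parent_pid: [child_pid, ...]}) from write events; a parent
    writing into a child it has just created is how create-then-inject shows up in a sandbox."""
    images, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in writes:
        images.setdefault(ppid, norm(pimg))
        images.setdefault(cpid, norm(cimg))
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return images, children


def render(images, children, root, depth=0):
    """Indented text lines for the subtree under root, in spawn order."""
    lines = [f"{'  ' * depth}{root} {images[root]}"]
    for c in children.get(root, []):
        lines.extend(render(images, children, c, depth + 1))
    return lines


def hollowing_candidates(writes, set_ctx):
    """Parent wrote into a child AND set its thread context, and the child is a Windows
    binary with a different image from the parent: the process-hollowing shape."""
    images, _ = build_tree(writes)
    pairs = {(p, c) for p, c, _, _ in writes}
    return [(p, c, images[c]) for p, c in set_ctx
            if (p, c) in pairs and images[p] != images[c] and images[c].startswith("c:\\windows\\")]


def masqueraders(writes):
    """Child images whose file name belongs to a Windows binary but whose directory does not."""
    found = []
    for _, _, _, cimg in writes:
        path = norm(cimg)
        directory, name = path.rsplit("\\", 1)
        if name in EXPECTED_DIR and directory not in EXPECTED_DIR[name] and path not in found:
            found.append(path)
    return found


if __name__ == "__main__":
    images, children = build_tree(MEMORY_WRITES)
    print("\n".join(render(images, children, 2116)))
    print("hollowing candidates:", hollowing_candidates(MEMORY_WRITES, SET_THREAD_CONTEXT))
    print("masquerading images:", masqueraders(MEMORY_WRITES))
```

The same two rules translate directly to endpoint telemetry: Sysmon event ID 8 (CreateRemoteThread) and 10 (ProcessAccess with write/set-context rights) from a parent to a child whose image is a signed .NET host like RegSvcs.exe, and event ID 1 with a well-known file name under an unexpected directory.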

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | mail.tlakovec.si | udp
SI | 212.44.112.138:587 | mail.tlakovec.si | tcp
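The network table shows the outbound sequence a stealer of this kind produces: a public-IP lookup (checkip.dyndns.org), a geolocation lookup (reallyfreegeoip.org), then Telegram's bot API on 443 and SMTP submission on 587 to mail.tlakovec.si; the report does not say which process made which connection. Each piece alone is a weak signal (dynamic-DNS clients hit checkip.dyndns.org legitimately, and Telegram is an ordinary messaging service), but an IP check followed within minutes by Telegram or by SMTP to a server that is not the organisation's relay is a reliable pattern. The Python below is an added example, not part of the report: it correlates constructed Zeek-style connection records modeled on the table (plus a benign host for contrast) and uses a made-up allowlist entry, smtp.corp.example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services that only tell a client its own public IP or location; stealers call one
# before exfiltrating so the operator knows where the victim is.
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
TELEGRAM_API = "api.telegram.org"
SMTP_PORTS = {25, 465, 587}
# Constructed allowlist: the mail servers this (hypothetical) organisation actually uses.
ALLOWED_MAIL_SERVERS = {"smtp.corp.example"}
WINDOW = timedelta(minutes=10)

# Constructed Zeek-style conn records (ts, src_host, dst_domain, dst_ip, dst_port, proto),
# modeled on the Network table of this report plus one benign host for contrast.
SAMPLE_CONNS = [
    ("2024-10-29 12:08:30", "ws-admin", "checkip.dyndns.org", "8.8.8.8", 53, "udp"),
    ("2024-10-29 12:08:31", "ws-admin", "checkip.dyndns.org", "193.122.130.0", 80, "tcp"),
    ("2024-10-29 12:08:33", "ws-admin", "reallyfreegeoip.org", "104.21.67.152", 443, "tcp"),
    ("2024-10-29 12:08:40", "ws-admin", "api.telegram.org", "149.154.167.220", 443, "tcp"),
    ("2024-10-29 12:08:45", "ws-admin", "mail.tlakovec.si", "212.44.112.138", 587, "tcp"),
    ("2024-10-29 12:09:10", "ws-finance", "smtp.corp.example", "10.0.0.25", 587, "tcp"),
    ("2024-10-29 12:09:12", "ws-finance", "checkip.dyndns.org", "193.122.130.0", 80, "tcp"),
]


def classify(domain, port, proto="tcp"):
    """Map one connection to a stage of the exfil pattern, or None if it is not part of it."""
    if proto != "tcp":          # DNS lookups of the same names are not the stage itself
        return None
    if domain in IP_CHECK_DOMAINS:
        return "ipcheck"
    if domain == TELEGRAM_API and port == 443:
        return "telegram"
    if port in SMTP_PORTS and domain not in ALLOWED_MAIL_SERVERS:
        return "smtp_external"
    return None


def find_exfil(conns, window=WINDOW):
    """Hosts that do an external IP lookup and, within `window` after it, reach Telegram's
    bot API or an SMTP server that is not on the allowlist.
    Returns {host: {"channels": [...], "destinations": [...]}}."""
    by_host = defaultdict(list)
    for ts_s, host, domain, _ip, port, proto in conns:
        kind = classify(domain, port, proto)
        if kind:
            by_host[host].append((datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S"), kind, domain))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for t0, kind, _ in events:
            if kind != "ipcheck":
                continue
            after = [(k, d) for t, k, d in events if k != "ipcheck" and t0 <= t <= t0 + window]
            if after:
                hits[host] = {"channels": sorted({k for k, _ in after}),
                              "destinations": sorted({d for _, d in after})}
                break
    return hits


if __name__ == "__main__":
    for host, info in find_exfil(SAMPLE_CONNS).items():
        print(f"{host}: ip-check followed by {', '.join(info['channels'])} "
              f"to {', '.join(info['destinations'])}")
```

The allowlist is what keeps the SMTP rule honest: port 587 from an endpoint to anything other than the organisation's own submission servers is already worth a look, and in this detonation the destination is a third-party mail server in a different country from every other contact.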

Files

memory/2116-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 

MD5 6a6157cd22cd9558f8579c30632e62c1
SHA1 7451d8e77a65ff7e9ddebdf73183cbd684d3fdfd
SHA256 c3e272af01d2b5739d8f91ce17d80e13818a59fe50f5545d09fea9a669520667
SHA512 4e41562a7279af1b4b4a0513b4f75965f04729fc3d6d71a9c74634a24257143bee308c942abb3e5de5b29bdafde86ccfac5f906f1c26b4a0b40c54b0fe47fa3a

\Users\Admin\AppData\Local\icsys.icn.exe

MD5 30957be4d1d5957a9d6433367cef30ef
SHA1 df2d8a795bd221d77b0bc167d05203ab6b6b2fca
SHA256 cedcf4e2ffc34660e6e4bdd8e3cab70b2c805704ceb302f29e3b5a3c4e6eac5c
SHA512 36382e3597704764ae1300ca3c857b50f2fabe7f557c36240206749dfa89fb435f313511d72d5ded60db9b38237f0d983f0af78f3440ac7dfaa7014e3085e161

\Windows\system\explorer.exe

MD5 c8ff10180b9296ebe9ea7b27492ecd63
SHA1 c5c4de55f81a839072cc5961de58b5006c29003f
SHA256 1a3e01839e34c61759eca1a476837b89e0d177e5b5f122b2cd997c28eb079d81
SHA512 f6d8b2cdc66c51e36ebbecdd87ebb9c36d761b7e65f53d19ebaccef4b5127b383d6c7f4fd5b7e030e3b3166e8b678aa0b829c4e63f46235c137b8a0ac47377cb

memory/2852-34-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1916-33-0x0000000001F30000-0x0000000001F6E000-memory.dmp

memory/1916-32-0x0000000001F30000-0x0000000001F6E000-memory.dmp

\Windows\system\spoolsv.exe

MD5 ebcf421ada009f3085d8fab0b52b3d91
SHA1 7ae06aac6ef82d01edf390d3317ea3600118085f
SHA256 29e0748a5133138bdfcfbd0495a5541b899579c02b6f39d42d950f5f44ae06ab
SHA512 b8b326635d593e3a73d666162c7a484463c7987ff44eb7359e43ff8e94ba309e607b5af947a41151980ea4f2195210165bb5b79f044ce8bce37713b1ec5ffe62

memory/2200-48-0x0000000003410000-0x0000000003610000-memory.dmp

\Windows\system\svchost.exe

MD5 d0da88cdf5bb9fc621ffc6271851ef74
SHA1 44dd145e7fc17e0c7eb1fbb477c0fb2f016b4475
SHA256 987e6f8cd24c10417cbe9002305e435a904e6496af3273eb1ff8215986aa380f
SHA512 a7c72c09c858b59322ddcabc9374d83bd1ea669b9a6dc73917d471fcfa18d372429243d6c8988666c4372fdc1ab480dbe5cb09fcede37470a96b7f6a0d7aa6c4

memory/2136-61-0x0000000002CD0000-0x0000000002D0E000-memory.dmp

memory/2736-73-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2748-69-0x0000000001CF0000-0x0000000001D2E000-memory.dmp

memory/2736-75-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2136-78-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1916-80-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2116-79-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 6e034af865693d8bc904f35bfe173655
SHA1 a9c0e119b2198c0e4b9bc8b17961be82fd40027d
SHA256 81dd712efe3abe786dd22323316ba7710fde90ac7a2057fb2193bd0250cea901
SHA512 26a96a9d69cfcb60df8a3ade3976576c4069e895d3f9e5f342606aebc1e80df28eda196f591d43b603d6fad6ebcd27aeb90da6b9423695920a7e91392ba46e9a

memory/2724-82-0x0000000000090000-0x00000000000DA000-memory.dmp

memory/2724-90-0x0000000000090000-0x00000000000DA000-memory.dmp

memory/2724-87-0x0000000000090000-0x00000000000DA000-memory.dmp

memory/2724-83-0x0000000000090000-0x00000000000DA000-memory.dmp

memory/2852-91-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2852-92-0x0000000002660000-0x000000000269E000-memory.dmp

memory/2748-93-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2748-94-0x0000000001CF0000-0x0000000001D2E000-memory.dmp

\??\PIPE\atsvc (the named pipe through which at.exe submits jobs to the scheduler service; the hashes below are those of empty input, no content was captured)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 12:08

Reported

2024-10-29 12:10

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2952 set thread context of 4676 | N/A | \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\icsys.icn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 
PID 4268 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 
PID 4268 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 
PID 4268 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4268 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4268 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 4628 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4628 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4628 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1112 wrote to memory of 1132 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1112 wrote to memory of 1132 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1112 wrote to memory of 1132 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1132 wrote to memory of 5060 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1132 wrote to memory of 5060 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1132 wrote to memory of 5060 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5060 wrote to memory of 3444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5060 wrote to memory of 3444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5060 wrote to memory of 3444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5060 wrote to memory of 3560 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 3560 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 3560 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2952 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2952 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2952 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2952 wrote to memory of 4676 N/A \??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5060 wrote to memory of 3388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 3388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5060 wrote to memory of 3388 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe"

\??\c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 

"c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe "

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 12:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"c:\users\admin\appdata\local\temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe "

C:\Windows\SysWOW64\at.exe

at 12:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 mail.tlakovec.si udp
SI 212.44.112.138:587 mail.tlakovec.si tcp
US 8.8.8.8:53 138.112.44.212.in-addr.arpa udp
SI 212.44.112.138:587 mail.tlakovec.si tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4268-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zapytanie ofertowe st-2024-s315 cpa9170385.exe 

MD5 6a6157cd22cd9558f8579c30632e62c1
SHA1 7451d8e77a65ff7e9ddebdf73183cbd684d3fdfd
SHA256 c3e272af01d2b5739d8f91ce17d80e13818a59fe50f5545d09fea9a669520667
SHA512 4e41562a7279af1b4b4a0513b4f75965f04729fc3d6d71a9c74634a24257143bee308c942abb3e5de5b29bdafde86ccfac5f906f1c26b4a0b40c54b0fe47fa3a

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 30957be4d1d5957a9d6433367cef30ef
SHA1 df2d8a795bd221d77b0bc167d05203ab6b6b2fca
SHA256 cedcf4e2ffc34660e6e4bdd8e3cab70b2c805704ceb302f29e3b5a3c4e6eac5c
SHA512 36382e3597704764ae1300ca3c857b50f2fabe7f557c36240206749dfa89fb435f313511d72d5ded60db9b38237f0d983f0af78f3440ac7dfaa7014e3085e161

memory/4628-12-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 634d776b3acf86031073920b683186ed
SHA1 a6d0c3210d4e7974aea1da4f5a77459f5a61937c
SHA256 e216b2076d7b0c86a20390b534dbbf7d0d8d356f01b4a96511b3baf144adebe4
SHA512 3a7ac8a6c965c7fe02022b11ed8fb017f41e4026c2d46315f6328cd9ff0e592cdabd69d807959f0b0b4a080a699f939fdefe64bf3cf1ff85dcd75a6ff34eb577

\??\c:\windows\system\spoolsv.exe

MD5 ea540c56bfc391a069fe879c78e93e77
SHA1 87b130178fe062c08adc81c679a9c265f8019682
SHA256 3a68a880c7ea71e858346a2eb6bcee4032a38d36607372c9b81e0ef7e30da390
SHA512 b5547609e2ea0cb8d6adbbd3b5da8ed2e1fc767b7e8b61942a98f28330ef7c9eb2e93b89e281019a5d5c8cbdc02f7923130548c6bf8a771e6066afd489cbf17d

C:\Windows\System\svchost.exe

MD5 3940c5ba47e079d5f193ae70025bee64
SHA1 f78f6c6417bb11d85fd55c366d026e012e02ec3e
SHA256 e18d31fe8d8831c9256f255d0e71527cf38f3e4fa68cb3b0c191aa025085d767
SHA512 c20b1cf7b36651decc3db2b5f8c8ee4acc15fd5ed482969f0e4edd0249c7e14b4532190ef492aa4c07610317deb6b3a2706a413f43d7ae032bfc43da5f4c89b7

memory/3444-45-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1132-48-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4268-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4628-49-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 691fece2d9f6f0f1affd8b7a5c4e3695
SHA1 e8a86926734f1c8646589b4497e0c614fd755021
SHA256 3e337c9986cdba16db7985ce836f55259a7797429820043edbaefee4375804e8
SHA512 ee1736194ec39444fa0bb6b836a786a6051cdc0d80bd5094a305724b566c19ade6d1ee97c83607d288c91c55adfd4277997eea4218495391ee784637d23cf7a3

memory/4676-53-0x0000000000500000-0x000000000054A000-memory.dmp

memory/4676-54-0x0000000005130000-0x00000000056D4000-memory.dmp

memory/4676-55-0x0000000004B80000-0x0000000004C1C000-memory.dmp

memory/4676-56-0x0000000005EB0000-0x0000000006072000-memory.dmp

memory/4676-57-0x0000000005D30000-0x0000000005D80000-memory.dmp

memory/4676-58-0x00000000065B0000-0x0000000006ADC000-memory.dmp

memory/4676-59-0x0000000005E00000-0x0000000005E92000-memory.dmp

memory/4676-60-0x00000000060B0000-0x00000000060BA000-memory.dmp

memory/1112-61-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5060-62-0x0000000000400000-0x000000000043E000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e