Malware Analysis Report

2024-11-30 15:03

Sample ID 241029-pfty7swnhr
Target ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe
SHA256 72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad
Tags
vipkeylogger collection discovery evasion keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72292a987383f0079a0a846bae4ee6345f008f991a50f5f6d7fed2cad91339ad

Threat Level: Known bad

The file ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery evasion keylogger persistence stealer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

VIPKeylogger

Vipkeylogger family

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Program crash

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 12:16

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 12:16

Reported

2024-10-29 12:19

Platform

win7-20240903-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2292 set thread context of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 2136 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 2136 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 2136 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 2136 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2136 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2136 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2136 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 2052 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 1460 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1460 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1460 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1460 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 3056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1528 wrote to memory of 3056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1528 wrote to memory of 3056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1528 wrote to memory of 3056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3056 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3056 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3056 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3056 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3056 wrote to memory of 2808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2292 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2132 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2132 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2132 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3056 wrote to memory of 2132 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe"

\??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 

c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 12:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 

C:\Windows\SysWOW64\at.exe

at 12:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 mail.tlakovec.si udp
SI 212.44.112.138:587 mail.tlakovec.si tcp

Files

memory/2136-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\zapytanieofertowest-2024-s315cpa9170385.exe 

MD5 6a6157cd22cd9558f8579c30632e62c1
SHA1 7451d8e77a65ff7e9ddebdf73183cbd684d3fdfd
SHA256 c3e272af01d2b5739d8f91ce17d80e13818a59fe50f5545d09fea9a669520667
SHA512 4e41562a7279af1b4b4a0513b4f75965f04729fc3d6d71a9c74634a24257143bee308c942abb3e5de5b29bdafde86ccfac5f906f1c26b4a0b40c54b0fe47fa3a

memory/2136-20-0x0000000002540000-0x000000000257E000-memory.dmp

memory/2052-19-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 30957be4d1d5957a9d6433367cef30ef
SHA1 df2d8a795bd221d77b0bc167d05203ab6b6b2fca
SHA256 cedcf4e2ffc34660e6e4bdd8e3cab70b2c805704ceb302f29e3b5a3c4e6eac5c
SHA512 36382e3597704764ae1300ca3c857b50f2fabe7f557c36240206749dfa89fb435f313511d72d5ded60db9b38237f0d983f0af78f3440ac7dfaa7014e3085e161

\Windows\system\explorer.exe

MD5 a679afe846f5a3514a55786579466585
SHA1 16e254f72383dbe5af3c16d059ac377b140754de
SHA256 211db987a993a34502567bbe92e89b5db26d015c296fd8d48ba51e2ffd5e1bc8
SHA512 52c0d894cc2c0aedffc15c6b3a0350d3dc77652725ebdca7ba77e67064cf699d9045376f46cb49a0d2172a80ee73472be91c4af687c2d56207951607a919915e

memory/2052-34-0x0000000002480000-0x00000000024BE000-memory.dmp

\Windows\system\spoolsv.exe

MD5 fec2b06686298128ac8fe408a0301610
SHA1 f3c269f8bbb0c0674bbd29fc8db4838769b5c6a9
SHA256 2662c5f790ff93b1cdcf06868a7abb6a10def1408b9dc6e2a48064e8a1db814b
SHA512 62cc1b7e3038a11ce771d5600f777d66f70b4674225e669bfcc9fcdb265205f3ec00fe256908c723d74ff27341b7d1fbb9a06acdd09b6a307f1cc7b358754c7f

memory/2292-54-0x0000000003330000-0x0000000003530000-memory.dmp

\Windows\system\svchost.exe

MD5 5e61b14b13e44f1c100991d25e8ea0ef
SHA1 03480d0c5b3e55df62f89a35dd496606ce838ca4
SHA256 8c721f4aa7e11f3f198d051c25a7d43247c28a99c18afade7f687282d3c7e339
SHA512 c1a0b1cafff6a47dc9b478691350e7bc69c7e66cf7fa6bd70038651ad1db004c17e5762613efd067e6979752d1071a1b42596c1544aa26d45f762902a17d91c9

memory/1528-58-0x0000000001ED0000-0x0000000001F0E000-memory.dmp

memory/3056-70-0x0000000001DA0000-0x0000000001DDE000-memory.dmp

memory/3056-69-0x0000000001DA0000-0x0000000001DDE000-memory.dmp

memory/2696-75-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1528-78-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2052-79-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2136-80-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 73d7ce5920acb68cea6f1ecf4f347a00
SHA1 c64a055341b201ce6420bf04254ecf19ba0c0c5e
SHA256 3404665dfc8e8743b83657ec8fa4e749f43c588dc08c670eb0e266ba705cee8e
SHA512 b41656d5417e65a5a3de5208a306a73fc5ca6b828ee60192fc3090a9f7017916adc31e838e6f7c985db0c0e889a3f17e24687b25575fb558e989668e12f95ed0

memory/2732-82-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2732-84-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2732-83-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1460-85-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1460-86-0x0000000000520000-0x000000000055E000-memory.dmp

memory/3056-87-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3056-88-0x0000000001DA0000-0x0000000001DDE000-memory.dmp

memory/3056-89-0x0000000001DA0000-0x0000000001DDE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 12:16

Reported

2024-10-29 12:19

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4180 set thread context of 2896 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 1176 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 1176 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 
PID 1176 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1176 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 1176 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 3984 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 3984 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 3984 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 4840 wrote to memory of 116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4840 wrote to memory of 116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4840 wrote to memory of 116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 116 wrote to memory of 2540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 116 wrote to memory of 2540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 116 wrote to memory of 2540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2540 wrote to memory of 4948 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2540 wrote to memory of 4948 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2540 wrote to memory of 4948 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2540 wrote to memory of 4424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 4424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 4424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4180 wrote to memory of 2896 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4180 wrote to memory of 2896 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4180 wrote to memory of 2896 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4180 wrote to memory of 2896 N/A \??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2540 wrote to memory of 3620 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 3620 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 3620 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 1992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 1992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2540 wrote to memory of 1992 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe

"C:\Users\Admin\AppData\Local\Temp\ZAPYTANIEOFERTOWEST-2024-S315CPA9170385.exe"

\??\c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 

c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 12:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

c:\users\admin\appdata\local\temp\zapytanieofertowest-2024-s315cpa9170385.exe 

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4180 -ip 4180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 784

C:\Windows\SysWOW64\at.exe

at 12:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 mail.tlakovec.si udp
SI 212.44.112.138:587 mail.tlakovec.si tcp
US 8.8.8.8:53 138.112.44.212.in-addr.arpa udp
SI 212.44.112.138:587 mail.tlakovec.si tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1176-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zapytanieofertowest-2024-s315cpa9170385.exe 

MD5 6a6157cd22cd9558f8579c30632e62c1
SHA1 7451d8e77a65ff7e9ddebdf73183cbd684d3fdfd
SHA256 c3e272af01d2b5739d8f91ce17d80e13818a59fe50f5545d09fea9a669520667
SHA512 4e41562a7279af1b4b4a0513b4f75965f04729fc3d6d71a9c74634a24257143bee308c942abb3e5de5b29bdafde86ccfac5f906f1c26b4a0b40c54b0fe47fa3a

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 30957be4d1d5957a9d6433367cef30ef
SHA1 df2d8a795bd221d77b0bc167d05203ab6b6b2fca
SHA256 cedcf4e2ffc34660e6e4bdd8e3cab70b2c805704ceb302f29e3b5a3c4e6eac5c
SHA512 36382e3597704764ae1300ca3c857b50f2fabe7f557c36240206749dfa89fb435f313511d72d5ded60db9b38237f0d983f0af78f3440ac7dfaa7014e3085e161

memory/3984-12-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 405052f211f1f3f5e988c434f9a3216c
SHA1 c0e9f6d033a57458f28b44800e468e9690e50780
SHA256 ab6537cc66782af1162994fe4fdc6bc7be6377a9165dd1509c6609ae13933a90
SHA512 5fad313c28b09900e0b739667334f00eb54be30e7ae01f42194013d3001ec9bbaa5b40a2f36e62368e882e93ca7dbcfcf1a55e51d7a7fe6c3de9e84268bbce7f

C:\Windows\System\spoolsv.exe

MD5 ed54ae559c2108499cf49a1997214dd1
SHA1 ded4a6694251dfad7bbdec904e996ff98a81c881
SHA256 d648889fbe7a298a8806426e810dfa7af642d229be98416b7f9accbbd230c2dc
SHA512 58b00408d757a21670a35ecfc9c827af244c712c273410a03d3564ce720931023e47b15df2890b8b5fb81a8640cafc67b571a2f75b3ce066632503bed2b59bcc

C:\Windows\System\svchost.exe

MD5 7412223a2553d593296eb2244fbf840e
SHA1 2d736e337dd000041e3655bc41e2b6dbaba07e3c
SHA256 7e89dd63b6a955293c1eed92be6efe0400e47e2ead2dc926def110ffa9e171cd
SHA512 15ee841338fa9e740464355e24a8a5df021a0ba52a6b8a99752225a8fd61529cc4bb9eb8c25288719437383e77a2ef93e5488de4fae1fc74369542f5ce737e9a

memory/4948-45-0x0000000000400000-0x000000000043E000-memory.dmp

memory/116-48-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 10acdce6e652baa896c765331f3fbb0b
SHA1 9e560bd6866f3c8d729ce0bc11512e97f9af2c8e
SHA256 86a5793cfa2b61eb258ec1aa2a66b727d5555f25ca0a207908aae9888d62fa73
SHA512 2d63cbdfffec990d6491929165d6b03d0fa2c405ea9e7be783be83373dedfdb11cd7bb9536dd2fc4cdddaae987abc2176c9f9f432b4061f5a174970252c8de23

memory/3984-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1176-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2896-53-0x0000000000720000-0x000000000076A000-memory.dmp

memory/2896-54-0x0000000005260000-0x0000000005804000-memory.dmp

memory/2896-55-0x0000000004D90000-0x0000000004E2C000-memory.dmp

memory/2896-56-0x0000000006220000-0x00000000063E2000-memory.dmp

memory/2896-57-0x00000000060C0000-0x0000000006110000-memory.dmp

memory/2896-58-0x0000000006920000-0x0000000006E4C000-memory.dmp

memory/2896-59-0x0000000006490000-0x0000000006522000-memory.dmp

memory/2896-60-0x0000000006400000-0x000000000640A000-memory.dmp

memory/4840-61-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2540-62-0x0000000000400000-0x000000000043E000-memory.dmp