Analysis

Max time kernel: 142s
Max time network: 197s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 23-11-2022 18:03

Static task: static1
Behavioral task: behavioral1
  Sample: 011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
  Resource: win10v2004-20220812-en
General

Target: 011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
Size: 819KB
MD5: d01d00c8e3827ed23b6bfa86fa20ec64
SHA1: 58206786f3cb06b38aa5131f1fd617df5846534e
SHA256: 011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d
SHA512: 1ba669e22373031ab06320cbaeb7f684abc7873bb17c397d68140f60f97238453a41ef41a8f970d910139532148b650a1f014c3340456a4c84a26a8548da01dd
SSDEEP: 12288:sscf6Itg+WOMD4rEr1yq9sZfHZrijZUyOD2zzmQceG:WCIJnra1yHtZWlUyODo9cF
Malware Config
Signatures
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes (resource / yara_rule):
  behavioral1/memory/840-117-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/840-118-0x0000000000411654-mapping.dmp  MailPassView
  behavioral1/memory/840-121-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/840-122-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  behavioral1/memory/840-124-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
-
Nirsoft 10 IoCs
Processes (resource / yara_rule):
  behavioral1/memory/1104-100-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/1104-101-0x000000000040E758-mapping.dmp  Nirsoft
  behavioral1/memory/1104-104-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/1104-105-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/1104-107-0x0000000000400000-0x0000000000418000-memory.dmp  Nirsoft
  behavioral1/memory/840-117-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/840-118-0x0000000000411654-mapping.dmp  Nirsoft
  behavioral1/memory/840-121-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/840-122-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  behavioral1/memory/840-124-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
-
Drops startup file 2 IoCs
Processes (description / ioc / process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe  cmd.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe  cmd.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description / ioc / process):
  Key opened: \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  17  bot.whatismyipaddress.com
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description / pid / process -> target process):
  PID 1368 set thread context of 1068  011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe -> 011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
  PID 268 set thread context of 736  takshost.exe -> takshost.exe
  PID 736 set thread context of 1104  takshost.exe -> vbc.exe
  PID 736 set thread context of 840  takshost.exe -> vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
  736  takshost.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes (pid / process):
  1368  011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  1368  011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
  Token: SeDebugPrivilege  268  takshost.exe
  Token: SeDebugPrivilege  736  takshost.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / process):
  536  iexplore.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes (pid / process):
  536  iexplore.exe
  536  iexplore.exe
  1496  IEXPLORE.EXE
  1496  IEXPLORE.EXE
  736  takshost.exe
  736  takshost.exe
  1496  IEXPLORE.EXE
  1496  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes (description / pid / process -> target process; identical rows collapsed, with the number of times each occurs):
  PID 1368 wrote to memory of 1068  011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe -> 011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe  (9 times)
  PID 1368 wrote to memory of 268   011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe -> takshost.exe  (4 times)
  PID 1068 wrote to memory of 536   011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe -> iexplore.exe  (4 times)
  PID 536 wrote to memory of 1496   iexplore.exe -> IEXPLORE.EXE  (4 times)
  PID 268 wrote to memory of 736    takshost.exe -> takshost.exe  (9 times)
  PID 736 wrote to memory of 1208   takshost.exe -> cmd.exe  (4 times)
  PID 736 wrote to memory of 692    takshost.exe -> dw20.exe  (4 times)
  PID 736 wrote to memory of 1104   takshost.exe -> vbc.exe  (10 times)
  PID 736 wrote to memory of 840    takshost.exe -> vbc.exe  (10 times)
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe"
  PID: 1368
  - Suspicious use of SetThreadContext
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe"
    PID: 1068
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=011a83621fc115c02a133e887dfd4873520cbda105384a6eac1dd9008cc3421d.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      PID: 536
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
        PID: 1496
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    PID: 268
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
      PID: 736
      - Suspicious use of SetThreadContext
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe"
        PID: 1208
        - Drops startup file

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 1588
        PID: 692

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
        PID: 1104

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
        PID: 840
        - Accesses Microsoft Outlook accounts
Downloads

C:\Users\Admin\AppData\Local\Temp\logff.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F9B1UUVI.txt
  Filesize: 601B
  MD5: 9c089eed82b3ac7d6034e5b3f82f2383
  SHA1: 540aab7fdaedaad33fab5ab9347726705f294660
  SHA256: 77595f570848dd81818fa5f0658c7bfdb112448cce63771b38d4517c1071906d
  SHA512: 6f97040aef21f86106bbed6cf9d3b41e531228e127ebf5bebb6b30522951257b66c5201507598783dfedd225d39e5d15f5c105958761e01280fa04921f1d4948