Analysis
max time kernel: 150s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-04-2024 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
  Resource: win11-20240412-en
General
Target: dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Size: 998KB
MD5: 88d19703623192e4ddf73cec4aa24a89
SHA1: c23025a02259e6da9a7db46ce7a12274a3cd4b18
SHA256: dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7
SHA512: 83e366948e5a8e80fc31e98771029add13293387fa876a2ba8a420032db9b23c043e2ee228eaafce8c7224d1d3b5081a1c9de26b003b7877657d44741abc03e6
SSDEEP: 24576:M1eKhP8/X0LknDY1zhdpACe+0RJ7Vz5xDIaTyEYKlZUOXJ:MXhP9LkD4T0htmJWt
Malware Config
Signatures

NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral3/memory/964-34-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral3/memory/964-37-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral3/memory/964-36-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral3/memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral3/memory/4972-43-0x0000000000400000-0x0000000000459000-memory.dmp | WebBrowserPassView
behavioral3/memory/4972-45-0x0000000000400000-0x0000000000459000-memory.dmp | WebBrowserPassView
behavioral3/memory/4972-46-0x0000000000400000-0x0000000000459000-memory.dmp | WebBrowserPassView
behavioral3/memory/4972-52-0x0000000000400000-0x0000000000459000-memory.dmp | WebBrowserPassView
behavioral3/memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp | WebBrowserPassView
Nirsoft 15 IoCs
Processes:
resource | yara_rule
behavioral3/memory/964-34-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral3/memory/964-37-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral3/memory/964-36-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral3/memory/4972-43-0x0000000000400000-0x0000000000459000-memory.dmp | Nirsoft
behavioral3/memory/4972-45-0x0000000000400000-0x0000000000459000-memory.dmp | Nirsoft
behavioral3/memory/4972-46-0x0000000000400000-0x0000000000459000-memory.dmp | Nirsoft
behavioral3/memory/4972-52-0x0000000000400000-0x0000000000459000-memory.dmp | Nirsoft
behavioral3/memory/1420-59-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral3/memory/1420-61-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral3/memory/1420-62-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral3/memory/1420-65-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral3/memory/3544-70-0x0000000000400000-0x00000000004F0000-memory.dmp | Nirsoft
behavioral3/memory/2944-90-0x0000000000400000-0x000000000044F000-memory.dmp | Nirsoft
behavioral3/memory/2944-92-0x0000000000400000-0x000000000044F000-memory.dmp | Nirsoft
behavioral3/memory/2944-97-0x0000000000400000-0x000000000044F000-memory.dmp | Nirsoft
Executes dropped EXE 8 IoCs
Processes:
pid | Process
2600 | LookupSvi.exe
1652 | secdrv.exe
3544 | secdrv.exe
5068 | LookupSvi.exe
4756 | LookupSvi.exe
1616 | secdrv.exe
4288 | secdrv.exe
2348 | LookupSvi.exe
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" | LookupSvi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" | LookupSvi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" | LookupSvi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Macrovision Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" | LookupSvi.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | whatismyipaddress.com
4 | whatismyipaddress.com
Suspicious use of SetThreadContext 8 IoCs
Processes:
description | pid | Process | procid_target
PID 1476 set thread context of 756 | 1476 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe | 80
PID 756 set thread context of 964 | 756 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe | 84
PID 756 set thread context of 4972 | 756 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe | 85
PID 756 set thread context of 1420 | 756 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe | 87
PID 1652 set thread context of 3544 | 1652 | secdrv.exe | 88
PID 756 set thread context of 2944 | 756 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe | 90
PID 1032 set thread context of 1448 | 1032 | takshost.exe | 91
PID 1616 set thread context of 4288 | 1616 | secdrv.exe | 94
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | Process
1476 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 1476 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Token: SeDebugPrivilege | 756 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Token: SeDebugPrivilege | 2600 | LookupSvi.exe
Token: SeDebugPrivilege | 1652 | secdrv.exe
Token: SeDebugPrivilege | 5068 | LookupSvi.exe
Token: SeDebugPrivilege | 1032 | takshost.exe
Token: SeDebugPrivilege | 4756 | LookupSvi.exe
Token: SeDebugPrivilege | 1616 | secdrv.exe
Token: SeDebugPrivilege | 2348 | LookupSvi.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | Process
756 | dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe (PID 1476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe (PID 756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dcae346b4fd3da14ef50ccfb5b5e06fd73fb17918c2ac00b324d89ed7b104fd7.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 964)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      Signatures: Accesses Microsoft Outlook accounts
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4972)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1420)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2944)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (PID 2600)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (PID 1652)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (PID 3544)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        Signatures: Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (PID 5068)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (PID 1032)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe (PID 1448)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (PID 4756)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (PID 1616)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
        - [5] C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (PID 4288)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
          Signatures: Executes dropped EXE
        - [5] C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (PID 2348)
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads