Malware analysis takeover.exe Malicious activity | ANY.RUN

Add for printing

File name:	takeover.exe
Full analysis:	https://app.any.run/tasks/d792f6c2-a5a7-4d4c-a65d-3078433e14b2
Verdict:	Malicious activity
Analysis date:	September 13, 2024, 16:52:03
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	7E4881D42D244ED581E7BF87346CE699
SHA1:	FACB1FF39A735D7F8EEBDEC5FB1867C1C1BB0EE4
SHA256:	BDE8EC4D9E311D9A8E473C1827C51ED2844532C2A8EEAB4AD274CF01E30722FE
SSDEEP:	3072:FPML5Ch5uLb3pW6SQ329JmyxCPPMivT1bMH6IR:wWreEbihbM6m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts NET.EXE to view/change users localgroup
  - cmd.exe (PID: 5720)
  - net.exe (PID: 5468)
  - net.exe (PID: 6924)
  - net.exe (PID: 1812)
- Starts NET.EXE to view/add/change user profiles
  - net.exe (PID: 5940)
  - cmd.exe (PID: 5720)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - takeover.exe (PID: 4976)
  - cmd.exe (PID: 5720)
- The system shut down or reboot
  - cmd.exe (PID: 5720)
- Application launched itself
  - cmd.exe (PID: 5720)
- Executing commands from a ".bat" file
  - takeover.exe (PID: 4976)
- Reads security settings of Internet Explorer
  - GameBar.exe (PID: 6240)
  - StartMenuExperienceHost.exe (PID: 5688)
- Reads the date of Windows installation
  - StartMenuExperienceHost.exe (PID: 5688)
  - SearchApp.exe (PID: 1644)
  - SystemSettings.exe (PID: 3852)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 5720)
- Starts application with an unusual extension
  - cmd.exe (PID: 5720)
- Starts SC.EXE for service management
  - cmd.exe (PID: 5720)
INFO
- Checks supported languages
  - takeover.exe (PID: 4976)
  - StartMenuExperienceHost.exe (PID: 5688)
  - GameBar.exe (PID: 6240)
  - SearchApp.exe (PID: 1644)
  - SystemSettings.exe (PID: 3852)
  - chcp.com (PID: 5124)
- Reads security settings of Internet Explorer
  - dllhost.exe (PID: 4952)
  - dllhost.exe (PID: 6956)
  - ApplicationFrameHost.exe (PID: 2136)
- Checks proxy server information
  - SearchApp.exe (PID: 1644)
- Reads the computer name
  - GameBar.exe (PID: 6240)
  - SearchApp.exe (PID: 1644)
  - StartMenuExperienceHost.exe (PID: 5688)
  - SystemSettings.exe (PID: 3852)
- Process checks computer location settings
  - StartMenuExperienceHost.exe (PID: 5688)
  - SearchApp.exe (PID: 1644)
- Sends debugging messages
  - StartMenuExperienceHost.exe (PID: 5688)
- Reads the software policy settings
  - SearchApp.exe (PID: 1644)
- Reads the machine GUID from the registry
  - SearchApp.exe (PID: 1644)
- Creates files or folders in the user directory
  - dllhost.exe (PID: 4952)
  - dllhost.exe (PID: 6956)
- Reads Environment values
  - SearchApp.exe (PID: 1644)
- The process uses the downloaded file
  - SystemSettings.exe (PID: 3852)
- Changes the display of characters in the console
  - cmd.exe (PID: 5720)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:02:01 20:18:05+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	2.5
CodeSize:	70144
InitializedDataSize:	21504
UninitializedDataSize:	-
EntryPoint:	0x1000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows command line

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

191

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

SC CONFIG RmSvc START= DISABLED

C:\Windows\System32\sc.exe

—

cmd.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

252

NET FILE

C:\Windows\System32\net.exe

—

cmd.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wkscli.dll

752

C:\WINDOWS\system32\net1 localgroup Users Administrator /add

C:\Windows\System32\net1.exe

—

net.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dsrole.dll

1644

"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Search application

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1812

net localgroup Users Administrator /add

C:\Windows\System32\net.exe

—

cmd.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wkscli.dll

2128

shutdown -L

C:\Windows\System32\shutdown.exe

—

cmd.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Shutdown and Annotation Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shutdownext.dll

2136

C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\ApplicationFrameHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Application Frame Host

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\applicationframehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\win32u.dll

2456

"C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\takeover.exe

C:\Windows\System32\runas.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Run As Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3044

C:\WINDOWS\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

3308

C:\WINDOWS\system32\net1 user 66541 foxxopower63 /add

C:\Windows\System32\net1.exe

—

net.exe

User:

Administrator

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dsrole.dll

Add for printing

Total events

18 739

Read events

18 595

Write events

136

Delete events

Modification events


(PID) Process:	(5544) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Operation:	write	Name:	Disable Restore
Value: 1
(PID) Process:	(5244) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	legalnoticecaption
Value: Owned
(PID) Process:	(3852) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	legalnoticetext
Value: A little reminder of your submission to the system <3
(PID) Process:	(5688) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{c6b18aa3-c425-7487-744d-b6c657dcd7e8}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 01000000E929E351FD05DB01
(PID) Process:	(6240) GameBar.exe	Key:	\REGISTRY\A\{a42095c9-b64d-57c1-3d7b-f7ed297b6a55}\LocalState
Operation:	write	Name:	InstalledVersionMajor
Value: 0200958EE551FD05DB01
(PID) Process:	(6240) GameBar.exe	Key:	\REGISTRY\A\{a42095c9-b64d-57c1-3d7b-f7ed297b6a55}\LocalState
Operation:	write	Name:	InstalledVersionMinor
Value: 22009FF2E751FD05DB01
(PID) Process:	(6240) GameBar.exe	Key:	\REGISTRY\A\{a42095c9-b64d-57c1-3d7b-f7ed297b6a55}\LocalState
Operation:	write	Name:	InstalledVersionBuild
Value: 616D9FF2E751FD05DB01
(PID) Process:	(6240) GameBar.exe	Key:	\REGISTRY\A\{a42095c9-b64d-57c1-3d7b-f7ed297b6a55}\LocalState
Operation:	write	Name:	InstalledVersionRevision
Value: 00009FF2E751FD05DB01
(PID) Process:	(6240) GameBar.exe	Key:	\REGISTRY\A\{a42095c9-b64d-57c1-3d7b-f7ed297b6a55}\LocalState
Operation:	write	Name:	PreviousAppTerminationFromSuspended
Value: 009FF2E751FD05DB01
(PID) Process:	(6240) GameBar.exe	Key:	\REGISTRY\A\{a42095c9-b64d-57c1-3d7b-f7ed297b6a55}\LocalState
Operation:	write	Name:	CurrentDisplayMonitor
Value: 670061006D006500000087BAEC51FD05DB01

Add for printing

Executable files

Suspicious files

112

Text files

171

Unknown types

Dropped files

PID	Process	Filename		Type
4952	dllhost.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat		—
		MD5:—	SHA256:—
4976	takeover.exe	C:\Users\Administrator\AppData\Local\Temp\B723.tmp\B724.tmp\B725.bat		text
		MD5:B8BA18D9CF6B2FB5D3E575A678D9E812	SHA256:02620E50C19AE3AFD44E462134F8E397704B034911343FB955B7310F01E20D77
4952	dllhost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\appcache[1].man		text
		MD5:2C89B03BB6F597D6197D1D7A1F5CDE85	SHA256:C7651738BBDDEB592AE4CB45DFE8461BD8ECEDC27707BD3A32981A046E26A171
1644	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\eNojzGTgc6FFJi_kGAzzghOMEG4[1].css		text
		MD5:19F26B72543539AF1AC95C2418584250	SHA256:75958169CC923C3E5CFDA7D2783C4E7737D1477AE457E18A3F987485C02F664A
1644	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\-lxTjronWiCCazqIxFTp4HrDoXc.gz[1].js		binary
		MD5:8465A334065673EB6A6487C8D87539DB	SHA256:84ED6C495B322B0F2213CC33EC6C652D84D82E010C928B1141DB2290D4365F3D
1644	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\4bnLx4S3ZRMpYV30k3R5vRy8JVg[1].js		s
		MD5:97540BC45CFB7C7C4D859A7E1CE839BA	SHA256:4AE944B4A382D05A8A5B657105ADD88DD8B8F59D6309567E179CA64DF19F6075
1644	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\65\CYGXBN1kkA_ojDY5vKbCoG4Zy0E[1].css		text
		MD5:DF25912CCFEE50A9E57BC97B4D05B5C0	SHA256:3CA3D1262A62E919C72A641F7491B38769CFB8149704E69CB6C960836DD9C6F8
4952	dllhost.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.log		binary
		MD5:CA197F08E09B5D79D922C9010AB40B9F	SHA256:48805B11D3F8A9C376C0C26AE18F38CA29FD88810F8A7643870AD51F37D6F89F
4952	dllhost.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm		dbf
		MD5:D5EC0E16E7D7E892B953082E40AC4A54	SHA256:5BBBC348E9EDCF9F62282704E5446AC3FD28370FA51ABB7F3D86D8D91D6C0C75
1644	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\Q84V0JUH\-UAIppANYxiGpRWJy2NDph4qOEw.gz[1].js		s
		MD5:9E527B91C2D8B31B0017B76049B5E4E3	SHA256:38EDF0F961C1CCB287880B88F12F370775FC65B2E28227EEE215E849CDBE9BBC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1752	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5796	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1644	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3896	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3896	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5796	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6164	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5796	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5796	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3260	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1752	svchost.exe	40.126.32.136:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1752	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
google.com	142.250.184.238	whitelisted
www.microsoft.com	88.221.169.152 184.30.21.171	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	40.126.32.136 40.126.32.133 40.126.32.134 20.190.160.22 40.126.32.74 40.126.32.76 20.190.160.14 40.126.32.72	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
r.bing.com	2.23.209.160 2.23.209.154 2.23.209.141 2.23.209.150 2.23.209.158 2.23.209.149 2.23.209.156 2.23.209.142 2.23.209.143	whitelisted
www.bing.com	2.23.209.133 2.23.209.186 2.23.209.185 2.23.209.189 2.23.209.187 2.23.209.131 2.23.209.193 2.23.209.130 2.23.209.135	whitelisted
slscr.update.microsoft.com	13.85.23.86	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

takeover.exe

7E4881D42D244ED581E7BF87346CE699

FACB1FF39A735D7F8EEBDEC5FB1867C1C1BB0EE4

BDE8EC4D9E311D9A8E473C1827C51ED2844532C2A8EEAB4AD274CF01E30722FE

3072:FPML5Ch5uLb3pW6SQ329JmyxCPPMivT1bMH6IR:wWreEbihbM6m

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE to view/change users localgroup

Starts NET.EXE to view/add/change user profiles

SUSPICIOUS

Starts CMD.EXE for commands execution

The system shut down or reboot

Application launched itself

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

Reads the date of Windows installation

Uses REG/REGEDIT.EXE to modify registry

Starts application with an unusual extension

Starts SC.EXE for service management

INFO

Checks supported languages

Reads security settings of Internet Explorer

Checks proxy server information

Reads the computer name

Process checks computer location settings

Sends debugging messages

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads Environment values

The process uses the downloaded file

Changes the display of characters in the console

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings