hawkeye | 7b74117a34e84a659a35437ab43b27c55f129c1717f92b116dc5533c27bdbc5a

Analysis

max time kernel
151s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
12-12-2020 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape V4 Crack.bin.exe
Size

1.7MB
MD5

6a669de1d724cc4874c42ae535ca892d
SHA1

de905655fd632fff874bc907726e9b9a16886ea9
SHA256

5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454
SHA512

23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
motionalt1@gmail.com
Password:
you@regay

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

Defender.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3" Defender.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1388 created 3968 1388 svchost.exe Defender.exe
PID 1388 created 2700 1388 svchost.exe Defender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	Defender.exe

description	pid	process	target process
PID 1388 created 3968	1388	svchost.exe	Defender.exe
PID 1388 created 2700	1388	svchost.exe	Defender.exe

ServiceHost packer 5 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1496-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1496-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1496-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1496-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1496-33-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 6 IoCs

Processes:

Windows Update.exeEBFile_2.exeEBFile_3.exeDefender.exeDefender.exeDefender.exe

pid process

188 Windows Update.exe
1496 EBFile_2.exe
3872 EBFile_3.exe
3968 Defender.exe
2700 Defender.exe
1996 Defender.exe
Deletes itself 1 IoCs

Processes:

Windows Update.exe

pid process

188 Windows Update.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Defender.exeDefender.exeDefender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 whatismyipaddress.com
15 whatismyipaddress.com

flow	ioc
13	whatismyipaddress.com
15	whatismyipaddress.com

Drops file in System32 directory 2 IoCs

Processes:

Defender.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Defender.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Defender.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Windows Update.exe

description	pid	process	target process
PID 188 set thread context of 780	188	Windows Update.exe	vbc.exe
PID 188 set thread context of 3152	188	Windows Update.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

740 1496 WerFault.exe EBFile_2.exe

pid	pid_target	process	target process
740	1496	WerFault.exe	EBFile_2.exe

Modifies registry class 3 IoCs

Processes:

Windows Update.exeEBFile_3.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Windows Update.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	EBFile_3.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	WScript.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3732 NOTEPAD.EXE

pid	process
3732	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1210 IoCs

Processes:

Windows Update.exe

pid	process
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe
188	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Windows Update.exeEBFile_3.exeDefender.exesvchost.exeDefender.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	188	Windows Update.exe
Token: SeDebugPrivilege	3872	EBFile_3.exe
Token: SeDebugPrivilege	3968	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	3968	Defender.exe
Token: SeIncreaseQuotaPrivilege	3968	Defender.exe
Token: 0	3968	Defender.exe
Token: SeTcbPrivilege	1388	svchost.exe
Token: SeTcbPrivilege	1388	svchost.exe
Token: SeDebugPrivilege	2700	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	2700	Defender.exe
Token: SeIncreaseQuotaPrivilege	2700	Defender.exe
Token: SeRestorePrivilege	740	WerFault.exe
Token: SeBackupPrivilege	740	WerFault.exe
Token: SeDebugPrivilege	740	WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Defender.exe

pid process

3968 Defender.exe
3968 Defender.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

188 Windows Update.exe

pid	process
3968	Defender.exe
3968	Defender.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

Vape V4 Crack.bin.exeWindows Update.exeEBFile_2.exesvchost.exeEBFile_3.exeWScript.exeWScript.exe

description	pid	process	target process
PID 636 wrote to memory of 188	636	Vape V4 Crack.bin.exe	Windows Update.exe
PID 636 wrote to memory of 188	636	Vape V4 Crack.bin.exe	Windows Update.exe
PID 636 wrote to memory of 188	636	Vape V4 Crack.bin.exe	Windows Update.exe
PID 188 wrote to memory of 3732	188	Windows Update.exe	NOTEPAD.EXE
PID 188 wrote to memory of 3732	188	Windows Update.exe	NOTEPAD.EXE
PID 188 wrote to memory of 3732	188	Windows Update.exe	NOTEPAD.EXE
PID 188 wrote to memory of 1496	188	Windows Update.exe	EBFile_2.exe
PID 188 wrote to memory of 1496	188	Windows Update.exe	EBFile_2.exe
PID 188 wrote to memory of 1496	188	Windows Update.exe	EBFile_2.exe
PID 188 wrote to memory of 3872	188	Windows Update.exe	EBFile_3.exe
PID 188 wrote to memory of 3872	188	Windows Update.exe	EBFile_3.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 780	188	Windows Update.exe	vbc.exe
PID 1496 wrote to memory of 3968	1496	EBFile_2.exe	Defender.exe
PID 1496 wrote to memory of 3968	1496	EBFile_2.exe	Defender.exe
PID 1496 wrote to memory of 3968	1496	EBFile_2.exe	Defender.exe
PID 1388 wrote to memory of 2700	1388	svchost.exe	Defender.exe
PID 1388 wrote to memory of 2700	1388	svchost.exe	Defender.exe
PID 1388 wrote to memory of 2700	1388	svchost.exe	Defender.exe
PID 1388 wrote to memory of 1996	1388	svchost.exe	Defender.exe
PID 1388 wrote to memory of 1996	1388	svchost.exe	Defender.exe
PID 1388 wrote to memory of 1996	1388	svchost.exe	Defender.exe
PID 3872 wrote to memory of 1236	3872	EBFile_3.exe	WScript.exe
PID 3872 wrote to memory of 1236	3872	EBFile_3.exe	WScript.exe
PID 3872 wrote to memory of 2888	3872	EBFile_3.exe	cmd.exe
PID 3872 wrote to memory of 2888	3872	EBFile_3.exe	cmd.exe
PID 1236 wrote to memory of 496	1236	WScript.exe	WScript.exe
PID 1236 wrote to memory of 496	1236	WScript.exe	WScript.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 188 wrote to memory of 3152	188	Windows Update.exe	vbc.exe
PID 496 wrote to memory of 3860	496	WScript.exe	cmd.exe
PID 496 wrote to memory of 3860	496	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BFile_1.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3732

C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe
"C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
4⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3968

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
5⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /TI 1
6⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 840
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe
"C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\finalres.vbs"
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\finalres2.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\finalres.bat" "
6⤵
PID:3860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"
4⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:3152

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BFile_1.txt
MD5
1a315f228b55458f972213ed7d06a82d

SHA1
abd233b01b6532ff259e574f95f218a11c5b6caa

SHA256
f31a1549c0ded4a9de1cfc44a7fe54b95c233379dae6dc58c56609a2381cc7f5

SHA512
9427ec6918639f3e0f12f2cbcb6a4f2b379cdb5e7042993a53b74077139817f711e5ded15579a3a8e5ae9c47216c618dfee96847b340e58cf8e8475a5ac828cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe
MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe
MD5
1d6a2397610b09dd6b49785182fd13d2

SHA1
4a4ccd35f98544d0dd5bd6a30f9101c7babb36d3

SHA256
e96c14e2853a64717b64d3972e436dcfb39daa539ed1b67c8a58caafdf22c923

SHA512
fe0c86e696e39386e58355ed887238ddb3ae5f1013cbcbae16fe61f968a537a831bae7c3deb4cd0342d898d5fa5b20d662831d83ad7ab22fb0ce9e7834d9cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe
MD5
1d6a2397610b09dd6b49785182fd13d2

SHA1
4a4ccd35f98544d0dd5bd6a30f9101c7babb36d3

SHA256
e96c14e2853a64717b64d3972e436dcfb39daa539ed1b67c8a58caafdf22c923

SHA512
fe0c86e696e39386e58355ed887238ddb3ae5f1013cbcbae16fe61f968a537a831bae7c3deb4cd0342d898d5fa5b20d662831d83ad7ab22fb0ce9e7834d9cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe
MD5
fde2f12ea09556a7d28e4d10a80c0e88

SHA1
9c44959deda54054be62d00fc1bd8254efcf4f69

SHA256
53509887881cb405ddb046fb70dcaa55c7e8f02b23799384dbfb7b97cc898968

SHA512
c7832129ec62fd788394a5622b95b4536e1e3cac3938572a85c9b5deb17da13ac86166f322aab83a4baed97a990e2323e84dca3f518931897970da039e343cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe
MD5
fde2f12ea09556a7d28e4d10a80c0e88

SHA1
9c44959deda54054be62d00fc1bd8254efcf4f69

SHA256
53509887881cb405ddb046fb70dcaa55c7e8f02b23799384dbfb7b97cc898968

SHA512
c7832129ec62fd788394a5622b95b4536e1e3cac3938572a85c9b5deb17da13ac86166f322aab83a4baed97a990e2323e84dca3f518931897970da039e343cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
MD5
6d36037988c328ba2fe31d405e118572

SHA1
db5d7a91456262daa9c9807602730fc92f490f8b

SHA256
af1deef9bf3f5a67a2e594ffe2092d52520806c63df035d664de4dda83f697e5

SHA512
8fe19e4aee0e351230a21b5a8152f48e6f163af64fcd9918bca28178db38f12e5b953294941756d87871b25390e6d999e78e01c529ed87653e0044d181464fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\finalres.bat
MD5
2574c5b67cffffae5c7a056455d1d3ae

SHA1
2386d127b47e27b236eb0cb6d90ffa67376891d2

SHA256
b25df4870b5e471b57431771df6dbb10c68b0eb8f9d5fef9c72e4cf3844dc9fc

SHA512
be6930b803980d1ed71cb2c9907884d172a93ad3f34cffda2ceadf3afad9fe3e354d95bebc250bf2db1179fd9cbaa57da71925e45f2f2430d3ae72f587a9d610

Download Submit
C:\Users\Admin\AppData\Local\Temp\finalres.vbs
MD5
cbca85af83070314b060c23175f9f4df

SHA1
a881531b0a737c4cd2a910478836ad0d78a5d4c0

SHA256
97de4041a56e13945df8a7db417de01f4ea5f1ece5623fb557b5d8e36e4f2f91

SHA512
ea74acef42ca1558a0734b7adf5ee9192e244f0d9b30985ae7ad3dfb0d303205d51f863e10b0f4ad00165c0aa70edf48a4a9f002c8752e75c7e059b567b5c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\finalres2.vbs
MD5
50f631e85016c256f4f103d8a8f711b1

SHA1
2e39050ce0bc06e9426f3ac440fec9067777eba2

SHA256
8610901e51055bcbbef41f30194f46a13ecfaf1876a2019de0c9078d67d63bb4

SHA512
b5e643cbdaac4a07d31ea71c001e514ccf165a03e207f773a87c633f4d8728049eccb775d7f594ad6225dda2b73538e323861438957ab5453ca1140529a3f80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
6a669de1d724cc4874c42ae535ca892d

SHA1
de905655fd632fff874bc907726e9b9a16886ea9

SHA256
5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454

SHA512
23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
6a669de1d724cc4874c42ae535ca892d

SHA1
de905655fd632fff874bc907726e9b9a16886ea9

SHA256
5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454

SHA512
23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708

Download Submit
memory/188-2-0x0000000000000000-mapping.dmp

Download
memory/496-47-0x0000000000000000-mapping.dmp

Download
memory/740-30-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/780-21-0x0000000000411654-mapping.dmp

Download
memory/780-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/780-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1236-37-0x0000000000000000-mapping.dmp

Download
memory/1496-35-0x0000000000000000-mapping.dmp

Download
memory/1496-18-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1496-14-0x0000000070B70000-0x000000007125E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-31-0x0000000000000000-mapping.dmp

Download
memory/1496-32-0x0000000000000000-mapping.dmp

Download
memory/1496-34-0x0000000000000000-mapping.dmp

Download
memory/1496-7-0x0000000000000000-mapping.dmp

Download
memory/1496-33-0x0000000000000000-mapping.dmp

Download
memory/1996-28-0x0000000000000000-mapping.dmp

Download
memory/2700-26-0x0000000000000000-mapping.dmp

Download
memory/2888-41-0x0000000000000000-mapping.dmp

Download
memory/3152-50-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3152-51-0x0000000000442628-mapping.dmp

Download
memory/3152-52-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3732-6-0x0000000000000000-mapping.dmp

Download
memory/3860-54-0x0000000000000000-mapping.dmp

Download
memory/3872-15-0x0000025AC60D0000-0x0000025AC60D1000-memory.dmp

Filesize
4KB

Download
memory/3872-13-0x00007FF9E7010000-0x00007FF9E79FC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-10-0x0000000000000000-mapping.dmp

Download
memory/3968-22-0x0000000000000000-mapping.dmp

Download