Malware Analysis Report

2025-06-16 02:24

Sample ID 220310-bkgmsaccg5
Target 71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31
SHA256 71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31
Tags hawkeye collection keylogger spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31

Threat Level: Known bad

The file 71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31 was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger spyware stealer trojan

Nirsoft

HawkEye

NirSoft WebBrowserPassView

NirSoft MailPassView

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Deletes itself

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-10 01:12

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-10 01:12

Reported

2022-03-10 01:14

Platform

win7-20220223-en

Max time kernel

4294212s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 564 set thread context of 840 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 564 set thread context of 724 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab8535dea0c55241b6e6a02dc814678c0000000002000000000010660000000100002000000043294b8e90bf0ed1aabe7fa1f64219a92f9ae7481e20bc6b48e52e1b213abcf2000000000e80000000020000200000003b78987f4d92ce5a8073426fe19201b970d309f07b3c14d9ee23048f0b5c8c33200000002b56409ad06e1ec579b5c96b53cffd860bd260b1e9ed47dbc958249bd6985620400000001674fe31c43e4440c58781f8f8f60a397c9b0b59eb5dfadb39d220690658a63ed1ba0a9da631511688fb78ecb6e85978ba465733afa4b73f28a0da2deb808afa C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DBF1391-A00F-11EC-B621-626D424A30D2} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ab00f61b34d801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353639707" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 564 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1620 wrote to memory of 896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 564 wrote to memory of 840 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 564 wrote to memory of 724 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe

"C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.helmet-heroes.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 www.helmet-heroes.com udp
US 23.91.70.144:80 www.helmet-heroes.com tcp
NL 142.250.179.206:80 www.google-analytics.com tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 freesecure.timeanddate.com udp
NL 31.13.64.21:80 connect.facebook.net tcp
US 151.101.1.176:443 freesecure.timeanddate.com tcp
NL 31.13.64.21:443 connect.facebook.net tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 142.250.102.155:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 www.facebook.com udp
NL 31.13.64.35:443 www.facebook.com tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 31.13.64.21:443 static.xx.fbcdn.net tcp
NL 31.13.64.35:443 facebook.com tcp
US 8.8.8.8:53 smtp.live.com udp
US 204.79.197.212:587 smtp.live.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1776-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

memory/1776-55-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/1776-56-0x0000000000780000-0x0000000000781000-memory.dmp

memory/1776-57-0x00000000747E0000-0x0000000074D8B000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 ad6d2ef1e0cc7def5c5c7effa3bf948a
SHA1 217d95930dc50619b2f734a7757cbc37fe575fcf
SHA256 71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31
SHA512 4878db553bfa0430e80c9890807f99ff7400f9af3c54a51af13a3332fe758c1ec446608dfe6710b76253357b8cee78853823e1e70495ed1256813f43908ab452

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 ad6d2ef1e0cc7def5c5c7effa3bf948a
SHA1 217d95930dc50619b2f734a7757cbc37fe575fcf
SHA256 71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31
SHA512 4878db553bfa0430e80c9890807f99ff7400f9af3c54a51af13a3332fe758c1ec446608dfe6710b76253357b8cee78853823e1e70495ed1256813f43908ab452

memory/564-63-0x0000000002150000-0x0000000002151000-memory.dmp

memory/564-62-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/564-64-0x00000000747E0000-0x0000000074D8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 2e1de131b31b7f4a170b06ffa35df8f9
SHA1 80ff747f6b4427967ec9c4fbc4edd2470667cca5
SHA256 20dd9e23aeb7da2b99b1e8b9dcb19e5ee28283941eb97c14a70799432134e856
SHA512 9ddbd96eb550ee1d18c235bc95bb948868c9ffeb46437c68c4ed7b732565d032ca7359a9a08ec0101ad7d384172afd593ce9de10490717df94fae72c19369c7c

memory/840-66-0x0000000000400000-0x000000000041B000-memory.dmp

memory/840-69-0x0000000000400000-0x000000000041B000-memory.dmp

memory/564-70-0x0000000002155000-0x0000000002166000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rx62z5k\imagestore.dat

MD5 36926afee24d36910126ddf535eadb9d
SHA1 653f1d7fa072b2ff9ff6e15817bb6735d1939c4b
SHA256 bf03eb044eb306fd4e06a8e42ca07e296f6b3254524075bc16068b2741f4c698
SHA512 ac4de09f39435e4f6e14b09d59d27109b30a4c2e9069dd2907051d4fad8b705e99a2b91ff055a1d64b44680a420a37ed9982f799a8c3835e8c927f9d9dca9c60

memory/724-72-0x0000000000400000-0x0000000000458000-memory.dmp

memory/564-74-0x0000000002166000-0x0000000002167000-memory.dmp

memory/724-76-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fce7c24134ad881e3f5c61918bf311e6
SHA1 e6bff0c03cecc9a0ccf968172771bd94d6ab75b8
SHA256 62237fedd61a3b1dd9039965176fe36a52db7f5f0ad3d32fabbf1dd9cdc80214
SHA512 c75f882f8ae58371688a2c823f2d7c5b0582923276dff8f4b68f103e7ab8d29ebd8f46b11a2d709f25bceb67bddb90b3e19906af1dc91a1f2a5d2d7afb7cb2c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 637481df32351129e60560d5a5c100b5
SHA1 a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae
SHA256 1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
SHA512 604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T9E02VV0.txt

MD5 05d8debb9e41a2107dfb5f7b552c629f
SHA1 8fb52efd0817cea3b9adab19a9408228b70d5411
SHA256 3ff2931e4051fa37bb6ff7c2b02ccf931ecd682667bfffca1d73d85684695b0d
SHA512 2923c1db2a9f649dec0321c4a401d105f0f36c267b1b738144db119fa0f6ae1ce799764bcf6d3ec5fea632f08113f76fb7ba60ed16d721b26edc2edfe7f9223d

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-10 01:12

Reported

2022-03-10 01:14

Platform

win10v2004-en-20220113

Max time kernel

134s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe

"C:\Users\Admin\AppData\Local\Temp\71de05a6489374d3454f66de31e2f720f4e199d57caec38ea01a01bde3591a31.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Files

N/A