Malware Analysis Report

2025-06-16 02:24

Sample ID 220310-cyn5fschf5
Target 6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e
SHA256 6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e
Tags
hawkeye collection keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e

Threat Level: Known bad

The file 6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger persistence spyware stealer trojan

HawkEye

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-10 02:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-10 02:29

Reported

2022-03-10 02:31

Platform

win10v2004-en-20220113

Max time kernel

133s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe"

Signatures

NirSoft MailPassView

Description Indicator Process Target
(2 hits, all fields N/A)

NirSoft WebBrowserPassView

Description Indicator Process Target
(2 hits, all fields N/A)

Nirsoft

Description Indicator Process Target
(2 hits, all fields N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe

"C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe"

C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe

"C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe"

C:\Windows\SysWOW64\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Windows\system32\FonDUE.EXE

"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Network

Country Destination Domain Proto
DE 67.24.27.254:80 tcp
DE 67.24.27.254:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe

MD5 1dc3326c6046aacbc99da5b15e7c6e86
SHA1 8ca39947b7683b76ddb8e93e505d5e8368090793
SHA256 bdcc4422c16e50c9bf94d509481e7ba389a0eb648cfc83004d019f056f15118b
SHA512 d060f1a10e3207c18ca950bdfaa61759f0b5b1d56c2f46da00389674c70734844662490e2d5a6e446a6b03acf637f4f4efd75da6563352717faf3f3d6a2b9aac

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-10 02:29

Reported

2022-03-10 02:31

Platform

win7-en-20211208

Max time kernel

139s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
(12 hits, all fields N/A)

NirSoft WebBrowserPassView

Description Indicator Process Target
(12 hits, all fields N/A)

Nirsoft

Description Indicator Process Target
(14 hits, all fields N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A (3 lookups)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1956 set thread context of 2020 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1956 set thread context of 1624 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1904 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe 4
PID 1248 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe 7
PID 1956 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 10
PID 1956 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 10
PID 1956 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe

"C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe

"C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 448
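The win7 run above shows the full HawkEye chain: the dropper writes a copy of itself to %APPDATA% as "Windows Update.exe" and registers it under the Run key; that copy starts two instances of vbc.exe (the Visual Basic .NET compiler, which the signature above calls the "VBS compiler"), replaces their images via SetThreadContext and WriteProcessMemory, and passes NirSoft's /stext switch so the injected MailPassView and WebBrowserPassView tools dump credentials to holdermail.txt and holderwb.txt; one of the hollowed processes then opens Outlook's OMI Account Manager store. The win10v2004 run stops after launching fondue.exe to enable NetFx3, consistent with the payload needing the .NET Framework 2.0 runtime (vbc.exe lives under v2.0.50727) that the Windows 10 image does not have enabled, so the full stealer behaviour is only visible in the Windows 7 run. Two details worth carrying into a hunt: the Run value points at WindowsUpdate.exe (no space) while the dropped file is "Windows Update.exe", so search for both spellings; and dw20.exe is the .NET error-reporting shim, which the runtime launches on an unhandled exception, so the persisted copy faulted at least once during the run. The rules below are an added example, not part of the sandbox report: they encode these behaviours over a constructed, Sysmon-like event list mirroring the win7 run. The field names, the benign control events and the extra NirSoft save switches are assumptions.

```python
"""Host-telemetry rules for the HawkEye chain in this report (added example).
Events are constructed to mirror the win7 run, not sandbox output; the
Sysmon-like field names and the benign control events are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

NIRSOFT_SAVE_SWITCHES = ("/stext", "/shtml", "/sxml", "/scomma", "/stab")  # NirSoft save-to-file options
DOTNET_HOST = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\\w+\.exe$", re.I)
USER_DROP = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\[^\\]+\.exe$", re.I)  # exe directly in a drop dir
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
OUTLOOK_ACCOUNTS = re.compile(r"\\Outlook\\OMI Account Manager\\Accounts$", re.I)
INJECTION_OPS = {"SetThreadContext", "WriteProcessMemory"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def exe_from_command(value: str) -> str:
    """Executable path from a command line or Run-key value, quotes and arguments stripped."""
    m = re.match(r'\s*"?([^"]+?\.exe)', value, re.I)
    return m.group(1) if m else value.strip()


def run_rules(events: List[Dict]) -> List[Finding]:
    """One pass over time-ordered events (a PID's process_create precedes its other events)."""
    image_of: Dict[int, str] = {}
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image_of[ev["pid"]] = ev["image"]
            # Rule 1: a .NET Framework binary started with a NirSoft save switch. The real
            # compiler has no such option, so its image was replaced in memory.
            if DOTNET_HOST.search(ev["image"]) and any(
                    s in ev["cmdline"].lower() for s in NIRSOFT_SAVE_SWITCHES):
                findings.append(Finding("nirsoft_in_dotnet_host", ev["pid"], ev["cmdline"]))
        elif kind == "process_access":
            # Rule 2: a binary in a drop directory rewriting a .NET Framework binary's
            # memory or thread context (process hollowing).
            if (ev["operation"] in INJECTION_OPS and USER_DROP.search(ev["source_image"])
                    and DOTNET_HOST.search(ev["target_image"])):
                findings.append(Finding("drop_dir_injects_dotnet_host", ev["source_pid"],
                                        f"{ev['operation']} -> pid {ev['target_pid']}"))
        elif kind == "registry_set":
            # Rule 3: Run-key persistence whose target sits straight in a drop directory.
            path = exe_from_command(ev["data"])
            if RUN_KEY.search(ev["key"]) and USER_DROP.search(path):
                findings.append(Finding("run_key_to_drop_dir", ev["pid"], f"{ev['name']} = {path}"))
        elif kind == "registry_open":
            # Rule 4: Outlook's account store opened by anything other than Outlook.
            image = image_of.get(ev["pid"], "")
            if OUTLOOK_ACCOUNTS.search(ev["key"]) and not image.lower().endswith("\\outlook.exe"):
                findings.append(Finding("mail_store_read_by_non_outlook", ev["pid"], image))
    return findings


def rules_fired(events: List[Dict]) -> Set[str]:
    return {f.rule for f in run_rules(events)}


# Constructed events: sample -> dropper -> persisted copy -> two hollowed vbc.exe (PIDs as in the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6d51784aeffbe05410d9511802b2da247a5d3bacca27429b75578b35e9f9252e.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe"
PERSIST = r"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000"
RUN = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
OMI = HKU + r"\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1248, "image": DROPPER, "parent_image": SAMPLE, "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": 1956, "image": PERSIST, "parent_image": DROPPER, "cmdline": f'"{PERSIST}"'},
    # Value data is WindowsUpdate.exe (no space) while the dropped file is "Windows Update.exe", as reported.
    {"type": "registry_set", "pid": 1956, "key": RUN, "name": "Windows Update",
     "data": r'"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"'},
    {"type": "process_create", "pid": 2020, "image": VBC, "parent_image": PERSIST,
     "cmdline": VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'},
    {"type": "process_access", "source_pid": 1956, "source_image": PERSIST,
     "target_pid": 2020, "target_image": VBC, "operation": "SetThreadContext"},
    {"type": "registry_open", "pid": 2020, "key": OMI},
    {"type": "process_create", "pid": 1624, "image": VBC, "parent_image": PERSIST,
     "cmdline": VBC + r' /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'},
    {"type": "process_access", "source_pid": 1956, "source_image": PERSIST,
     "target_pid": 1624, "target_image": VBC, "operation": "WriteProcessMemory"},
]

# Constructed benign activity that must stay silent: a genuine compile, OneDrive's Run
# entry (under AppData\Local\Microsoft, not a drop directory) and Outlook reading its own store.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 3001, "image": VBC, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": VBC + r' /noconfig @"C:\src\App\obj\Debug\App.vbproj.rsp"'},
    {"type": "registry_set", "pid": 3002, "key": RUN, "name": "OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "pid": 3003, "image": OUTLOOK, "parent_image": r"C:\Windows\explorer.exe", "cmdline": OUTLOOK},
    {"type": "registry_open", "pid": 3003, "key": OMI},
]
```

Rule 1 is the cheapest and most specific of the four: a .NET Framework compiler never takes a NirSoft save switch, so a single command line is enough. Rule 2 needs process-access telemetry (Sysmon event 10 or an EDR equivalent); rule 3 will also match other commodity malware and is the one to pair with a file-existence check, since here the persisted path and the dropped file name differ.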

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.108:587 smtp.gmail.com tcp
US 142.250.102.108:587 smtp.gmail.com tcp
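The Network rows for the win7 run show the ordering characteristic of HawkEye's mail-based exfiltration: a public-IP lookup against whatismyipaddress.com (port 80, then 443), followed by SMTP submission to smtp.gmail.com:587, with DNS via 8.8.8.8. Neither an IP-lookup service nor port 587 traffic is suspicious on its own; the signal is the sequence from a single process that is not a mail client. Gmail requires STARTTLS on 587, so the message body and the harvested credentials inside it will not be visible on the wire; the pattern itself is what to alert on. The function below is an added example, not taken from the report: it correlates the two steps over constructed flow records. The timestamps, the owning process ("Windows Update.exe"), the extra lookup domains and the benign control flows are assumptions, since the report records only destinations.

```python
"""Network correlation for the lookup-then-SMTP exfil pattern (added example).
Flows are constructed from the report's Network table with assumed timestamps
and an assumed owning process; they are not sandbox output."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Public-IP lookup services. Only whatismyipaddress.com appears in this report;
# the other names are assumptions added for coverage.
IP_LOOKUP_DOMAINS = {"whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "checkip.dyndns.org"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes expected to speak SMTP


@dataclass(frozen=True)
class Flow:
    ts: float         # seconds since capture start (assumed)
    host: str         # source endpoint
    process: str      # image name that owned the socket (assumed)
    dst: str          # "ip:port"
    proto: str
    domain: str = ""  # name the destination was resolved from, if known


@dataclass(frozen=True)
class ExfilHit:
    host: str
    process: str
    lookup_domain: str
    smtp_dst: str
    seconds_between: float


def find_lookup_then_smtp(flows: List[Flow], window_s: float = 120.0) -> List[ExfilHit]:
    """Flag SMTP submission by a non-mail process that the same process preceded,
    within window_s, by a public-IP lookup: the stealer learning the victim's
    address before mailing out what it harvested."""
    by_host: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_host[f.host].append(f)
    hits: List[ExfilHit] = []
    for host, host_flows in by_host.items():
        host_flows.sort(key=lambda f: f.ts)
        lookups = [f for f in host_flows if f.domain in IP_LOOKUP_DOMAINS]
        for f in host_flows:
            port = int(f.dst.rsplit(":", 1)[1])
            if f.proto != "tcp" or port not in MAIL_SUBMISSION_PORTS:
                continue
            if f.process.lower() in MAIL_CLIENTS:
                continue  # a real mail client submitting mail is expected
            prior = [lk for lk in lookups if lk.process == f.process and 0 <= f.ts - lk.ts <= window_s]
            if prior:
                hits.append(ExfilHit(host, f.process, prior[0].domain, f.dst, round(f.ts - prior[0].ts, 1)))
    return hits


# Constructed flows following the report's win7 Network table.
H, P = "WIN7-ADMIN", "Windows Update.exe"
SAMPLE_FLOWS = [
    Flow(0.0, H, P, "8.8.8.8:53", "udp", "whatismyipaddress.com"),
    Flow(0.3, H, P, "104.16.154.36:80", "tcp", "whatismyipaddress.com"),
    Flow(0.8, H, P, "104.16.154.36:443", "tcp", "whatismyipaddress.com"),
    Flow(1.2, H, P, "104.16.154.36:443", "tcp", "whatismyipaddress.com"),
    Flow(6.0, H, P, "8.8.8.8:53", "udp", "smtp.gmail.com"),
    Flow(6.4, H, P, "142.250.102.108:587", "tcp", "smtp.gmail.com"),
    Flow(7.1, H, P, "142.250.102.108:587", "tcp", "smtp.gmail.com"),
]
# Constructed benign traffic that must not match: a mail client, a lookup with no
# mail afterwards, and SMTP from a different process far outside the window.
BENIGN_FLOWS = [
    Flow(50.0, "WKS-PAYROLL", "outlook.exe", "142.250.102.108:587", "tcp", "smtp.gmail.com"),
    Flow(100.0, "WKS-DEV", "curl.exe", "104.16.154.36:443", "tcp", "whatismyipaddress.com"),
    Flow(900.0, "WKS-DEV", "python.exe", "142.250.102.108:587", "tcp", "smtp.gmail.com"),
]
```

The window should be generous: in this run the lookup and the first submission are seconds apart, but a stealer that waits for keystrokes before sending can stretch that to minutes, so tune window_s against the telemetry retention you have rather than against this one sample.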

Files

memory/1904-55-0x0000000076731000-0x0000000076733000-memory.dmp

memory/1904-57-0x0000000000880000-0x0000000000882000-memory.dmp

memory/268-58-0x0000000000200000-0x0000000000202000-memory.dmp

\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe

MD5 1dc3326c6046aacbc99da5b15e7c6e86
SHA1 8ca39947b7683b76ddb8e93e505d5e8368090793
SHA256 bdcc4422c16e50c9bf94d509481e7ba389a0eb648cfc83004d019f056f15118b
SHA512 d060f1a10e3207c18ca950bdfaa61759f0b5b1d56c2f46da00389674c70734844662490e2d5a6e446a6b03acf637f4f4efd75da6563352717faf3f3d6a2b9aac

C:\Users\Admin\AppData\Local\Temp\presentacion de proyecto.exe

MD5 1dc3326c6046aacbc99da5b15e7c6e86
SHA1 8ca39947b7683b76ddb8e93e505d5e8368090793
SHA256 bdcc4422c16e50c9bf94d509481e7ba389a0eb648cfc83004d019f056f15118b
SHA512 d060f1a10e3207c18ca950bdfaa61759f0b5b1d56c2f46da00389674c70734844662490e2d5a6e446a6b03acf637f4f4efd75da6563352717faf3f3d6a2b9aac

memory/268-64-0x0000000000400000-0x0000000000401000-memory.dmp

memory/1248-68-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/1248-67-0x0000000073440000-0x00000000739EB000-memory.dmp

memory/1248-69-0x0000000073440000-0x00000000739EB000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 1dc3326c6046aacbc99da5b15e7c6e86
SHA1 8ca39947b7683b76ddb8e93e505d5e8368090793
SHA256 bdcc4422c16e50c9bf94d509481e7ba389a0eb648cfc83004d019f056f15118b
SHA512 d060f1a10e3207c18ca950bdfaa61759f0b5b1d56c2f46da00389674c70734844662490e2d5a6e446a6b03acf637f4f4efd75da6563352717faf3f3d6a2b9aac

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 1dc3326c6046aacbc99da5b15e7c6e86
SHA1 8ca39947b7683b76ddb8e93e505d5e8368090793
SHA256 bdcc4422c16e50c9bf94d509481e7ba389a0eb648cfc83004d019f056f15118b
SHA512 d060f1a10e3207c18ca950bdfaa61759f0b5b1d56c2f46da00389674c70734844662490e2d5a6e446a6b03acf637f4f4efd75da6563352717faf3f3d6a2b9aac

C:\Users\Admin\AppData\Local\Temp\presentacion proyecto.jpg

MD5 b813ecaef399ecbcde91be36256e47ef
SHA1 d938fff4d81e512a78b72b233bf21e0be7d5cf26
SHA256 f542abf4f4f0bf2ca34ee9db043940b172d4e33259fff97191b91f6043eeb293
SHA512 6c5e77cf9652bf51266f0c5df7bbaa7e9d0720a41aa1612f09ea504a3c2d35b07fc0289ebf8e9e23a605f066e9ff9636d313ec14cd52cf7a8bba8f39f3c84029

memory/1956-76-0x0000000000B00000-0x0000000000B01000-memory.dmp

memory/1956-75-0x0000000073440000-0x00000000739EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 9806edc00a4ed9d1706e97156f06ccfe
SHA1 b223839a2bad7b5fcaeb31b309192bd6f870de2b
SHA256 c250e87bab5b9ae4a54ee42496bc2162921304fcea50dc69631d3af9497e64aa
SHA512 1f7540456a5541b03fe8dd7bbe88963c70d4c7360ffe9ca8a8b80eb5b725cd70e6bbc87dae52ca9b913bd6ed247b63c1f5c27b8e34956a19f8e5f1f8b50f4a8e

memory/2020-78-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2020-81-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1956-82-0x0000000000B16000-0x0000000000B17000-memory.dmp

memory/1624-83-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1624-86-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/812-90-0x0000000001E80000-0x0000000001E81000-memory.dmp