Malware Analysis Report

2025-01-02 14:18

Sample ID 220720-cjsjbsadc2
Target 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
SHA256 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
Tags: hawkeye keylogger spyware stealer trojan collection
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3

Threat Level: Known bad

The file 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3 was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger spyware stealer trojan collection

HawkEye

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Executes dropped EXE

Deletes itself

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-20 02:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-20 02:06

Reported

2022-07-20 02:10

Platform

win7-20220718-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description | Indicator | Process | Target
8 rows, all fields N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
4 rows, all fields N/A

Nirsoft

Description | Indicator | Process | Target
8 rows, all fields N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Uses the VBS compiler for execution

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyipaddress.com | N/A | N/A
N/A | whatismyipaddress.com | N/A | N/A
N/A | whatismyipaddress.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1696 wrote to memory of 1728 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
PID 1728 wrote to memory of 1760 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1760 wrote to memory of 1004 (7 events) | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1004 wrote to memory of 1676 (13 events) | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

Process tree; the PIDs are those recorded in the WriteProcessMemory signature above, which shows each process writing into the next one in the chain:

C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe (PID 1696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
  C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe (PID 1728)
    Command line: C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
    C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1760)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1004)
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1676)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | whatismyipaddress.com | udp
US | 104.16.155.36:80 | whatismyipaddress.com | tcp
US | 104.16.155.36:443 | whatismyipaddress.com | tcp
US | 104.16.155.36:443 | whatismyipaddress.com | tcp

Files

memory/1696-56-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1696-57-0x0000000075871000-0x0000000075873000-memory.dmp

memory/1696-58-0x0000000077C60000-0x0000000077DE0000-memory.dmp

memory/1728-59-0x00000000004D123E-mapping.dmp

memory/1696-60-0x0000000077C60000-0x0000000077DE0000-memory.dmp

memory/1728-64-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1728-67-0x0000000002420000-0x00000000024B0000-memory.dmp

memory/1728-70-0x0000000077C60000-0x0000000077DE0000-memory.dmp

memory/1728-71-0x0000000074E30000-0x00000000753DB000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 ad5dc6ea0f64a5a16fe225a011c2a023
SHA1 ccaa2ede5a16f03cf7982250d934c521c08042c4
SHA256 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
SHA512 b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 ad5dc6ea0f64a5a16fe225a011c2a023
SHA1 ccaa2ede5a16f03cf7982250d934c521c08042c4
SHA256 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
SHA512 b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109

memory/1760-73-0x0000000000000000-mapping.dmp

memory/1728-76-0x0000000077C60000-0x0000000077DE0000-memory.dmp

memory/1728-78-0x0000000074E30000-0x00000000753DB000-memory.dmp

memory/1004-85-0x00000000004D123E-mapping.dmp

memory/1760-88-0x0000000077C60000-0x0000000077DE0000-memory.dmp

memory/1004-94-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1004-98-0x0000000002680000-0x0000000002710000-memory.dmp

memory/1004-101-0x0000000077C60000-0x0000000077DE0000-memory.dmp

memory/1004-102-0x0000000074750000-0x0000000074CFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 ab77ce8f3f627cc26d8d39590db498ea
SHA1 0e4f5991102ad8e45513fac5ab8099664ec913ed
SHA256 675468643dceea5dc5d5f9b927fd7f97442d591ad1723f8d3865cd69bee6cd7a
SHA512 1487ca588e8bc990f1c53d9241071aa3998f78158765297782f0c47d104526eab00ccb7b64e305cb22744651476308d9f4bd5ac8ec0f025b297038d3b54a16bc

memory/1004-104-0x0000000074750000-0x0000000074CFB000-memory.dmp

memory/1676-105-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1676-106-0x0000000000411654-mapping.dmp

memory/1676-109-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1676-112-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1004-111-0x00000000003A5000-0x00000000003B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-20 02:06

Reported

2022-07-20 02:10

Platform

win10v2004-20220718-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description | Indicator | Process | Target
6 rows, all fields N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
2 rows, all fields N/A

Nirsoft

Description | Indicator | Process | Target
6 rows, all fields N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyipaddress.com | N/A | N/A
N/A | whatismyipaddress.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2988 wrote to memory of 2864 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe
PID 2864 wrote to memory of 376 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 376 wrote to memory of 2908 (3 events) | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2908 wrote to memory of 3660 (9 events) | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

Process tree; the PIDs are those recorded in the WriteProcessMemory signature above, which shows each process writing into the next one in the chain:

C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe (PID 2988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
  C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe (PID 2864)
    Command line: C:\Users\Admin\AppData\Local\Temp\4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3.exe"
    C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 376)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 2908)
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3660)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

Network

Country | Destination | Domain | Proto
US | 93.184.221.240:80 | N/A | tcp
NL | 104.80.225.205:443 | N/A | tcp
US | 20.42.73.27:443 | N/A | tcp
NL | 2.21.41.70:80 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp
US | 8.8.8.8:53 | whatismyipaddress.com | udp
US | 104.16.155.36:80 | whatismyipaddress.com | tcp
US | 104.16.155.36:443 | whatismyipaddress.com | tcp

Files

memory/2988-132-0x0000000000820000-0x0000000000827000-memory.dmp

memory/2864-133-0x0000000000000000-mapping.dmp

memory/2988-134-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2864-135-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2864-138-0x0000000000400000-0x0000000000477000-memory.dmp

memory/2864-141-0x0000000002140000-0x00000000021D0000-memory.dmp

memory/2864-144-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2864-145-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/376-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 ad5dc6ea0f64a5a16fe225a011c2a023
SHA1 ccaa2ede5a16f03cf7982250d934c521c08042c4
SHA256 4f6c7376d1d8f4a053cd1012979a89234754a83176949bea931ca5772ff720c3
SHA512 b2c35f8e6b05bc2636136a045d75aebbc1fe3940caec3c73f4c06e6db9a6e3d099943d95edf7223e1045b8a990cff7499200241157f192d0cd1d7a98dcb22109

memory/2864-151-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2864-152-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/2908-153-0x0000000000000000-mapping.dmp

memory/376-155-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2908-161-0x0000000006AE0000-0x0000000006B70000-memory.dmp

memory/2908-164-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2908-165-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2908-166-0x0000000074FA0000-0x0000000075551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 ab77ce8f3f627cc26d8d39590db498ea
SHA1 0e4f5991102ad8e45513fac5ab8099664ec913ed
SHA256 675468643dceea5dc5d5f9b927fd7f97442d591ad1723f8d3865cd69bee6cd7a
SHA512 1487ca588e8bc990f1c53d9241071aa3998f78158765297782f0c47d104526eab00ccb7b64e305cb22744651476308d9f4bd5ac8ec0f025b297038d3b54a16bc

memory/2908-168-0x0000000077930000-0x0000000077AD3000-memory.dmp

memory/2908-169-0x0000000074FA0000-0x0000000075551000-memory.dmp

memory/3660-171-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3660-170-0x0000000000000000-mapping.dmp

memory/3660-173-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3660-174-0x0000000000400000-0x000000000041B000-memory.dmp