Malware Analysis Report

2025-01-02 14:16

Sample ID 220725-th18hsdcg8
Target 556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2
SHA256 556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2
Tags
hawkeye collection keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2

Threat Level: Known bad

The file 556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2 was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger spyware stealer trojan

HawkEye

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Checks computer location settings

Uses the VBS compiler for execution

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-25 16:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-25 16:04

Reported

2022-07-26 11:16

Platform

win7-20220715-en

Max time kernel

99s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 900 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 528 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 528 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 528 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 528 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe

"C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\igyhdrfgydftrtyopsdgtrvhyudfgevghuifvknufgju" /XML "C:\Users\Admin\AppData\Local\Temp\z500"

C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe

"C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1380

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.tonysizzo.com udp

Files

memory/900-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

memory/900-55-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/900-56-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/276-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\z500

MD5 5d1883410a89486b5833e8ad076e5bbd
SHA1 6a4b1382cd399b0b62c20cf68bbd46aadab1b4d0
SHA256 7d3fb35b668be38a4a8926c5bc44a471eb0baf750258b07ef36e8fd6dd9cd217
SHA512 b064297ddda9fa6eec1b09678e11c3390fb47e9d449023f8c579029a756896e9b46c887d6623954b78c0484b46a52bc9ee774cbda3b1584e041de5431af6452d

memory/528-59-0x0000000000400000-0x0000000000488000-memory.dmp

memory/528-60-0x0000000000400000-0x0000000000488000-memory.dmp

memory/528-62-0x0000000000400000-0x0000000000488000-memory.dmp

memory/528-65-0x0000000000400000-0x0000000000488000-memory.dmp

memory/528-67-0x0000000000400000-0x0000000000488000-memory.dmp

memory/528-69-0x0000000000480BAE-mapping.dmp

memory/528-71-0x0000000000400000-0x0000000000488000-memory.dmp

memory/900-74-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/528-73-0x0000000000400000-0x0000000000488000-memory.dmp

memory/528-76-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1536-77-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1536-78-0x0000000000411654-mapping.dmp

memory/1536-81-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1536-82-0x0000000000400000-0x000000000041B000-memory.dmp

memory/528-83-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/1536-84-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1944-85-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1944-86-0x0000000000442628-mapping.dmp

memory/1944-89-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1944-91-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1580-92-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-25 16:04

Reported

2022-07-26 11:16

Platform

win10v2004-20220721-en

Max time kernel

101s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4708 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4708 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4708 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4660 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4660 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 4660 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe

"C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\igyhdrfgydftrtyopsdgtrvhyudfgevghuifvknufgju" /XML "C:\Users\Admin\AppData\Local\Temp\z843"

C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe

"C:\Users\Admin\AppData\Local\Temp\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1708

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 13.69.116.104:443 tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.tonysizzo.com udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 mail.tonysizzo.com udp

Files

memory/4708-130-0x00000000753F0000-0x00000000759A1000-memory.dmp

memory/1164-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\z843

MD5 ac507fe6983e3be94a1979cb9cda94cc
SHA1 681e09bd23ffb1b395c5cf0ae1e6ca850288d809
SHA256 9b594df76b8aaf4ab2401b1748925621ad23a1a77b3b13586f1fa07438d54527
SHA512 9a6cf14225fb998c0ac100d59add82dba90d32a16c31f0ad24cbb68a089cd01aa839a7bff0f42b1fa26928725ff1995dcece1b9c9e8ff60ee712b0f3fc7aeacd

memory/4660-133-0x0000000000000000-mapping.dmp

memory/4660-134-0x0000000000360000-0x00000000003E8000-memory.dmp

memory/4660-135-0x0000000000360000-0x00000000003E8000-memory.dmp

memory/4660-136-0x0000000000360000-0x00000000003E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\556f0baffda31920d6a03dd11a23e1da6357e529cb8496a0780889f3862f2ff2.exe.log

MD5 da4fafeffe21b7cb3a8c170ca7911976
SHA1 50ef77e2451ab60f93f4db88325b897d215be5ad
SHA256 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
SHA512 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

memory/4708-139-0x00000000753F0000-0x00000000759A1000-memory.dmp

memory/4660-140-0x00000000753F0000-0x00000000759A1000-memory.dmp

memory/1836-141-0x0000000000000000-mapping.dmp

memory/1836-142-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1836-144-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1836-145-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1836-146-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4660-147-0x00000000753F0000-0x00000000759A1000-memory.dmp

memory/264-148-0x0000000000000000-mapping.dmp

memory/264-149-0x0000000000400000-0x0000000000458000-memory.dmp

memory/264-151-0x0000000000400000-0x0000000000458000-memory.dmp

memory/264-152-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/264-154-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4348-155-0x0000000000000000-mapping.dmp

memory/4660-156-0x00000000753F0000-0x00000000759A1000-memory.dmp