hawkeye | 21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe
Size

1.5MB
MD5

40570856df7efebd7ebda05408224e1b
SHA1

47cc7a0b90c6b79c4416476e5b5ced7422ea6247
SHA256

21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab
SHA512

449fcab507e352bcb736bf03292b269afdc3ae3b8382bfbf19d82f7167951e9bf66fdf2997dc7b625d47162a9fff1a4996a4b2dd380a170f06767e61455cc417
SSDEEP

24576:wGd3O+nY5gC8WlgzkjD2oSOH+nqUmM31ShHT4TSEoSo/6Z6fgVXmCwIhr:w2LYghcgIvbZ+pj04OEto/s6fYmGh

Score

10^/10

hawkeye imminent pony collection discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
123owerri

Extracted

Family

pony

http://newwork.hostoi.com/Panel/gate.php

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 13 IoCs

pid	Process
2836	FB_5B7E.tmp.exe
1940	FB_6BCB.tmp.exe
4896	FB_6C39.tmp.exe
2852	FB_6BCB.tmp.exe
3672	FB_5B7E.tmp.exe
3640	FB_6C39.tmp.exe
3596	defragsvc.exe
4876	Windows Update.exe
3960	AppReadiness.exe
2308	Windows Update.exe
2764	defragsvc.exe
2440	AppReadiness.exe
364	defragsvc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2852-161-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2852-167-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2852-168-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2852-171-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2852-189-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	FB_6C39.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	FB_6C39.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	FB_6BCB.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Windows Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AppReadiness.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FB_6BCB.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_6BCB.tmp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default NKey = "C:\\Users\\Admin\\AppData\\Roaming\\Default NFolder\\Default File.exe"	FB_5B7E.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Readiness = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\defragsvc.exe"	defragsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Readiness = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\defragsvc.exe"	defragsvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	FB_5B7E.tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	FB_5B7E.tmp.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	whatismyipaddress.com
61	whatismyipaddress.com
65	whatismyipaddress.com

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1940 set thread context of 2852	1940	FB_6BCB.tmp.exe	98
PID 2836 set thread context of 3672	2836	FB_5B7E.tmp.exe	99
PID 4896 set thread context of 3640	4896	FB_6C39.tmp.exe	100
PID 4876 set thread context of 2308	4876	Windows Update.exe	116
PID 2308 set thread context of 3160	2308	Windows Update.exe	118
PID 3960 set thread context of 2440	3960	AppReadiness.exe	120
PID 2308 set thread context of 2988	2308	Windows Update.exe	122
PID 2440 set thread context of 3120	2440	AppReadiness.exe	124
PID 2440 set thread context of 2744	2440	AppReadiness.exe	126

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	FB_5B7E.tmp.exe
File created	C:\Windows\assembly\Desktop.ini	FB_5B7E.tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	FB_5B7E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	AcroRd32.exe
4428	AcroRd32.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4896	FB_6C39.tmp.exe
4896	FB_6C39.tmp.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4896	FB_6C39.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3672	FB_5B7E.tmp.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2440	AppReadiness.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe
Token: SeDebugPrivilege	1940	FB_6BCB.tmp.exe
Token: SeDebugPrivilege	2836	FB_5B7E.tmp.exe
Token: SeDebugPrivilege	4896	FB_6C39.tmp.exe
Token: SeImpersonatePrivilege	2852	FB_6BCB.tmp.exe
Token: SeTcbPrivilege	2852	FB_6BCB.tmp.exe
Token: SeChangeNotifyPrivilege	2852	FB_6BCB.tmp.exe
Token: SeCreateTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeBackupPrivilege	2852	FB_6BCB.tmp.exe
Token: SeRestorePrivilege	2852	FB_6BCB.tmp.exe
Token: SeIncreaseQuotaPrivilege	2852	FB_6BCB.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeImpersonatePrivilege	2852	FB_6BCB.tmp.exe
Token: SeTcbPrivilege	2852	FB_6BCB.tmp.exe
Token: SeChangeNotifyPrivilege	2852	FB_6BCB.tmp.exe
Token: SeCreateTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeBackupPrivilege	2852	FB_6BCB.tmp.exe
Token: SeRestorePrivilege	2852	FB_6BCB.tmp.exe
Token: SeIncreaseQuotaPrivilege	2852	FB_6BCB.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeImpersonatePrivilege	2852	FB_6BCB.tmp.exe
Token: SeTcbPrivilege	2852	FB_6BCB.tmp.exe
Token: SeChangeNotifyPrivilege	2852	FB_6BCB.tmp.exe
Token: SeCreateTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeBackupPrivilege	2852	FB_6BCB.tmp.exe
Token: SeRestorePrivilege	2852	FB_6BCB.tmp.exe
Token: SeIncreaseQuotaPrivilege	2852	FB_6BCB.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeDebugPrivilege	3672	FB_5B7E.tmp.exe
Token: SeImpersonatePrivilege	2852	FB_6BCB.tmp.exe
Token: SeTcbPrivilege	2852	FB_6BCB.tmp.exe
Token: SeChangeNotifyPrivilege	2852	FB_6BCB.tmp.exe
Token: SeCreateTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeBackupPrivilege	2852	FB_6BCB.tmp.exe
Token: SeRestorePrivilege	2852	FB_6BCB.tmp.exe
Token: SeIncreaseQuotaPrivilege	2852	FB_6BCB.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeImpersonatePrivilege	2852	FB_6BCB.tmp.exe
Token: SeTcbPrivilege	2852	FB_6BCB.tmp.exe
Token: SeChangeNotifyPrivilege	2852	FB_6BCB.tmp.exe
Token: SeCreateTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeBackupPrivilege	2852	FB_6BCB.tmp.exe
Token: SeRestorePrivilege	2852	FB_6BCB.tmp.exe
Token: SeIncreaseQuotaPrivilege	2852	FB_6BCB.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeImpersonatePrivilege	2852	FB_6BCB.tmp.exe
Token: SeTcbPrivilege	2852	FB_6BCB.tmp.exe
Token: SeChangeNotifyPrivilege	2852	FB_6BCB.tmp.exe
Token: SeCreateTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeBackupPrivilege	2852	FB_6BCB.tmp.exe
Token: SeRestorePrivilege	2852	FB_6BCB.tmp.exe
Token: SeIncreaseQuotaPrivilege	2852	FB_6BCB.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	2852	FB_6BCB.tmp.exe
Token: SeDebugPrivilege	3596	defragsvc.exe
Token: SeDebugPrivilege	4876	Windows Update.exe
Token: SeDebugPrivilege	2308	Windows Update.exe
Token: SeDebugPrivilege	3160	vbc.exe
Token: SeDebugPrivilege	3960	AppReadiness.exe
Token: SeDebugPrivilege	2440	AppReadiness.exe
Token: SeDebugPrivilege	2988	vbc.exe
Token: SeDebugPrivilege	3120	vbc.exe
Token: SeDebugPrivilege	2744	vbc.exe
Token: SeDebugPrivilege	364	defragsvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4428	AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
4428	AcroRd32.exe
3672	FB_5B7E.tmp.exe
2308	Windows Update.exe
2440	AppReadiness.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1092 wrote to memory of 1484	1092	21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe	90
PID 1484 wrote to memory of 2836	1484	AppLaunch.exe	91
PID 1484 wrote to memory of 2836	1484	AppLaunch.exe	91
PID 1484 wrote to memory of 2836	1484	AppLaunch.exe	91
PID 1484 wrote to memory of 1940	1484	AppLaunch.exe	92
PID 1484 wrote to memory of 1940	1484	AppLaunch.exe	92
PID 1484 wrote to memory of 1940	1484	AppLaunch.exe	92
PID 1484 wrote to memory of 4896	1484	AppLaunch.exe	93
PID 1484 wrote to memory of 4896	1484	AppLaunch.exe	93
PID 1484 wrote to memory of 4896	1484	AppLaunch.exe	93
PID 1484 wrote to memory of 4428	1484	AppLaunch.exe	94
PID 1484 wrote to memory of 4428	1484	AppLaunch.exe	94
PID 1484 wrote to memory of 4428	1484	AppLaunch.exe	94
PID 4428 wrote to memory of 3988	4428	AcroRd32.exe	95
PID 4428 wrote to memory of 3988	4428	AcroRd32.exe	95
PID 4428 wrote to memory of 3988	4428	AcroRd32.exe	95
PID 4428 wrote to memory of 5088	4428	AcroRd32.exe	96
PID 4428 wrote to memory of 5088	4428	AcroRd32.exe	96
PID 4428 wrote to memory of 5088	4428	AcroRd32.exe	96
PID 4428 wrote to memory of 4056	4428	AcroRd32.exe	97
PID 4428 wrote to memory of 4056	4428	AcroRd32.exe	97
PID 4428 wrote to memory of 4056	4428	AcroRd32.exe	97
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 1940 wrote to memory of 2852	1940	FB_6BCB.tmp.exe	98
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 2836 wrote to memory of 3672	2836	FB_5B7E.tmp.exe	99
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3640	4896	FB_6C39.tmp.exe	100
PID 4896 wrote to memory of 3596	4896	FB_6C39.tmp.exe	101
PID 4896 wrote to memory of 3596	4896	FB_6C39.tmp.exe	101
PID 4896 wrote to memory of 3596	4896	FB_6C39.tmp.exe	101
PID 4428 wrote to memory of 3176	4428	AcroRd32.exe	102
PID 4428 wrote to memory of 3176	4428	AcroRd32.exe	102
PID 4428 wrote to memory of 3176	4428	AcroRd32.exe	102
PID 3640 wrote to memory of 4876	3640	FB_6C39.tmp.exe	103
PID 3640 wrote to memory of 4876	3640	FB_6C39.tmp.exe	103
PID 3640 wrote to memory of 4876	3640	FB_6C39.tmp.exe	103
PID 4428 wrote to memory of 4716	4428	AcroRd32.exe	104
PID 4428 wrote to memory of 4716	4428	AcroRd32.exe	104

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_6BCB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe
"C:\Users\Admin\AppData\Local\Temp\21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_win_path
      PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240639500.bat" "C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe" "
        5⤵
        
        PID:3612
- - C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
      - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Accesses Microsoft Outlook accounts
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2764
  - - C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:3596
    - - C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
      - C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Accesses Microsoft Outlook accounts
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
      - C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FB_6D05.tmp.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:3988
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:5088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:3176
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:4716
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:1816
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C56C0B408BF3B72F88B761B5B5019E4 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2104
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A02FCA9AC0EA8E1C66E0925A397D6BA1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A02FCA9AC0EA8E1C66E0925A397D6BA1 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2368
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3858BE325AA5C488F9E2D258653A7903 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3858BE325AA5C488F9E2D258653A7903 --renderer-client-id=4 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:380
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF26C6CD9145C7BA838392D2206679C8 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3712
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C5E660E6D66B60519F76D61B1FB738A3 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4156
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9DF63C9CF7FBDB2D447AA84FAAC708F9 --mojo-platform-channel-handle=2648 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\FB_6C39.tmp.exe.log

Filesize
594B

MD5
fdb26b3b547022b45cfaeee57eafd566

SHA1
11c6798b8a59233f404014c5e79b3363cd564b37

SHA256
2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0

SHA512
44d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\defragsvc.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\240639500.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5B7E.tmp.exe

Filesize
375KB

MD5
e70554626613b71cad3ee25fedc14860

SHA1
44a6ee6a6fa305f6361e9c22bd81b65b7c73d029

SHA256
d1a69a078b42b37ca36b10a42004a1c24772eec70b2c81e99e29b7c8fe64d2c8

SHA512
a7db08e98daa5bd0d9c520736ce24bf43ad77818f16cdbe8f99d50f5bb8d26499a08fcd0e164121ce96c84518c2aea01027e685c6688f37f5ed91edf08465f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6BCB.tmp.exe

Filesize
133KB

MD5
510be7b2655743c1816d28cf348f0605

SHA1
ee71ce07ed98a82c4d2b9dac1e7f1c6dabe06456

SHA256
a1fd1f4c66a5c748a43bf8aa670850ff0a4ec5941e6f91e1140b4c021ff259de

SHA512
c5714a24caac7870042fb8ac113eb4d8a9f71b1db43b47f9695a0274b5f8a4964225903d05b0e93738c4f1ba51928cd85b9585311b0ea74279e7d47664a10271

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6C39.tmp.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_6D05.tmp.pdf

Filesize
19KB

MD5
78ce19a2ec6b1d5045b26600cdde2ba2

SHA1
f600c7449d0f843de4941b77971af731f11a8976

SHA256
ba1768f6bd4e00591e88f94709ff7b97b1d9961dd2daa9be1431a945e6506f36

SHA512
d071d196948586818e31de11b7b507f792649180b6c521569fbf85bea9d683dac48cea98a9abda95ef921e3872154b63e5cb05891801d42d4fcc81cdc0a7d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
49B

MD5
860f12e5ebc266d07b944fa0810a02c7

SHA1
96341b2930c4d359d2ccd9fad711b36394800f9a

SHA256
45c6e3e96a46c62697a5e18225c13b45bdc6b97e366845302ed40b52971315f2

SHA512
e2437f834372ca7fc0c06c5b8f999a1aca4de64e9cc128b4972c9f42c975bb0e022ae11877bb8435dfec0257ff273f5d126a259888cbccf9f144426061fa0213

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
327B

MD5
1265c5140a2f68b05b92aa1a25a2abb6

SHA1
627a660e9d2a41c8c4a662ca44fdb68a1356bc82

SHA256
694bae0c1ebf6f8eeb8d902b1bfad57ed9a42dea6d3e327a0137a1c9f4f0c6b9

SHA512
ad6a1dd57ec84459f28926d07e25f2c4f49dc67ff95b8400e85c3bcb8eccc471dbac5e2b1a2758fb563866ecacc2fae4657dfb85197fb4cd2547eef334b8a216

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
1KB

MD5
01e7975c708365983265ae40d604beb4

SHA1
f1c793c9b7a312d355cd944928ba9272bbeec44e

SHA256
95d7aeb5f67dc33d0b62d02b26a5d469436f58f2246fd95189a8b86220bc9a40

SHA512
9c67c306fbb0e191ea7af01388c6a99714c353590d99887ddd0b0ceee3f6cd3af2e7b2c8d1d22a5a34dac746e4b2156876d935a658afc9a1d38597fd4922e023

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe

Filesize
13KB

MD5
0ee04e685f30e70d9b35231493837faa

SHA1
80b193cf85321e106c0030e17f914c6ca14f52d6

SHA256
d9d2cc7216825ca9b1a3056d1c812455fe5c105145ed8185568177b9c66cabf6

SHA512
ef7b5de373a237e9e2d5e92612d7468a4498464c0c914bd2c03ba0a7a8eba8f8afec6507a1d71e596d8a83b41cdf8ae7d27d8f5a95fce344ab9c9364405ea494

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
899KB

MD5
51020be2299bf3abb75478c91b99073e

SHA1
8f68d3346d131b01addafab435bcbaa777d32c2a

SHA256
735fab502a9e9dc51e871b93fe2064139fea473c31ee2690232449c52ee4c1b3

SHA512
404791cab348c1fa7143886b0ca9f8b5fdf33e29ad6826e7cb7e4f466dba6ebffda5d4f1ac6d4c065c1318b4a017019c7ad45bf2445336475ff7b8683e386338

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
4B

MD5
e58aea67b01fa747687f038dfde066f6

SHA1
a002f2f44c4eb97169796e571751a450aa506770

SHA256
e7f63be25caefa4d8cff32f04757b158f73c50ae313668a07dc8ee9bec9b43de

SHA512
893b031f42da96fe80371819deeec976ddd4280a65e9fb23d6a1a30717adb368e2630ddf7632923c1ec3fc74427ffea2bfe8ec1ab0b0e6478e99f8a007929999

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt

Filesize
49B

MD5
4e809690165da520fd525a595a154c7d

SHA1
9f182d976ff149642d6034b6991dbefdcd162036

SHA256
a81baa3308e8bb61e092d6677af55be7888d3924cb46b05d18c14c7dc00270cf

SHA512
e6def8c3f19f40d507e430cea760ed0ddaf63a20ca893f4422e92b5f733c25468e1c9671beac598b6a43f0893c240183e1f06d963ff2ba4de3adcbfdd266e418

Download Submit
memory/364-253-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/364-268-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/1092-132-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1092-133-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1092-139-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1484-137-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1484-138-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1484-135-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1940-150-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/1940-155-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/1940-169-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2308-241-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2308-228-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2440-252-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2440-267-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2744-271-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2744-274-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2744-272-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2764-234-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2764-243-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2836-149-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2836-154-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2836-170-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/2852-161-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2852-168-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2852-171-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2852-189-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2852-167-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2988-260-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2988-258-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2988-257-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2988-256-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2988-255-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3120-263-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3120-264-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3120-266-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3160-237-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3160-236-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3160-238-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3160-239-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3596-181-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3596-201-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3596-223-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3640-176-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3640-174-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3640-185-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3672-192-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3672-172-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3672-163-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3960-227-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/3960-220-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4876-202-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4876-242-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4876-186-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4896-222-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4896-156-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download
memory/4896-152-0x0000000073780000-0x0000000073D31000-memory.dmp

Filesize
5.7MB

Download