hawkeye | bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

Analysis

max time kernel
155s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Size

1.4MB
MD5

620047f8b6970bb921ec2c1589a61914
SHA1

f108d8e94d14820174eb1ba5950906cc265be288
SHA256

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c
SHA512

4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad
SSDEEP

24576:wAGL1se/vFeAgAI/y8YsAm85tKgB68IU86OpjY3g2+rKQfzFsFfknVPpeEtjYF+n:wAW/vFxI/cw8P1sjfHrHzFLjR

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4292-139-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/1688-189-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1688-188-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/1688-191-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1688-192-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4292-139-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/4348-194-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/4348-193-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4348-196-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/4348-197-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/4348-199-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4292-139-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/1688-189-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1688-188-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1688-191-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1688-192-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4348-194-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/4348-193-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4348-196-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/4348-197-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/4348-199-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1912-200-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1912-201-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1912-203-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1912-204-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1912-206-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1184-207-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1184-208-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral2/memory/1184-210-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral2/memory/1184-212-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exeWindows Update.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exeWindows Update.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

pid	process
4292	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
432	Windows Update.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
3532	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
4788	Windows Update.exe
4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Sample.lnk"	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 whatismyipaddress.com
41 whatismyipaddress.com
63 whatismyipaddress.com

flow	ioc
39	whatismyipaddress.com
41	whatismyipaddress.com
63	whatismyipaddress.com

Suspicious use of SetThreadContext 9 IoCs

Processes:

description	pid	process	target process
PID 768 set thread context of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 set thread context of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 1588 set thread context of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 768 set thread context of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 set thread context of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 4416 set thread context of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 set thread context of 4348	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 set thread context of 1912	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 set thread context of 1184	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

372 1720 WerFault.exe vbc.exe
4164 1720 WerFault.exe vbc.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

pid	pid_target	process	target process
372	1720	WerFault.exe	vbc.exe
4164	1720	WerFault.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

pid	process
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exeWindows Update.exedw20.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exeWindows Update.exe

description	pid	process
Token: SeDebugPrivilege	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Token: SeDebugPrivilege	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Token: SeDebugPrivilege	432	Windows Update.exe
Token: SeRestorePrivilege	1624	dw20.exe
Token: SeBackupPrivilege	1624	dw20.exe
Token: SeBackupPrivilege	1624	dw20.exe
Token: SeBackupPrivilege	1624	dw20.exe
Token: SeBackupPrivilege	1624	dw20.exe
Token: SeDebugPrivilege	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Token: SeDebugPrivilege	4788	Windows Update.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

pid	process
1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exebef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe

description	pid	process	target process
PID 768 wrote to memory of 4924	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	CMD.exe
PID 768 wrote to memory of 4924	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	CMD.exe
PID 768 wrote to memory of 4924	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	CMD.exe
PID 768 wrote to memory of 4908	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	CMD.exe
PID 768 wrote to memory of 4908	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	CMD.exe
PID 768 wrote to memory of 4908	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	CMD.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4292	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 4292 wrote to memory of 432	4292	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	Windows Update.exe
PID 4292 wrote to memory of 432	4292	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	Windows Update.exe
PID 4292 wrote to memory of 432	4292	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	Windows Update.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 1588	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1720	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 1588 wrote to memory of 1624	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	dw20.exe
PID 1588 wrote to memory of 1624	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	dw20.exe
PID 1588 wrote to memory of 1624	1588	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	dw20.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 3532	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 3532 wrote to memory of 4788	3532	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	Windows Update.exe
PID 3532 wrote to memory of 4788	3532	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	Windows Update.exe
PID 3532 wrote to memory of 4788	3532	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	Windows Update.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 768 wrote to memory of 4416	768	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe
PID 4416 wrote to memory of 1688	4416	bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
"C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:4924

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
"C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
"C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 184
4⤵
- Program crash
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 188
4⤵
- Program crash
PID:4164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1048
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
"C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
"C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:4348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
3⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1720 -ip 1720
1⤵
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_B64CB26D56E76CD8F8BE2258B10CD6DA
Filesize
1KB

MD5
628cf6f08769a43f712de5e0ef80e3a6

SHA1
3f52535b28bc8a01bdf60b8654ffdb34651de8ba

SHA256
7cff2199395b27627ae4dfe6516ac799a0f56bdbde5f29b43fa75ad5c22ad17a

SHA512
426ae4448c3264f6127ae0c39d3ec5c0c642127f9b945ea0e393dee20f4550222e09b182f741fcd73efca585f0e7789c91760b89830ff04bfbe0d401a13e5d00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_B64CB26D56E76CD8F8BE2258B10CD6DA
Filesize
408B

MD5
75d0288e74bb6b38e73daeeba2a08200

SHA1
42fde7832d209c33d18ae4c124faa27204134336

SHA256
9621bccb3a2dab4c1edef198d84934b9165149cb7526fcfb1513e3441c87e763

SHA512
f9d311b4c05a5481f107d424fa83e7328d1b9b6b01ba8f9f4769666da5b664aacbddab32c633298508007d9c94ae0c48c9e0f65c0151a5ac4fddaacafbffe979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
404B

MD5
35dee5befe429706df2032b9ccbd8f66

SHA1
8653b1958688fb053314472937c1b73334f4d086

SHA256
99ab6c84ba2cc25dac1b5de4156dc76e1e8dc225a2e2e250e22bef31e7d14057

SHA512
6fcb6f535807f3e13950359d974779783c3c7408afd565cc178fb03589f622641d7929f42d8589116bbd981828cd45d9ef1d767dc5c231ab1965ec50c684a7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
404B

MD5
3ef3006886f70facd55389612c5ade8c

SHA1
451f247038dca54dcfce3ac1f5263deb2e1460e5

SHA256
e3be5ac99252a8e876a4282b1612219f548d5172be16d2875d53d6526f5ad741

SHA512
266173d0a18e98039f3e64ff3c64e5deb72b961b0c9b37bcc8034c8b8c5cee2880129f54e976f484578f3d7bc7cab177287677bc5a1a8dc3ca7b2aee977713bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe.log
Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
550ad121582360de35b2c627fc83f14f

SHA1
75e9285f90aed4b4778493bb2ae00b18b84a85dd

SHA256
56fbe9c6b668fd8a613ab923753e8af5bc7cb1b8d48692f7ad63254f8a5b6d99

SHA512
6d56876d74b63dfc59ebbc70e214d3d06db42c58dd4ce1f01648a839821dcea2f9b318d4d76f7a6868a3441f689f204203bee3e97d7743b00a63bbb68211f989

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
550ad121582360de35b2c627fc83f14f

SHA1
75e9285f90aed4b4778493bb2ae00b18b84a85dd

SHA256
56fbe9c6b668fd8a613ab923753e8af5bc7cb1b8d48692f7ad63254f8a5b6d99

SHA512
6d56876d74b63dfc59ebbc70e214d3d06db42c58dd4ce1f01648a839821dcea2f9b318d4d76f7a6868a3441f689f204203bee3e97d7743b00a63bbb68211f989

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
550ad121582360de35b2c627fc83f14f

SHA1
75e9285f90aed4b4778493bb2ae00b18b84a85dd

SHA256
56fbe9c6b668fd8a613ab923753e8af5bc7cb1b8d48692f7ad63254f8a5b6d99

SHA512
6d56876d74b63dfc59ebbc70e214d3d06db42c58dd4ce1f01648a839821dcea2f9b318d4d76f7a6868a3441f689f204203bee3e97d7743b00a63bbb68211f989

Download Submit
C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
Filesize
725B

MD5
0e1a432ecda3bf9bddd9651a5cb128db

SHA1
c7309cef9457ad4777f6d8d2aa7afe22f8ea4111

SHA256
3a7635febb183b191ec1aa1736109956bc32ca7b3340305bf176ea0c3e216b70

SHA512
a29c1ab733c3207b6f9a61e11358856dbc9060561324fdacc655d26288416172a5321b5f5f218f95be436e542140716209d35547c03cccb1d1cf60d4ff8a4e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
620047f8b6970bb921ec2c1589a61914

SHA1
f108d8e94d14820174eb1ba5950906cc265be288

SHA256
bef6021b0749b86924120e822dc130875bd2efbeea7185a6b118e6231d90154c

SHA512
4c12f669d26e24c4685d529c2b4d0ff772ca3cb5b39f2da8dc77e57ba933caf1bed4bfae5e99d6e1414cc3c9f9a7c90864574f24e39fc053f087bca1b4acd1ad

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
894b77f805bd94d292574c38c5d628d5

SHA1
1784f0e37c1fdd6200c1e8b28e8caae5402e74e0

SHA256
d24eac45e69be063cc0053eb02650954eec62c314c405e564a4d11e951392e75

SHA512
605b8ee18c6bd7c9d489faa803dc4c00fed6e7a4b21a9a69ba7b429642a06d7fe42e5fd45162f72fff76f1ec518c5840399c97d4ab0f7633651d35e2b19f2e05

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
102B

MD5
550ad121582360de35b2c627fc83f14f

SHA1
75e9285f90aed4b4778493bb2ae00b18b84a85dd

SHA256
56fbe9c6b668fd8a613ab923753e8af5bc7cb1b8d48692f7ad63254f8a5b6d99

SHA512
6d56876d74b63dfc59ebbc70e214d3d06db42c58dd4ce1f01648a839821dcea2f9b318d4d76f7a6868a3441f689f204203bee3e97d7743b00a63bbb68211f989

Download Submit
memory/432-155-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/432-148-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/432-142-0x0000000000000000-mapping.dmp

Download
memory/432-159-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/768-133-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/768-132-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/768-135-0x0000000001570000-0x0000000001670000-memory.dmp

Filesize
1024KB

Download
memory/768-134-0x0000000001570000-0x0000000001670000-memory.dmp

Filesize
1024KB

Download
memory/1184-212-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1184-210-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1184-208-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1184-207-0x0000000000000000-mapping.dmp

Download
memory/1588-153-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1588-158-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1588-165-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/1588-149-0x0000000000000000-mapping.dmp

Download
memory/1624-164-0x0000000000000000-mapping.dmp

Download
memory/1688-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-188-0x0000000000000000-mapping.dmp

Download
memory/1688-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-192-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-161-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-160-0x0000000000000000-mapping.dmp

Download
memory/1912-201-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-200-0x0000000000000000-mapping.dmp

Download
memory/1912-203-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-204-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-206-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3532-169-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/3532-166-0x0000000000000000-mapping.dmp

Download
memory/3532-174-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4292-138-0x0000000000000000-mapping.dmp

Download
memory/4292-147-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4292-141-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4292-139-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4348-196-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4348-197-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4348-199-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4348-194-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4348-193-0x0000000000000000-mapping.dmp

Download
memory/4416-177-0x0000000000000000-mapping.dmp

Download
memory/4416-184-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4416-186-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4788-187-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4788-180-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4788-171-0x0000000000000000-mapping.dmp

Download
memory/4788-185-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4908-137-0x0000000000000000-mapping.dmp

Download
memory/4924-136-0x0000000000000000-mapping.dmp

Download