505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

Analysis

max time kernel
191s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Size

1.2MB
MD5

8f15bfb3722b7b5c2af0a3af4aea2e59
SHA1

b7b1c094d883c219c7f872b9d18bd765bce8a5f5
SHA256

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539
SHA512

47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6
SSDEEP

12288:92vL7kVDlyOjZ87Bvr7wn8/GtFgd6/L5G8Qx9CPW0CjTTrm+pLFONMIRkxkfkkUN:UfSh94z+tCdSV3fW0CjT3m+pApl08M3

Score

9^/10

collection persistence spyware stealer

Malware Config

Signatures

NirSoft MailPassView 9 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1368-111-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1368-112-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1368-115-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1368-116-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1368-117-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2548-171-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/2548-175-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2528-228-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/2528-232-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 16 IoCs

resource	yara_rule
behavioral1/memory/524-89-0x000000000040E758-mapping.dmp	Nirsoft
behavioral1/memory/524-88-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/524-97-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/524-100-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/524-101-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1368-111-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1368-112-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1368-115-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1368-116-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1368-117-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2412-160-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2548-171-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/2548-175-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2472-217-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/2528-228-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/2528-232-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
1516	WUDHost.exe
1044	Acctres.exe
1888	Acctres.exe
1008	WUDHost.exe
2080	WUDHost.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
2344	dw20.exe
964	takshost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1180 set thread context of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 set thread context of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1044 set thread context of 1888	1044	Acctres.exe	41
PID 1888 set thread context of 2412	1888	Acctres.exe	49
PID 1888 set thread context of 2548	1888	Acctres.exe	50
PID 964 set thread context of 2812	964	takshost.exe	51
PID 2812 set thread context of 2472	2812	takshost.exe	57
PID 2812 set thread context of 2528	2812	takshost.exe	58

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000a5c4f4e2b0b6a1870aa8273c3c9ef1f8a6c458348a6d1c4d35ceb014ba8e512f000000000e80000000020000200000003df2e2b5f77dbd4dd61ee7eeeb0e3871a3932e2857f769e7fc116a7a00eb4e25900000007c0711e1e35c348386a7067405c64674ba72e1ae3a44335f8b36a312550f73a5a73f53c12f747db78f0f3544a1e0201070e9de8b78c270d349715d11561129bdf442b6ffaa3f57c3d50691d67b2d16d87043ec80437d8bd40387837cd0dad26f316518df1c3055892a10620f743ba2e4c6a19bae2dcba0106fe9dcc7456d57246686d00fbe1dddf40f0ab38da47408c940000000ac8ada0c69d61a2fdf9d7995bd644804525b46bca1290d17748a62995dbc5317c1c25ffbf131eb075b678eef1817b69b37cf4c6a748d11d258c626495c7d8e51	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000667ec212014e77cfc74b4a0e2b08cc97e4195c6012d938b612b4a5c156090625000000000e8000000002000020000000aef918380506d624d3bce32675391de6233fc4e2fe1fb90a1d15e40cb185df47200000008ca0262063cf1fae8378bc2f87e69f1afce69da98b72aa2ec0ebdd2deb7262c84000000087600e93fdc37c46992478b72ef079594f201c84f0fb866fe61fd95ef06a084f7e3e7ed2cfa6e03a149bd7bd0ff644b687a292bf3447f5b339361cab07f88578	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0846d07a703d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376459322"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23C22C41-6F9A-11ED-9B9F-7AEFAD47A2D2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1516	WUDHost.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Token: SeDebugPrivilege	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Token: SeDebugPrivilege	1516	WUDHost.exe
Token: SeDebugPrivilege	1044	Acctres.exe
Token: SeDebugPrivilege	1888	Acctres.exe
Token: SeDebugPrivilege	964	takshost.exe
Token: SeDebugPrivilege	2812	takshost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
828	iexplore.exe
828	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
828	iexplore.exe
828	iexplore.exe
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1888	Acctres.exe
828	iexplore.exe
828	iexplore.exe
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2812	takshost.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1180	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	27
PID 1740 wrote to memory of 1516	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	28
PID 1740 wrote to memory of 1516	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	28
PID 1740 wrote to memory of 1516	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	28
PID 1740 wrote to memory of 1516	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	28
PID 1180 wrote to memory of 1360	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	29
PID 1180 wrote to memory of 1360	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	29
PID 1180 wrote to memory of 1360	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	29
PID 1180 wrote to memory of 1360	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	29
PID 1180 wrote to memory of 828	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	31
PID 1180 wrote to memory of 828	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	31
PID 1180 wrote to memory of 828	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	31
PID 1180 wrote to memory of 828	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	31
PID 828 wrote to memory of 1912	828	iexplore.exe	34
PID 828 wrote to memory of 1912	828	iexplore.exe	34
PID 828 wrote to memory of 1912	828	iexplore.exe	34
PID 828 wrote to memory of 1912	828	iexplore.exe	34
PID 1180 wrote to memory of 1504	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	36
PID 1180 wrote to memory of 1504	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	36
PID 1180 wrote to memory of 1504	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	36
PID 1180 wrote to memory of 1504	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	36
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1180 wrote to memory of 524	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	37
PID 1516 wrote to memory of 1044	1516	WUDHost.exe	38
PID 1516 wrote to memory of 1044	1516	WUDHost.exe	38
PID 1516 wrote to memory of 1044	1516	WUDHost.exe	38
PID 1516 wrote to memory of 1044	1516	WUDHost.exe	38
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1180 wrote to memory of 1368	1180	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	39
PID 1740 wrote to memory of 964	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	40
PID 1740 wrote to memory of 964	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	40
PID 1740 wrote to memory of 964	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	40
PID 1740 wrote to memory of 964	1740	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	40
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41
PID 1044 wrote to memory of 1888	1044	Acctres.exe	41

C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
"C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
  "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
    3⤵
    - Drops startup file
    PID:1360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ebis.pro/images/invoice_img.png
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1912
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:472083 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:603139 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2108
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275482 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1584
    3⤵
    PID:1504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
    3⤵
    PID:524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe"
        5⤵
        Drops startup file
        
        PID:776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ebis.pro/images/invoice_img.png
        5⤵
        
        PID:2072
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1516
        5⤵
        Loads dropped DLL
        
        PID:2344
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
        5⤵
        
        PID:2412
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:2548
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
      4⤵
      Executes dropped EXE
      PID:1008
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe"
      4⤵
      Drops startup file
      PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1464
      4⤵
      PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
      4⤵
      PID:2472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2528
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
    3⤵
    - Executes dropped EXE
    PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4QYX5DOT.txt

Filesize
601B

MD5
079efa30e63076a73f3455926df15059

SHA1
f3f4467b3a91f632454370b579cafcfcdea4b869

SHA256
4fba62098efaa7b436c10bfee583f71326b495652d729544f5a7993e3d7203f5

SHA512
d08a6e742de3cf11dcf2404fdcf40945633406d089b73e019587ce28a7d9094fb19072810a335e779aea3d2c8327d9427d3786bbfb3018b4102503868c8ca8c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DVVTQYNE.txt

Filesize
98B

MD5
63a1a56f5b8619ee9850a2178bbf6361

SHA1
e11791f934c5f55695bc659c290d6563b79d9f67

SHA256
410929282e2c453de841631a4be7c966fd806b9a3c1710a5f858ebe530b2ab05

SHA512
c248c3585dce9922c441147661dc0f7399eacf9a949b42462b22c141cd640084760a81a02863cdfe04a602cbd7784723be5a2efc5ec4a6e262b28b8e80617e2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
memory/524-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-100-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-101-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-97-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-85-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-81-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/524-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/964-131-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/964-176-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-178-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-180-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-142-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-179-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-98-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-118-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-58-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1180-61-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1180-60-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1180-62-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1180-77-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-57-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1180-69-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-65-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1180-67-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1368-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-116-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1516-78-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-122-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-76-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-55-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-56-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1740-121-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-141-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-177-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2080-201-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2472-217-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2812-194-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-233-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download