505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

Analysis

max time kernel
177s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Size

1.2MB
MD5

8f15bfb3722b7b5c2af0a3af4aea2e59
SHA1

b7b1c094d883c219c7f872b9d18bd765bce8a5f5
SHA256

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539
SHA512

47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6
SSDEEP

12288:92vL7kVDlyOjZ87Bvr7wn8/GtFgd6/L5G8Qx9CPW0CjTTrm+pLFONMIRkxkfkkUN:UfSh94z+tCdSV3fW0CjT3m+pApl08M3

Score

9^/10

collection persistence spyware stealer

Malware Config

Signatures

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3008-203-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3008-205-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3008-209-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3008-211-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/4976-241-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 13 IoCs

resource	yara_rule
behavioral2/memory/392-152-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/392-154-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/392-155-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/392-157-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/3736-180-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/3736-182-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/3008-203-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3008-205-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4280-208-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/3008-209-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3008-211-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2956-234-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/4976-241-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2500	WUDHost.exe
4360	Acctres.exe
2120	Acctres.exe
2432	WUDHost.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Acctres.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	takshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Acctres.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"	WUDHost.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
111	bot.whatismyipaddress.com
78	bot.whatismyipaddress.com
84	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 4260 set thread context of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 1112 set thread context of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 3528 set thread context of 3736	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	118
PID 1112 set thread context of 376	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	123
PID 376 set thread context of 4280	376	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	129
PID 376 set thread context of 3008	376	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	131
PID 4360 set thread context of 2120	4360	Acctres.exe	133
PID 2120 set thread context of 2956	2120	Acctres.exe	139
PID 2120 set thread context of 4976	2120	Acctres.exe	141
PID 4292 set thread context of 4480	4292	takshost.exe	142

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Token: SeDebugPrivilege	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Token: SeDebugPrivilege	2500	WUDHost.exe
Token: SeRestorePrivilege	1996	dw20.exe
Token: SeBackupPrivilege	1996	dw20.exe
Token: SeBackupPrivilege	1996	dw20.exe
Token: SeBackupPrivilege	1996	dw20.exe
Token: SeBackupPrivilege	1996	dw20.exe
Token: SeDebugPrivilege	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Token: SeBackupPrivilege	5100	dw20.exe
Token: SeBackupPrivilege	5100	dw20.exe
Token: SeDebugPrivilege	376	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
Token: SeDebugPrivilege	4360	Acctres.exe
Token: SeBackupPrivilege	1900	dw20.exe
Token: SeDebugPrivilege	2120	Acctres.exe
Token: SeBackupPrivilege	2400	dw20.exe
Token: SeDebugPrivilege	4292	takshost.exe
Token: SeDebugPrivilege	4480	takshost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
376	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
2120	Acctres.exe
4480	takshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 1112 wrote to memory of 4260	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	91
PID 4260 wrote to memory of 1600	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	94
PID 4260 wrote to memory of 1600	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	94
PID 4260 wrote to memory of 1600	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	94
PID 1112 wrote to memory of 2500	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	95
PID 1112 wrote to memory of 2500	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	95
PID 1112 wrote to memory of 2500	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	95
PID 4260 wrote to memory of 3468	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	103
PID 4260 wrote to memory of 3468	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	103
PID 3468 wrote to memory of 2592	3468	msedge.exe	104
PID 3468 wrote to memory of 2592	3468	msedge.exe	104
PID 2500 wrote to memory of 4360	2500	WUDHost.exe	105
PID 2500 wrote to memory of 4360	2500	WUDHost.exe	105
PID 2500 wrote to memory of 4360	2500	WUDHost.exe	105
PID 4260 wrote to memory of 1996	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	106
PID 4260 wrote to memory of 1996	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	106
PID 4260 wrote to memory of 1996	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	106
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 4260 wrote to memory of 392	4260	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	107
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 1112 wrote to memory of 3528	1112	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	110
PID 3528 wrote to memory of 2432	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	111
PID 3528 wrote to memory of 2432	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	111
PID 3528 wrote to memory of 2432	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	111
PID 3528 wrote to memory of 3432	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	113
PID 3528 wrote to memory of 3432	3528	505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe	113
PID 3432 wrote to memory of 3896	3432	msedge.exe	114
PID 3432 wrote to memory of 3896	3432	msedge.exe	114
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115
PID 3432 wrote to memory of 4116	3432	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
"C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
  "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
    3⤵
    - Drops startup file
    PID:1600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ebis.pro/images/invoice_img.png
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e1a346f8,0x7ff8e1a34708,0x7ff8e1a34718
      4⤵
      PID:2592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2382457835076529944,8163156143223784875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2382457835076529944,8163156143223784875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      PID:1468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 2492
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
    3⤵
    PID:392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe"
        5⤵
        Drops startup file
        
        PID:3220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ebis.pro/images/invoice_img.png
        5⤵
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8e1a346f8,0x7ff8e1a34708,0x7ff8e1a34718
        6⤵
        
        PID:3636
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
        5⤵
        
        PID:2956
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2468
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:4976
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
      4⤵
      Executes dropped EXE
      PID:2432
- C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
  "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
    3⤵
    - Drops startup file
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ebis.pro/images/invoice_img.png
    3⤵
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8e1a346f8,0x7ff8e1a34708,0x7ff8e1a34718
      4⤵
      PID:3896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10981017520419639724,16948328498636789797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10981017520419639724,16948328498636789797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10981017520419639724,16948328498636789797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
      4⤵
      PID:4492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 2548
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
    3⤵
    PID:3736
- C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
  "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
    3⤵
    - Drops startup file
    PID:1208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ebis.pro/images/invoice_img.png
    3⤵
    PID:2096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8e1a346f8,0x7ff8e1a34708,0x7ff8e1a34718
      4⤵
      PID:4212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
    3⤵
    PID:4280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 2532
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3008
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe"
      4⤵
      Drops startup file
      PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ebis.pro/images/invoice_img.png
      4⤵
      PID:2532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
db492a58fd3cfb60084aafbef2004f23

SHA1
540a7def9ab46e2d50fc6c8fdff7e4880f5c39ac

SHA256
2e24e3141006f251a54ba416e55e1fe768d031aa65c8ef7160610307f5c4c0fb

SHA512
221b5cdd96e4936f899c4acab5354d1e14aceabd43a64e4b59e3349c9f2b2a164b0628c2a024df15f2a2c9cc0551e910771e05a46ff7b631ef93ff28334a9099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
0c6c94a187d6d1537e90c96b75e711c4

SHA1
2447e5392b30a39468d7051a322e6f20e6e0b95c

SHA256
ac7287e7778924622e7e45bee59bf43232a3423d3d81d9e19275d882588f7877

SHA512
527c82b6de39f1d7c108ceecd1bc92e0de8874472912d6fdfc5e744c98628944aa69d3ffd1e438ebec611633d4a6147da6afa2a41cbfe4caa81701511bb22b6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
9a0abbe3ad109b4b5ad26ed92ea63753

SHA1
f99cb41d0e4fcae92cd5de8d471066ff49fce952

SHA256
8b91fbd69b8effb488d5dd069a1f6b872534c626eaede734f2149e852b2d069b

SHA512
cf5a68428d1df3164cc554d484e8522395ef6b564a5d38da5dbcd9bbb69dfce66b8104d0894f21159d208b519bfe548325d4b60b030edef7239a2754a5076cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WUDHost.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Filesize
1.2MB

MD5
8f15bfb3722b7b5c2af0a3af4aea2e59

SHA1
b7b1c094d883c219c7f872b9d18bd765bce8a5f5

SHA256
505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

SHA512
47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

Filesize
9KB

MD5
3f9eb41226ad438b49d384cb08ce0126

SHA1
44024295715bd4847a29949d9a01a2b0a4671074

SHA256
dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

SHA512
0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

Download Submit
memory/376-195-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/376-213-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/392-154-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/392-157-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/392-155-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/392-152-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1112-217-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/1112-133-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/1112-132-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2120-242-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2120-223-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2432-224-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2432-245-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2432-243-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2500-212-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2500-145-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2500-141-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2956-234-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3008-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-211-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3528-188-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3528-161-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3736-180-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3736-182-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4260-136-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4260-158-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4260-144-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4260-135-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4280-208-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4292-210-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4292-235-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4360-149-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4360-156-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4360-244-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4480-250-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4976-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download