hawkeye | 834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

Analysis

max time kernel
209s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
Size

1023KB
MD5

48a7ffc306eb2df89fa8d5e76bb9f84a
SHA1

b35ac93dc1c8960b5535f3ea9115ce462563df95
SHA256

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a
SHA512

d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6
SSDEEP

24576:JlvEhuUvl2xtTaZL3LMNy32TkC4N8tHZkI0hVGSb4Glxrzd3Qcj:vvEPYxsr32TJ4UHZkLVj4Y9d3Qcj

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4984-136-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4984-136-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-136-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

BrokerInfrastructure.exeWindows Update.exeAudioEndpointBuilder.exeAudioEndpointBuilder.exeWindows Update.exeBrokerInfrastructure.exeBrokerInfrastructure.exe

pid	process
1784	BrokerInfrastructure.exe
4044	Windows Update.exe
2580	AudioEndpointBuilder.exe
4936	AudioEndpointBuilder.exe
1856	Windows Update.exe
1144	BrokerInfrastructure.exe
2596	BrokerInfrastructure.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeBrokerInfrastructure.exeWindows Update.exeAudioEndpointBuilder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	BrokerInfrastructure.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Windows Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	AudioEndpointBuilder.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

110 whatismyipaddress.com
112 whatismyipaddress.com
115 whatismyipaddress.com

flow	ioc
110	whatismyipaddress.com
112	whatismyipaddress.com
115	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeAudioEndpointBuilder.exeWindows Update.exe

description	pid	process	target process
PID 3852 set thread context of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 2580 set thread context of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 4044 set thread context of 1856	4044	Windows Update.exe	Windows Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeBrokerInfrastructure.exe

pid	process
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
1784	BrokerInfrastructure.exe
3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exeBrokerInfrastructure.exeAudioEndpointBuilder.exeWindows Update.exeBrokerInfrastructure.exeBrokerInfrastructure.exeWindows Update.exe

description	pid	process
Token: SeDebugPrivilege	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
Token: SeDebugPrivilege	1784	BrokerInfrastructure.exe
Token: SeDebugPrivilege	2580	AudioEndpointBuilder.exe
Token: SeDebugPrivilege	4044	Windows Update.exe
Token: SeDebugPrivilege	1144	BrokerInfrastructure.exe
Token: SeDebugPrivilege	2596	BrokerInfrastructure.exe
Token: SeDebugPrivilege	1856	Windows Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1856 Windows Update.exe

pid	process
1856	Windows Update.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

description	pid	process	target process
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 4984	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
PID 3852 wrote to memory of 1784	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 3852 wrote to memory of 1784	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 3852 wrote to memory of 1784	3852	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	BrokerInfrastructure.exe
PID 4984 wrote to memory of 4044	4984	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 4984 wrote to memory of 4044	4984	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 4984 wrote to memory of 4044	4984	834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe	Windows Update.exe
PID 1784 wrote to memory of 2580	1784	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1784 wrote to memory of 2580	1784	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 1784 wrote to memory of 2580	1784	BrokerInfrastructure.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 2580 wrote to memory of 4936	2580	AudioEndpointBuilder.exe	AudioEndpointBuilder.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1856	4044	Windows Update.exe	Windows Update.exe
PID 4044 wrote to memory of 1144	4044	Windows Update.exe	BrokerInfrastructure.exe
PID 4044 wrote to memory of 1144	4044	Windows Update.exe	BrokerInfrastructure.exe
PID 4044 wrote to memory of 1144	4044	Windows Update.exe	BrokerInfrastructure.exe
PID 2580 wrote to memory of 2596	2580	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2580 wrote to memory of 2596	2580	AudioEndpointBuilder.exe	BrokerInfrastructure.exe
PID 2580 wrote to memory of 2596	2580	AudioEndpointBuilder.exe	BrokerInfrastructure.exe

C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
"C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe
"C:\Users\Admin\AppData\Local\Temp\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe"
4⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a.exe.log
Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BrokerInfrastructure.exe.log
Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
86f49fba1e2bd32484a49be33efbed1a

SHA1
529f46b90a626016c6708a1af05b449346980802

SHA256
2fd940083c6f51c6b0324a4c367aadd674b5cc7495688a75ed82f858444e1b78

SHA512
43019a316913e3d3fe3aebb7827e2fe75e741335132651cf0185e889dd29ca6d1a7846eb7b04b9412e5c7c2146c7b148b866a0868caf26945ce0651a22a9d609

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AudioEndpointBuilder.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\BrokerInfrastructure.exe
Filesize
12KB

MD5
01f48e0a9f0dbf4a3c601bf1c8c4e68a

SHA1
5439a513f790bc8650b975b952f3baa189ef23c4

SHA256
8c362e40460c9f894b4723e2a3e388c8bf8c9695904a9597c58a84fb7e3c8b97

SHA512
24246465dfa9da4c90c5d5535ff277b1e8b759e82932f8d4d21187059f79b8a085613318a984e294b34998b1dbd8b5ba7d700f890151f20cb18efc847e23d136

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1023KB

MD5
48a7ffc306eb2df89fa8d5e76bb9f84a

SHA1
b35ac93dc1c8960b5535f3ea9115ce462563df95

SHA256
834cb94448e55a4707a71c78ae0ce5f44a0aeeb98823ccf7e0a7d5114943df6a

SHA512
d39728d7044bded26c539ae80f64db38ee97495b657f3c7dc534575ef25537ab35319c10115e082ceaeecaa9d771ac6856c590287fcac9e56fca22e9e14964b6

Download Submit
memory/1144-165-0x0000000000000000-mapping.dmp

Download
memory/1144-176-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1144-173-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1784-162-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1784-138-0x0000000000000000-mapping.dmp

Download
memory/1784-151-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1784-144-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1856-157-0x0000000000000000-mapping.dmp

Download
memory/1856-174-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/1856-164-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2580-153-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2580-147-0x0000000000000000-mapping.dmp

Download
memory/2580-150-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2596-172-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2596-175-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2596-166-0x0000000000000000-mapping.dmp

Download
memory/3852-134-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3852-133-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/3852-155-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4044-139-0x0000000000000000-mapping.dmp

Download
memory/4044-152-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4044-145-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4936-163-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4936-156-0x0000000000000000-mapping.dmp

Download
memory/4936-171-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4984-137-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/4984-136-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4984-135-0x0000000000000000-mapping.dmp

Download
memory/4984-149-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download