Analysis Overview
SHA256
231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631
Threat Level: Known bad
The file 231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe was found to be: Known bad.
Malicious Activity Summary
Hawkeye family
HawkEye
Loads dropped DLL
Reads local data of messenger clients
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: SetClipboardViewer
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-02 21:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-02 21:42
Reported
2024-12-02 21:45
Platform
win7-20240903-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
HawkEye
Hawkeye family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1860 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe |
| PID 2760 set thread context of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2760 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2612 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
"C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
"C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | mail.avesta.co.id | udp |
| ID | 180.235.149.138:587 | mail.avesta.co.id | tcp |
| ID | 180.235.149.138:587 | mail.avesta.co.id | tcp |
Files
memory/1860-0-0x0000000074221000-0x0000000074222000-memory.dmp
memory/1860-1-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/1860-2-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/1860-3-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/2760-6-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-23-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-20-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-16-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-15-0x0000000000080000-0x0000000000166000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
| MD5 | e5cfadb65f5a6b27b6a559cb3c286b95 |
| SHA1 | f33ab26def2759aad5248cf1affa413777148584 |
| SHA256 | 251b78d864900e3a2b6cc168463421e1bc4ca31bfcabe941b595989bda0e5314 |
| SHA512 | b833256eb469717036cd81673e6b4d2bfa00093955b3d202fcfade785f530c51ccb9c23d883f3d263b985996560f3e67d5c7df51963974b526c79f3ded043d9b |
memory/2760-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2760-8-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-12-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-10-0x0000000000080000-0x0000000000166000-memory.dmp
memory/2760-30-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/2760-31-0x0000000074220000-0x00000000747CB000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
| MD5 | fc5828552d2036dc60430b21253b5e44 |
| SHA1 | 737cf33db7761061bd0774ebbd8976445cb98df1 |
| SHA256 | 231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631 |
| SHA512 | 9eb22f7ed932371a8a083399cd4dc48daebbddb6daa5f547d07049ac89261b660c25265586800ac1644d74234712b8b37478d1111b0e34c8092ce65bf2cb008f |
memory/2760-37-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/2868-38-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2868-39-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | e62221a3bb549a72fcc4afa60d34e620 |
| SHA1 | d60b16b540e0e3ed459a30cce0678d1fc8a1989a |
| SHA256 | 587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95 |
| SHA512 | 5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed |
memory/2868-41-0x0000000000470000-0x00000000004D7000-memory.dmp
memory/2868-46-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1636-47-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1636-48-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | c3609e29395ccd5fd8407fed36414e75 |
| SHA1 | 04c0c5dc3fcced0c5581c44af17fa60260fb591a |
| SHA256 | a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857 |
| SHA512 | 8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533 |
memory/1636-58-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1860-59-0x0000000074220000-0x00000000747CB000-memory.dmp
memory/1972-73-0x0000000000400000-0x00000000004E6000-memory.dmp
memory/1972-72-0x0000000000400000-0x00000000004E6000-memory.dmp
C:\Users\Admin\AppData\Roaming\pid.txt
| MD5 | b0bef4c9a6e50d43880191492d4fc827 |
| SHA1 | 2650a12d36146ad4ab44ad4fc6bb77f59fa487f4 |
| SHA256 | 5fff864d27239fa252f76a884f2d427362b8e758d654db16a80d4136a1dca2d2 |
| SHA512 | a1053810008990231b9c1a60703ca33ed2f97c0ed2971db8925161c73dd5cd020b1ec93dcbe5d328837c511451cc2bcf6c557bea273279b55413f36b89e18ee3 |
memory/1972-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-02 21:42
Reported
2024-12-02 21:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
HawkEye
Hawkeye family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
"C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
"C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.222.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.avesta.co.id | udp |
| ID | 180.235.149.138:587 | mail.avesta.co.id | tcp |
| US | 8.8.8.8:53 | 138.149.235.180.in-addr.arpa | udp |
| ID | 180.235.149.138:587 | mail.avesta.co.id | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| ID | 180.235.149.138:587 | mail.avesta.co.id | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| ID | 180.235.149.138:587 | mail.avesta.co.id | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/396-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp
memory/396-1-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/396-2-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/396-3-0x0000000074BE2000-0x0000000074BE3000-memory.dmp
memory/396-4-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/396-5-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/868-8-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/868-9-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/868-11-0x0000000074BE0000-0x0000000075191000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
| MD5 | e5cfadb65f5a6b27b6a559cb3c286b95 |
| SHA1 | f33ab26def2759aad5248cf1affa413777148584 |
| SHA256 | 251b78d864900e3a2b6cc168463421e1bc4ca31bfcabe941b595989bda0e5314 |
| SHA512 | b833256eb469717036cd81673e6b4d2bfa00093955b3d202fcfade785f530c51ccb9c23d883f3d263b985996560f3e67d5c7df51963974b526c79f3ded043d9b |
memory/4864-21-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/4864-22-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/4864-23-0x0000000074BE0000-0x0000000075191000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
| MD5 | fc5828552d2036dc60430b21253b5e44 |
| SHA1 | 737cf33db7761061bd0774ebbd8976445cb98df1 |
| SHA256 | 231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631 |
| SHA512 | 9eb22f7ed932371a8a083399cd4dc48daebbddb6daa5f547d07049ac89261b660c25265586800ac1644d74234712b8b37478d1111b0e34c8092ce65bf2cb008f |
memory/2720-28-0x0000000000400000-0x000000000046E000-memory.dmp
memory/396-29-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/2720-30-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | 38d18b0ae3449c2f854ebe7de63cc065 |
| SHA1 | 5b2591f992b47b0b9c36d17e467b198dce478d58 |
| SHA256 | f5871e2513fff59e0d00b54d0db5c8d6d2bf398788243f81ad5d40b90f9cb8e1 |
| SHA512 | 5d372daee065acce43eb9ee91f52546660e7177f2d75183d7eda0e6c86d28b671423fd9965582a4c7193c3e0fdc1dd3eaafeb3d46ae347a1f78d8c24fb0e7538 |
memory/2720-33-0x0000000000470000-0x0000000000539000-memory.dmp
memory/2720-37-0x0000000000400000-0x000000000046E000-memory.dmp
memory/868-38-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/4864-39-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/1428-40-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1428-41-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1428-50-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | c3609e29395ccd5fd8407fed36414e75 |
| SHA1 | 04c0c5dc3fcced0c5581c44af17fa60260fb591a |
| SHA256 | a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857 |
| SHA512 | 8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533 |
memory/396-54-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/4864-53-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3420-56-0x0000000000400000-0x00000000004E6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CryptSvc.exe.log
| MD5 | a5dcc7c9c08af7dddd82be5b036a4416 |
| SHA1 | 4f998ca1526d199e355ffb435bae111a2779b994 |
| SHA256 | e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5 |
| SHA512 | 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a |
C:\Users\Admin\AppData\Roaming\pidloc.txt
| MD5 | 7fbf191ac91dbbb90d3a9372d743c9f0 |
| SHA1 | 60f07ad84fe3fa6eb30b67fb3269ccccaf300573 |
| SHA256 | bebe525a16a20ee8b3867297d45cc6d8703c731080b169d2b4e7f18a06afcdf3 |
| SHA512 | 47e23e98dedf679399342a06e06a9731e1bf911b1232405ab74f74fa9dd681376acbde3980fdca3771f807f6d92d1a10c39a85fd4eb47c941e4f7a6618d3b11c |
C:\Users\Admin\AppData\Roaming\pid.txt
| MD5 | dd45045f8c68db9f54e70c67048d32e8 |
| SHA1 | 0b93caee71a9d214d0bbbc5622ea29507e3b8a7a |
| SHA256 | d2e655334ee2e4841be477484381df1617a8b891adc04cbc536cc1bed229d713 |
| SHA512 | 9e1ec3586174b78f5e732a56df6a97b5cfc9b3fb3376bd7df522112d3be78f652bbfde838fba1f2d811bf3554ba637a5de41f797868eca669d96ec0cbccbee17 |
memory/4288-74-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
| MD5 | e62221a3bb549a72fcc4afa60d34e620 |
| SHA1 | d60b16b540e0e3ed459a30cce0678d1fc8a1989a |
| SHA256 | 587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95 |
| SHA512 | 5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed |
memory/4288-80-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1876-82-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1876-89-0x0000000000400000-0x000000000046F000-memory.dmp