hawkeye_reborn | 415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
Size

1.1MB
MD5

bd5bc2f6b95e140c02325034f6a5c068
SHA1

7034fd90e9e47b8bbc195d8b07222e68aaed91cc
SHA256

415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d
SHA512

cf6875becdab1381e32c36ba6489bc318e6a35b8f96219b45b7a7c2300b81c9450f4e850fbde43de918a5c9bbff747adeaa8b9da013d836cffb136b1eacc1d2b

Score

10^/10

hawkeye_reborn keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.1

Credentials

Protocol: smtp
Host:
mail.eagleeyeapparels.com
Port:
587
Username:
[email protected]
Password:
eagle*qaz

Mutex

f98d37f4-ca90-4ed7-9f6f-6121c4014605

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	bot.whatismyipaddress.com
31	bot.whatismyipaddress.com
35	bot.whatismyipaddress.com
44	bot.whatismyipaddress.com
47	bot.whatismyipaddress.com
56	bot.whatismyipaddress.com
62	bot.whatismyipaddress.com
71	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 2400	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	80
PID 4492 set thread context of 1856	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	84
PID 2328 set thread context of 3180	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	89
PID 1960 set thread context of 2440	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	92
PID 1680 set thread context of 3172	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	98
PID 3880 set thread context of 3116	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	104
PID 3360 set thread context of 2256	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	108
PID 4276 set thread context of 32	4276	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	116
PID 2584 set thread context of 4616	2584	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	119

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
4276	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
2584	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 2400	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	80
PID 4036 wrote to memory of 2400	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	80
PID 4036 wrote to memory of 2400	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	80
PID 4036 wrote to memory of 4160	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	81
PID 4036 wrote to memory of 4160	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	81
PID 4036 wrote to memory of 4160	4036	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	81
PID 4160 wrote to memory of 4492	4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	83
PID 4160 wrote to memory of 4492	4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	83
PID 4160 wrote to memory of 4492	4160	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	83
PID 4492 wrote to memory of 1856	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	84
PID 4492 wrote to memory of 1856	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	84
PID 4492 wrote to memory of 1856	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	84
PID 4492 wrote to memory of 740	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	85
PID 4492 wrote to memory of 740	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	85
PID 4492 wrote to memory of 740	4492	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	85
PID 740 wrote to memory of 2328	740	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	88
PID 740 wrote to memory of 2328	740	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	88
PID 740 wrote to memory of 2328	740	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	88
PID 2328 wrote to memory of 3180	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	89
PID 2328 wrote to memory of 3180	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	89
PID 2328 wrote to memory of 3180	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	89
PID 2328 wrote to memory of 4076	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	90
PID 2328 wrote to memory of 4076	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	90
PID 2328 wrote to memory of 4076	2328	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	90
PID 4076 wrote to memory of 1960	4076	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	91
PID 4076 wrote to memory of 1960	4076	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	91
PID 4076 wrote to memory of 1960	4076	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	91
PID 1960 wrote to memory of 2440	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	92
PID 1960 wrote to memory of 2440	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	92
PID 1960 wrote to memory of 2440	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	92
PID 1960 wrote to memory of 4504	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	93
PID 1960 wrote to memory of 4504	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	93
PID 1960 wrote to memory of 4504	1960	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	93
PID 4504 wrote to memory of 1680	4504	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	97
PID 4504 wrote to memory of 1680	4504	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	97
PID 4504 wrote to memory of 1680	4504	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	97
PID 1680 wrote to memory of 3172	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	98
PID 1680 wrote to memory of 3172	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	98
PID 1680 wrote to memory of 3172	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	98
PID 1680 wrote to memory of 2844	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	99
PID 1680 wrote to memory of 2844	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	99
PID 1680 wrote to memory of 2844	1680	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	99
PID 2844 wrote to memory of 3880	2844	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	103
PID 2844 wrote to memory of 3880	2844	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	103
PID 2844 wrote to memory of 3880	2844	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	103
PID 3880 wrote to memory of 3116	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	104
PID 3880 wrote to memory of 3116	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	104
PID 3880 wrote to memory of 3116	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	104
PID 3880 wrote to memory of 1144	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	105
PID 3880 wrote to memory of 1144	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	105
PID 3880 wrote to memory of 1144	3880	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	105
PID 1144 wrote to memory of 3360	1144	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	107
PID 1144 wrote to memory of 3360	1144	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	107
PID 1144 wrote to memory of 3360	1144	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	107
PID 3360 wrote to memory of 2256	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	108
PID 3360 wrote to memory of 2256	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	108
PID 3360 wrote to memory of 2256	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	108
PID 3360 wrote to memory of 3504	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	109
PID 3360 wrote to memory of 3504	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	109
PID 3360 wrote to memory of 3504	3360	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	109
PID 3504 wrote to memory of 4276	3504	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	115
PID 3504 wrote to memory of 4276	3504	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	115
PID 3504 wrote to memory of 4276	3504	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	115
PID 4276 wrote to memory of 32	4276	415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe	116

C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
"C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
  "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
  "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 2400 240541531
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
    "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
      "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
      4⤵
      PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
      "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 1856 240606531
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        6⤵
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 3180 240617968
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        8⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 2440 240628859
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        10⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 3172 240639843
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        12⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 3116 240650828
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        14⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 2256 240661765
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        16⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 32 240672734
        16⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe"
        18⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe" 2 4616 240683750
        18⤵
        
        PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\415dfa4ea6d8b002aa3f6b96dd95dbc149514f283caa4f3043d465d26bd54e5d.exe.log

Filesize
680B

MD5
8faf48455ffc017246b08e89f6ba1956

SHA1
2f6c39d9828b3f95dc050f52a38cd7d3f543baf8

SHA256
9a643ce75fdfe840ea158010f28f8520bea2a60220494b44a25039a2a318fc35

SHA512
dafd4f1bf894ef1c61ff65dbcb8d5a151b33d8e39f3e354e6e433c8c7c0e8c2105615bffde8d796e361b77ccbe917a70ca4d03cc8cb6396f0495ff9e5b7010a9

Download Submit
memory/32-207-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/32-206-0x0000000000A70000-0x0000000000B00000-memory.dmp

Filesize
576KB

Download
memory/1856-149-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/1856-144-0x0000000000960000-0x00000000009F0000-memory.dmp

Filesize
576KB

Download
memory/1856-145-0x0000000000960000-0x00000000009F0000-memory.dmp

Filesize
576KB

Download
memory/2256-196-0x0000000000A00000-0x0000000000A90000-memory.dmp

Filesize
576KB

Download
memory/2256-199-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2400-134-0x0000000000AF0000-0x0000000000B80000-memory.dmp

Filesize
576KB

Download
memory/2400-135-0x0000000000AF0000-0x0000000000B80000-memory.dmp

Filesize
576KB

Download
memory/2400-138-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2440-166-0x0000000000A50000-0x0000000000AE0000-memory.dmp

Filesize
576KB

Download
memory/2440-169-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3116-189-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3116-186-0x0000000000AE0000-0x0000000000B70000-memory.dmp

Filesize
576KB

Download
memory/3172-179-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-176-0x0000000000A40000-0x0000000000AD0000-memory.dmp

Filesize
576KB

Download
memory/3180-159-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3180-156-0x0000000000A20000-0x0000000000AB0000-memory.dmp

Filesize
576KB

Download
memory/4036-131-0x0000000000BA0000-0x0000000000BB1000-memory.dmp

Filesize
68KB

Download
memory/4616-216-0x0000000000AA0000-0x0000000000B30000-memory.dmp

Filesize
576KB

Download
memory/4616-229-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download