hawkeye_reborn | 04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc

General

Target

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
Size

817KB
MD5

8d914bfb5f45b53628eb5e6956a696d2
SHA1

fb8e636a77c99f508f9193027bc5da24e712dabc
SHA256

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc
SHA512

0c5e86dc0b39bd57566ee12c85ac7fb0418f5cc2fa1bcf5e39ee23f73368c76111c8688dd312cf16ab35d75ada5c21afee8b1874777a7b04e986f487de182db3

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 8 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/3660-140-0x0000000000400000-0x000000000053C000-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-142-0x0000000000400000-0x000000000053C000-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-143-0x0000000000400000-0x000000000053C000-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-144-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-145-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-146-0x0000000000400000-0x000000000053C000-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-149-0x0000000000400000-0x000000000053C000-memory.dmp	m00nd3v_logger
behavioral2/memory/3660-158-0x0000000000400000-0x000000000053C000-memory.dmp	m00nd3v_logger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

Loads dropped DLL 3 IoCs

Processes:

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

pid	process
2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 bot.whatismyipaddress.com

flow	ioc
23	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

description	pid	process	target process
PID 2420 set thread context of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 set thread context of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4416	3660	WerFault.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
2908	3660	WerFault.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4612 taskkill.exe
4508 taskkill.exe

pid	process
4612	taskkill.exe
4508	taskkill.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

pid	process
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.execmd.execmd.exe

C:\Users\Admin\AppData\Local\Temp\04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
"C:\Users\Admin\AppData\Local\Temp\04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
  "C:\Users\Admin\AppData\Local\Temp\04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
    "C:\Users\Admin\AppData\Local\Temp\04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM wscript.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM wscript.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM cmd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 140
      4⤵
      Program crash
      PID:4416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 208
      4⤵
      Program crash
      PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3660 -ip 3660
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3660 -ip 3660
1⤵
PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bodements.dll

Filesize
84KB

MD5
a2f3f40061f165f5054336a90c78526f

SHA1
5a51d2e8cf374d90b615f026dc2ac9767558006c

SHA256
ce2b3ebba5b77665aeaf271b0c59c1a0cec1472585377cd5c74511dbedd76606

SHA512
f4304a99c9aa130225bb20ad3eb90f11ff790f022a2c8fbf80984b621d8752e7d4e59e27ae1c3cca9e4bfbd5137f084e26258ab948c6e066757ad5af3aa97093

Download Submit
C:\Users\Admin\AppData\Local\Temp\bodements.dll

Filesize
84KB

MD5
a2f3f40061f165f5054336a90c78526f

SHA1
5a51d2e8cf374d90b615f026dc2ac9767558006c

SHA256
ce2b3ebba5b77665aeaf271b0c59c1a0cec1472585377cd5c74511dbedd76606

SHA512
f4304a99c9aa130225bb20ad3eb90f11ff790f022a2c8fbf80984b621d8752e7d4e59e27ae1c3cca9e4bfbd5137f084e26258ab948c6e066757ad5af3aa97093

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu5E1F.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/2020-153-0x0000000000000000-mapping.dmp

Download
memory/2420-134-0x00000000022A0000-0x00000000022B5000-memory.dmp

Filesize
84KB

Download
memory/3552-135-0x0000000000000000-mapping.dmp

Download
memory/3552-136-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3552-138-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/3660-147-0x00000000747A0000-0x0000000074D51000-memory.dmp

Filesize
5.7MB

Download
memory/3660-152-0x0000000073390000-0x0000000073B38000-memory.dmp

Filesize
7.7MB

Download
memory/3660-143-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3660-144-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/3660-145-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/3660-146-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3660-140-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3660-148-0x0000000073C00000-0x0000000074700000-memory.dmp

Filesize
11.0MB

Download
memory/3660-149-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3660-150-0x00000000747A0000-0x0000000074D51000-memory.dmp

Filesize
5.7MB

Download
memory/3660-151-0x0000000073C00000-0x0000000074700000-memory.dmp

Filesize
11.0MB

Download
memory/3660-142-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/3660-139-0x0000000000000000-mapping.dmp

Download
memory/3660-161-0x0000000073390000-0x0000000073B38000-memory.dmp

Filesize
7.7MB

Download
memory/3660-160-0x0000000073C00000-0x0000000074700000-memory.dmp

Filesize
11.0MB

Download
memory/3660-159-0x00000000747A0000-0x0000000074D51000-memory.dmp

Filesize
5.7MB

Download
memory/3660-157-0x0000000073390000-0x0000000073B38000-memory.dmp

Filesize
7.7MB

Download
memory/3660-158-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4508-155-0x0000000000000000-mapping.dmp

Download
memory/4612-156-0x0000000000000000-mapping.dmp

Download
memory/4992-154-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 2420 wrote to memory of 3552	2420	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3552 wrote to memory of 3660	3552	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe
PID 3660 wrote to memory of 2020	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	cmd.exe
PID 3660 wrote to memory of 2020	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	cmd.exe
PID 3660 wrote to memory of 2020	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	cmd.exe
PID 3660 wrote to memory of 4992	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	cmd.exe
PID 3660 wrote to memory of 4992	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	cmd.exe
PID 3660 wrote to memory of 4992	3660	04dd071c5cb9fb78ad922c1d19ae97bfe32583c210758cb2fa8f91ed2b7fdcbc.exe	cmd.exe
PID 2020 wrote to memory of 4508	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 4508	2020	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 4508	2020	cmd.exe	taskkill.exe
PID 4992 wrote to memory of 4612	4992	cmd.exe	taskkill.exe
PID 4992 wrote to memory of 4612	4992	cmd.exe	taskkill.exe
PID 4992 wrote to memory of 4612	4992	cmd.exe	taskkill.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads