hawkeye_reborn | 3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a

General

Target

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
Size

893KB
MD5

45bcaf1873553f6047d714fcec3362f1
SHA1

e898892a0af8a34d666543f5169dd34d6dbba6e9
SHA256

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a
SHA512

e686717f37d87ce87473079969c6cf2f8a608eb68adc8516f18a03fa18e0e4077905deb9cd8b0555c108c387bdd4322fbf1dcc2d79d465f65600eb92bb5fa345

Score

10^/10

hawkeye_reborn m00nd3v_logger infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 9 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1972-60-0x0000000000D80000-0x0000000000E10000-memory.dmp	m00nd3v_logger
behavioral1/memory/1168-64-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1168-65-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1168-66-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1168-67-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/1168-69-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1168-71-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/1744-105-0x000000000048B1CE-mapping.dmp	m00nd3v_logger
behavioral1/memory/2036-141-0x000000000048B1CE-mapping.dmp	m00nd3v_logger

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/328-84-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/328-85-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/328-88-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/328-89-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/328-90-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1172-122-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1172-125-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1172-126-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1172-128-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/1120-158-0x000000000044472E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1120-162-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/328-84-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/328-85-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/328-88-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/328-89-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/328-90-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1172-122-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/1172-125-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1172-126-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1172-128-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1120-158-0x000000000044472E-mapping.dmp	Nirsoft
behavioral1/memory/1120-162-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

anyname.exeanyname.exe

pid process

268 anyname.exe
584 anyname.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
268	anyname.exe
584	anyname.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exeRegAsm.exeanyname.exeRegAsm.exeanyname.exeRegAsm.exe

description	pid	process	target process
PID 1972 set thread context of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1168 set thread context of 328	1168	RegAsm.exe	vbc.exe
PID 268 set thread context of 1744	268	anyname.exe	RegAsm.exe
PID 1744 set thread context of 1172	1744	RegAsm.exe	vbc.exe
PID 584 set thread context of 2036	584	anyname.exe	RegAsm.exe
PID 2036 set thread context of 1120	2036	RegAsm.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1164 schtasks.exe

pid	process
1164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exevbc.exeanyname.exevbc.exeanyname.exevbc.exe

pid	process
1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
328	vbc.exe
328	vbc.exe
328	vbc.exe
328	vbc.exe
328	vbc.exe
268	anyname.exe
268	anyname.exe
1172	vbc.exe
1172	vbc.exe
1172	vbc.exe
1172	vbc.exe
1172	vbc.exe
1172	vbc.exe
584	anyname.exe
584	anyname.exe
1120	vbc.exe
1120	vbc.exe
1120	vbc.exe
1120	vbc.exe
1120	vbc.exe
1120	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exeanyname.exeanyname.exe

description	pid	process
Token: SeDebugPrivilege	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
Token: SeDebugPrivilege	268	anyname.exe
Token: SeDebugPrivilege	584	anyname.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exeRegAsm.exetaskeng.exeanyname.exeRegAsm.exe

description	pid	process	target process
PID 1972 wrote to memory of 2028	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 2028	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 2028	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 2028	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 1164	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 1164	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 1164	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 1164	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	schtasks.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1416	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1972 wrote to memory of 1168	1972	3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe	RegAsm.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 1168 wrote to memory of 328	1168	RegAsm.exe	vbc.exe
PID 756 wrote to memory of 268	756	taskeng.exe	anyname.exe
PID 756 wrote to memory of 268	756	taskeng.exe	anyname.exe
PID 756 wrote to memory of 268	756	taskeng.exe	anyname.exe
PID 756 wrote to memory of 268	756	taskeng.exe	anyname.exe
PID 268 wrote to memory of 308	268	anyname.exe	schtasks.exe
PID 268 wrote to memory of 308	268	anyname.exe	schtasks.exe
PID 268 wrote to memory of 308	268	anyname.exe	schtasks.exe
PID 268 wrote to memory of 308	268	anyname.exe	schtasks.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 268 wrote to memory of 1744	268	anyname.exe	RegAsm.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe
PID 1744 wrote to memory of 1172	1744	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe
"C:\Users\Admin\AppData\Local\Temp\3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
2⤵
PID:2028

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn pCwmWG /MO 1 /tr "C:\Users\Admin\AppData\Roaming\anyname\anyname.exe\
2⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF21D.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:328

C:\Windows\system32\taskeng.exe
taskeng.exe {6079B01E-AB7D-4986-AAEF-760BBECD2DC8} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Roaming\anyname\anyname.exe
C:\Users\Admin\AppData\Roaming\anyname\anyname.exe "C:\Users\Admin\AppData\Roaming\anyname\anyname.exe\"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
3⤵
PID:308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8B6F.tmp"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Users\Admin\AppData\Roaming\anyname\anyname.exe
C:\Users\Admin\AppData\Roaming\anyname\anyname.exe "C:\Users\Admin\AppData\Roaming\anyname\anyname.exe\"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
3⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6549.tmp"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6549.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B6F.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF21D.tmp
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\anyname\anyname.exe
Filesize
893KB

MD5
45bcaf1873553f6047d714fcec3362f1

SHA1
e898892a0af8a34d666543f5169dd34d6dbba6e9

SHA256
3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a

SHA512
e686717f37d87ce87473079969c6cf2f8a608eb68adc8516f18a03fa18e0e4077905deb9cd8b0555c108c387bdd4322fbf1dcc2d79d465f65600eb92bb5fa345

Download Submit
C:\Users\Admin\AppData\Roaming\anyname\anyname.exe
Filesize
893KB

MD5
45bcaf1873553f6047d714fcec3362f1

SHA1
e898892a0af8a34d666543f5169dd34d6dbba6e9

SHA256
3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a

SHA512
e686717f37d87ce87473079969c6cf2f8a608eb68adc8516f18a03fa18e0e4077905deb9cd8b0555c108c387bdd4322fbf1dcc2d79d465f65600eb92bb5fa345

Download Submit
C:\Users\Admin\AppData\Roaming\anyname\anyname.exe
Filesize
893KB

MD5
45bcaf1873553f6047d714fcec3362f1

SHA1
e898892a0af8a34d666543f5169dd34d6dbba6e9

SHA256
3c92435ea37038bf93a3b93fd5df4d923006c91b728064eaedcc894b7615e90a

SHA512
e686717f37d87ce87473079969c6cf2f8a608eb68adc8516f18a03fa18e0e4077905deb9cd8b0555c108c387bdd4322fbf1dcc2d79d465f65600eb92bb5fa345

Download Submit
memory/268-94-0x0000000000000000-mapping.dmp

Download
memory/268-96-0x0000000001050000-0x000000000111C000-memory.dmp

Filesize
816KB

Download
memory/308-98-0x0000000000000000-mapping.dmp

Download
memory/328-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-84-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-85-0x000000000044472E-mapping.dmp

Download
memory/328-82-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-75-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/328-90-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/584-130-0x0000000000000000-mapping.dmp

Download
memory/584-132-0x0000000001060000-0x000000000112C000-memory.dmp

Filesize
816KB

Download
memory/756-92-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1076-134-0x0000000000000000-mapping.dmp

Download
memory/1120-162-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1120-158-0x000000000044472E-mapping.dmp

Download
memory/1164-59-0x0000000000000000-mapping.dmp

Download
memory/1168-67-0x000000000048B1CE-mapping.dmp

Download
memory/1168-65-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1168-73-0x00000000740D0000-0x000000007467B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1168-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1168-61-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1168-66-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1168-74-0x00000000740D0000-0x000000007467B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-64-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1168-62-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1172-122-0x000000000044472E-mapping.dmp

Download
memory/1172-125-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1172-126-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1172-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1744-127-0x00000000740D0000-0x000000007467B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-111-0x00000000740D0000-0x000000007467B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-105-0x000000000048B1CE-mapping.dmp

Download
memory/1972-54-0x0000000000E10000-0x0000000000EDC000-memory.dmp

Filesize
816KB

Download
memory/1972-60-0x0000000000D80000-0x0000000000E10000-memory.dmp

Filesize
576KB

Download
memory/1972-57-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/1972-55-0x0000000000AB0000-0x0000000000B4A000-memory.dmp

Filesize
616KB

Download
memory/2028-58-0x0000000000000000-mapping.dmp

Download
memory/2036-141-0x000000000048B1CE-mapping.dmp

Download
memory/2036-147-0x00000000740D0000-0x000000007467B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads