hawkeye_reborn | 5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396

General

Target

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
Size

630KB
MD5

0025306c92ef036623fdd9c8680eb7f6
SHA1

5de4e2d583001cda30b555754321b58c10ed1678
SHA256

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396
SHA512

703739ae57893b286ef414f039118cf4995219a6ec7dd0768b6d7696cacdc05161ec9438a18aeaefc54b084ec4de3b6b2d7e5602a770f48d06ce40766fcc8691

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\tmp.exe	m00nd3v_logger
C:\Users\Admin\AppData\Roaming\tmp.exe	m00nd3v_logger

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/316-159-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/316-161-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/316-162-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/316-163-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4568-152-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4568-154-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4568-155-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4568-156-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4568-152-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4568-154-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4568-155-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4568-156-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/316-159-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/316-161-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/316-162-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/316-163-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

1544 tmp.exe

pid	process
1544	tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Drops startup file 1 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	pid	process	target process
PID 2036 set thread context of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 3212 set thread context of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 set thread context of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
File opened for modification	C:\Windows\assembly	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1852 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe

pid	process
1852	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exevbc.exe5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

pid	process
2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
4568	vbc.exe
3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	pid	process
Token: SeDebugPrivilege	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
Token: 33	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
Token: SeIncBasePriorityPrivilege	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
Token: SeDebugPrivilege	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

pid process

3212 5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

pid	process
3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.execmd.execmd.exe5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe

description	pid	process	target process
PID 2036 wrote to memory of 2256	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	cmd.exe
PID 2036 wrote to memory of 2256	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	cmd.exe
PID 2036 wrote to memory of 2256	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	cmd.exe
PID 2256 wrote to memory of 3116	2256	cmd.exe	reg.exe
PID 2256 wrote to memory of 3116	2256	cmd.exe	reg.exe
PID 2256 wrote to memory of 3116	2256	cmd.exe	reg.exe
PID 2036 wrote to memory of 1544	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	tmp.exe
PID 2036 wrote to memory of 1544	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	tmp.exe
PID 2036 wrote to memory of 1544	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	tmp.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3212	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
PID 2036 wrote to memory of 3324	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	cmd.exe
PID 2036 wrote to memory of 3324	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	cmd.exe
PID 2036 wrote to memory of 3324	2036	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	cmd.exe
PID 3324 wrote to memory of 1852	3324	cmd.exe	timeout.exe
PID 3324 wrote to memory of 1852	3324	cmd.exe	timeout.exe
PID 3324 wrote to memory of 1852	3324	cmd.exe	timeout.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 4568	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe
PID 3212 wrote to memory of 316	3212	5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
"C:\Users\Admin\AppData\Local\Temp\5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
3⤵
PID:3116

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe
"C:\Users\Admin\AppData\Local\Temp\5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp82A8.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAB01.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp82A8.tmp
Filesize
4KB

MD5
508d12363b937319e4dbfc174a10ecba

SHA1
edb7ae72b83074621bc83e12d79e6ec91b28952e

SHA256
2e4b211b03ba5a4b727a3bdeb55afc31be43ca8605fe7189fb755befa4f4e061

SHA512
384f33d45223f2428c80e465ecae7e15a0dc348d2421d4ede7e01e77358e8e6eadcb8002227b9577c2ee1071199267c21a5e35554fc773d4d9f583bff0265e15

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe
Filesize
630KB

MD5
0025306c92ef036623fdd9c8680eb7f6

SHA1
5de4e2d583001cda30b555754321b58c10ed1678

SHA256
5f3cc5d66dba68642ea558418b22bc59ab165263249553ce24ba10af25702396

SHA512
703739ae57893b286ef414f039118cf4995219a6ec7dd0768b6d7696cacdc05161ec9438a18aeaefc54b084ec4de3b6b2d7e5602a770f48d06ce40766fcc8691

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
Filesize
189B

MD5
dca86f6bec779bba1b58d992319e88db

SHA1
844e656d3603d15ae56f36298f8031ad52935829

SHA256
413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

SHA512
4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
Filesize
552KB

MD5
303b744ecc9e04220c120c94d09255b2

SHA1
935d2def9b2e6a12621c66a0f490da4a57f3152f

SHA256
053ec3c54bdbac87c67d027024b51bb5cb5fa54c2b2b5edbbd9984be073dde3a

SHA512
023e85be566aa25342c1cd5132641dbe81b4c83f06652fff4e28bf39c4f42deda180e469ce555e402be57b318b98a1bf305b01a6d85ae529d6946fcb02fd21e9

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
Filesize
552KB

MD5
303b744ecc9e04220c120c94d09255b2

SHA1
935d2def9b2e6a12621c66a0f490da4a57f3152f

SHA256
053ec3c54bdbac87c67d027024b51bb5cb5fa54c2b2b5edbbd9984be073dde3a

SHA512
023e85be566aa25342c1cd5132641dbe81b4c83f06652fff4e28bf39c4f42deda180e469ce555e402be57b318b98a1bf305b01a6d85ae529d6946fcb02fd21e9

Download Submit
memory/316-163-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/316-162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/316-161-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/316-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/316-158-0x0000000000000000-mapping.dmp

Download
memory/1544-147-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1544-140-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1544-150-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1544-137-0x0000000000000000-mapping.dmp

Download
memory/1852-145-0x0000000000000000-mapping.dmp

Download
memory/2036-133-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/2036-132-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/2036-149-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/2256-134-0x0000000000000000-mapping.dmp

Download
memory/3116-135-0x0000000000000000-mapping.dmp

Download
memory/3212-141-0x0000000000000000-mapping.dmp

Download
memory/3212-148-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/3212-146-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/3324-143-0x0000000000000000-mapping.dmp

Download
memory/4568-155-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4568-156-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4568-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4568-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4568-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads