hawkeye | a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

Analysis

max time kernel
152s
max time network
112s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Size

1.3MB
MD5

24fed3f31bf8912606adb5862ceb3ac8
SHA1

f2ba97e8cba9f8f24142ac2f1daee67783fb80ee
SHA256

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94
SHA512

48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0
SSDEEP

24576:9BxmWHAs0A6yDW3Yzv7NeGd6znhc2eEUWXXL9VAIEqJTsj7/pTA:9LhHAbz07jMC2eDWnXAIEx/1

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

natsv.exednsmon.exenatsv.exe

pid process

1388 natsv.exe
1080 dnsmon.exe
1436 natsv.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exenatsv.exe

pid process

1752 cmd.exe
1388 natsv.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1388	natsv.exe
1080	dnsmon.exe
1436	natsv.exe

pid	process
1752	cmd.exe
1388	natsv.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exednsmon.exeRegAsm.exe

description	pid	process	target process
PID 1248 set thread context of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1080 set thread context of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1664 set thread context of 828	1664	RegAsm.exe	vbc.exe
PID 1664 set thread context of 1288	1664	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exenatsv.exenatsv.exednsmon.exe

pid	process
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1388	natsv.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe
1080	dnsmon.exe
1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
1436	natsv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exenatsv.exednsmon.exenatsv.exeRegAsm.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Token: SeDebugPrivilege	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
Token: SeDebugPrivilege	1388	natsv.exe
Token: SeDebugPrivilege	1080	dnsmon.exe
Token: SeDebugPrivilege	1080	dnsmon.exe
Token: SeDebugPrivilege	1436	natsv.exe
Token: SeDebugPrivilege	1664	RegAsm.exe
Token: SeDebugPrivilege	828	vbc.exe
Token: SeDebugPrivilege	1288	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1664 RegAsm.exe

pid	process
1664	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.execmd.exenatsv.execmd.execmd.exednsmon.exeRegAsm.exe

description	pid	process	target process
PID 1248 wrote to memory of 1768	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1768	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1768	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1768	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1664	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	RegAsm.exe
PID 1248 wrote to memory of 1752	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1752	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1752	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1752	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1752 wrote to memory of 1388	1752	cmd.exe	natsv.exe
PID 1752 wrote to memory of 1388	1752	cmd.exe	natsv.exe
PID 1752 wrote to memory of 1388	1752	cmd.exe	natsv.exe
PID 1752 wrote to memory of 1388	1752	cmd.exe	natsv.exe
PID 1388 wrote to memory of 108	1388	natsv.exe	cmd.exe
PID 1388 wrote to memory of 108	1388	natsv.exe	cmd.exe
PID 1388 wrote to memory of 108	1388	natsv.exe	cmd.exe
PID 1388 wrote to memory of 108	1388	natsv.exe	cmd.exe
PID 108 wrote to memory of 400	108	cmd.exe	reg.exe
PID 108 wrote to memory of 400	108	cmd.exe	reg.exe
PID 108 wrote to memory of 400	108	cmd.exe	reg.exe
PID 108 wrote to memory of 400	108	cmd.exe	reg.exe
PID 1388 wrote to memory of 1080	1388	natsv.exe	dnsmon.exe
PID 1388 wrote to memory of 1080	1388	natsv.exe	dnsmon.exe
PID 1388 wrote to memory of 1080	1388	natsv.exe	dnsmon.exe
PID 1388 wrote to memory of 1080	1388	natsv.exe	dnsmon.exe
PID 1248 wrote to memory of 1968	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1968	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1968	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1248 wrote to memory of 1968	1248	a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe	cmd.exe
PID 1968 wrote to memory of 1436	1968	cmd.exe	natsv.exe
PID 1968 wrote to memory of 1436	1968	cmd.exe	natsv.exe
PID 1968 wrote to memory of 1436	1968	cmd.exe	natsv.exe
PID 1968 wrote to memory of 1436	1968	cmd.exe	natsv.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1080 wrote to memory of 1320	1080	dnsmon.exe	RegAsm.exe
PID 1664 wrote to memory of 828	1664	RegAsm.exe	vbc.exe
PID 1664 wrote to memory of 828	1664	RegAsm.exe	vbc.exe
PID 1664 wrote to memory of 828	1664	RegAsm.exe	vbc.exe
PID 1664 wrote to memory of 828	1664	RegAsm.exe	vbc.exe
PID 1664 wrote to memory of 828	1664	RegAsm.exe	vbc.exe
PID 1664 wrote to memory of 828	1664	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe
"C:\Users\Admin\AppData\Local\Temp\a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
5⤵
PID:400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
329B

MD5
f8ddf0fe04f214d64c3e5094ed622858

SHA1
245a91a1c968c45820fbbb319c1bcfc98b01b04e

SHA256
f73d76c930aa76b78390a50ee72b9169c7064b9e1256de76ab9ffb43bca8f5d3

SHA512
e6385a3d47f8969f2079ae28a4e2753c2da60e37601ebd15049e21f1490e7a1ec760a3cc6c8b75a8049aa8a08735a9f24187d7ad13c6ac8d4a5510dc88718900

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.3MB

MD5
24fed3f31bf8912606adb5862ceb3ac8

SHA1
f2ba97e8cba9f8f24142ac2f1daee67783fb80ee

SHA256
a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

SHA512
48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.3MB

MD5
24fed3f31bf8912606adb5862ceb3ac8

SHA1
f2ba97e8cba9f8f24142ac2f1daee67783fb80ee

SHA256
a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

SHA512
48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
4f398cb9d6bc79ae567298335b51ba8a

SHA1
776f707e19f39e6b830856a6cdf3aa605a5a283e

SHA256
5aca6f08b6780157a0da46aaaef9d86d2fe55919395b0e2aba71e52a377db90d

SHA512
6ea469870849ab48a14a65e433a1dd2fd7741ea7ed01c586424111f35256737a861c4527c66528b3ea489a6e22ed4732074167fdb152de9441d2f1958e94beca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
Filesize
1.3MB

MD5
24fed3f31bf8912606adb5862ceb3ac8

SHA1
f2ba97e8cba9f8f24142ac2f1daee67783fb80ee

SHA256
a4aa3cbf18e122b9967117aa3ebcb776886ac92973aeb9cfccb6176294d24b94

SHA512
48eeb947ffeaa991e129f70b3782bf7b8d75f1d95a4b25d8dccc871f4e4fe75c9af422590d015c602e3eedda153b7f8015e4153f4f871a9be3a1606452ddedf0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
Filesize
24KB

MD5
17f51ab722963d73b5dcd050d06e6d40

SHA1
70a1eb538fe961512c74dda727ef185c8eb42884

SHA256
e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417

SHA512
041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

Download Submit
memory/108-76-0x0000000000000000-mapping.dmp

Download
memory/400-78-0x0000000000000000-mapping.dmp

Download
memory/828-124-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-127-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-125-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-121-0x0000000000462B6D-mapping.dmp

Download
memory/828-120-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-119-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-117-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-115-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-113-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/828-112-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1080-92-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-83-0x0000000000000000-mapping.dmp

Download
memory/1080-111-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-56-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-55-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1288-129-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-130-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-145-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-142-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-141-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-132-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-138-0x0000000000460E2D-mapping.dmp

Download
memory/1288-137-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-136-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1288-134-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1320-126-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-100-0x000000000051BB1E-mapping.dmp

Download
memory/1320-107-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-79-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-86-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-73-0x0000000000000000-mapping.dmp

Download
memory/1436-110-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-91-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-88-0x0000000000000000-mapping.dmp

Download
memory/1664-109-0x0000000000BB5000-0x0000000000BC6000-memory.dmp

Filesize
68KB

Download
memory/1664-63-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-58-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-67-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-65-0x000000000051BB1E-mapping.dmp

Download
memory/1664-64-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-80-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-69-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-61-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-59-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1664-143-0x0000000000BB5000-0x0000000000BC6000-memory.dmp

Filesize
68KB

Download
memory/1664-108-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-70-0x0000000000000000-mapping.dmp

Download
memory/1768-57-0x0000000000000000-mapping.dmp

Download
memory/1968-87-0x0000000000000000-mapping.dmp

Download