hawkeye | 871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70

General

Target

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
Size

1.1MB
MD5

628159cada256516f610bbe6db816f77
SHA1

3d707cc93337e5d875861e01e363e10be7248702
SHA256

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70
SHA512

cc86a5fdc6d506c3b838ea83ced31d7264ab32296b45993f3a20af2ecd521f81dfb426eda345e4615e3505ace632b1c1a9551d418c835625ab61123b3a40d965
SSDEEP

24576:1ALejTbyeniCQEx88bUJevBnDa58aY+zX52t4/xpeJ2YYHv:1M4GCF8uU8cgk4tAxpsQv

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
qwerty@321

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

NirSoft MailPassView 14 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe	MailPassView
behavioral1/memory/580-68-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/580-69-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/580-71-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1724-72-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1724-73-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1724-76-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1724-78-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1724-80-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/580-81-0x000000000047EA6E-mapping.dmp	MailPassView
behavioral1/memory/580-84-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/580-86-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 13 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\tmp.exe	WebBrowserPassView
behavioral1/memory/580-68-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/580-69-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/580-71-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/580-81-0x000000000047EA6E-mapping.dmp	WebBrowserPassView
behavioral1/memory/580-84-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/580-86-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1508-93-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1508-92-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1508-96-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1508-98-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 18 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\tmp.exe	Nirsoft
behavioral1/memory/580-68-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/580-69-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/580-71-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1724-72-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1724-73-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1724-76-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1724-78-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1724-80-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/580-81-0x000000000047EA6E-mapping.dmp	Nirsoft
behavioral1/memory/580-84-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/580-86-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1508-93-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1508-92-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1508-96-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1508-98-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

tmp.exenotepad .exe

pid process

1380 tmp.exe
580 notepad .exe

pid	process
1380	tmp.exe
580	notepad .exe

Loads dropped DLL 2 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

pid	process
1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	tmp.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 whatismyipaddress.com
6 whatismyipaddress.com
3 whatismyipaddress.com

flow	ioc
5	whatismyipaddress.com
6	whatismyipaddress.com
3	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exetmp.exe

description	pid	process	target process
PID 1464 set thread context of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1380 set thread context of 1724	1380	tmp.exe	vbc.exe
PID 1380 set thread context of 1508	1380	tmp.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

pid	process
1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
Token: SeDebugPrivilege	1380	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

1380 tmp.exe

pid	process
1380	tmp.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.execmd.exetmp.exe

description	pid	process	target process
PID 1464 wrote to memory of 1704	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 1464 wrote to memory of 1704	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 1464 wrote to memory of 1704	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 1464 wrote to memory of 1704	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	cmd.exe
PID 1704 wrote to memory of 824	1704	cmd.exe	wscript.exe
PID 1704 wrote to memory of 824	1704	cmd.exe	wscript.exe
PID 1704 wrote to memory of 824	1704	cmd.exe	wscript.exe
PID 1704 wrote to memory of 824	1704	cmd.exe	wscript.exe
PID 1464 wrote to memory of 1380	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 1464 wrote to memory of 1380	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 1464 wrote to memory of 1380	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 1464 wrote to memory of 1380	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	tmp.exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1464 wrote to memory of 580	1464	871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe	notepad .exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1724	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe
PID 1380 wrote to memory of 1508	1380	tmp.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe
"C:\Users\Admin\AppData\Local\Temp\871538f3f68fa01e94cdc5d0330a64133b933ba4ff14be18dac92b07f366ea70.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Windows\temp\invs.vbs" "C:\Windows\temp\mata2.bat
3⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata.bat

Filesize
69B

MD5
1d3598a9affc15c286c78b40a665bffc

SHA1
dad491b8d033ce7dd37b8cade0eb6f8fdb61ecdf

SHA256
524357b7b65b324c1c32607ba9cc71fed6437c502540c059732e8a44a6129bb2

SHA512
3c7ccc403d9c515f04acc99607609cd2254b2f5a21667f4df5706297e4a5ef15a161da839e325b755f6f9eec8b47e060ec1a027b0092c5b70cbbbb853228d0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
502KB

MD5
dd2f48d0d1fbc39d67d398c02dd03d08

SHA1
f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807

SHA256
b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f

SHA512
22ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
502KB

MD5
dd2f48d0d1fbc39d67d398c02dd03d08

SHA1
f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807

SHA256
b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f

SHA512
22ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
502KB

MD5
dd2f48d0d1fbc39d67d398c02dd03d08

SHA1
f34c3bd0511d0fe4f3a7417b31ccdf7ae8d4b807

SHA256
b3d5c2e7a04dd9b3c5da94b91b5783e2f1e65a6ddb26b86b62bc7f9d68986d1f

SHA512
22ebb2c8bf613987ded5f8e50a0edd6e19203b1187a52bdc442c4fa77113d8b3ba40b15d9b1af48f89b0153e3ab7c877d4d05a4c8a6a8bb6add1fda2fdac693c

Download Submit
memory/580-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-84-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-69-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-86-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/580-81-0x000000000047EA6E-mapping.dmp

Download
memory/580-91-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/580-90-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/580-89-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/824-57-0x0000000000000000-mapping.dmp

Download
memory/1380-70-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-79-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-59-0x0000000000000000-mapping.dmp

Download
memory/1464-60-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-77-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-99-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1508-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1508-93-0x0000000000442628-mapping.dmp

Download
memory/1508-92-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1508-98-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1704-55-0x0000000000000000-mapping.dmp

Download
memory/1724-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-73-0x0000000000411654-mapping.dmp

Download
memory/1724-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads