hawkeye | 8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

Analysis

max time kernel
180s
max time network
171s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Size

871KB
MD5

1dd3046dfe2f54a0568ef1df5ff5089b
SHA1

d03827ca82c37acd99ad29805fcd2dc4863e6281
SHA256

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c
SHA512

c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94
SSDEEP

12288:SeoOpsSa1ApP5pEMbKiskasiRP4CscPDZ3p3DnkD1BaJFw6zUJYd:xVPXbqtFfwyws

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
king@kong

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/596-65-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/596-66-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/596-67-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/596-68-0x000000000047EA8E-mapping.dmp	MailPassView
behavioral1/memory/596-71-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/596-73-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1732-101-0x000000000047EA8E-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/596-65-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/596-66-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/596-67-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/596-68-0x000000000047EA8E-mapping.dmp	WebBrowserPassView
behavioral1/memory/596-71-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/596-73-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1732-101-0x000000000047EA8E-mapping.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/596-65-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/596-66-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/596-67-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/596-68-0x000000000047EA8E-mapping.dmp	Nirsoft
behavioral1/memory/596-71-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/596-73-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1732-101-0x000000000047EA8E-mapping.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exeWindows Update.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

pid	process
1372	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1008	Windows Update.exe
1876	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Loads dropped DLL 8 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exeWindows Update.exe

pid	process
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1008	Windows Update.exe
1008	Windows Update.exe
1008	Windows Update.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\Sample.lnk"	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 whatismyipaddress.com
14 whatismyipaddress.com
15 whatismyipaddress.com

flow	ioc
12	whatismyipaddress.com
14	whatismyipaddress.com
15	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

description	pid	process	target process
PID 948 set thread context of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 set thread context of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

pid	process
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exeWindows Update.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

description	pid	process
Token: SeDebugPrivilege	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Token: SeDebugPrivilege	1008	Windows Update.exe
Token: SeDebugPrivilege	1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

pid process

1732 8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

pid	process
1732	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe

C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
"C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1800

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
"C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe"
2⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
"C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
"C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe"
2⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
"C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
Filesize
834B

MD5
2f9af8e0d783cfa432c7041713c8f5ee

SHA1
974e325ade4fd9e3f450913e8269c78d1ef4836a

SHA256
b4c71719b03d24adf1b8d89707cdf20e2b0be78c58686d78c340da6fd3a00eb3

SHA512
3ccb5b22dd0cb7e4841b4979d1c0aa6e921925cc9a187c88d67d6e2f19285ed4acc30424c7e481b61e215bdae8af9d4bdc9c17fada508ff0385cd9d456968c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_500F57EEC9E626F78EE636E0FA5E7AFB
Filesize
1KB

MD5
42326c9e1ae64c2c9584405ad2e41684

SHA1
a9a2d44354f12ba463f165ab44b8c28958f526fc

SHA256
9e879254481b59cf57329951742a3e106135df61ebd5c151e5c623d4d2c91801

SHA512
4fa586a5e61437a674e3e7c1233786abebf59c62c621c21438465f932aa065b34e6a9a326f59b983e57e553881bcb82bf7ce788f5e88fd7a6f8e898093ad11a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
Filesize
404B

MD5
464ee0e3c5949f60bf77ef35128163fe

SHA1
9b926b1e83fcb1a71ec29da9d28e40d5c48f2e0d

SHA256
3c0fecc1ebb0638756116cc588d1c9f6091c08bb28ce9e45fcc5d9f0ae198377

SHA512
0381cd0835af66231a7bbe5d0709356df218fc45cb379c5af990d2b8559ca9c68214c0b07bd271b5925154b421b7e0de82c6a2d0a373c3a172a392b50100054e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
Filesize
188B

MD5
4cf152e932ab55e56e6aeddb2ed935b4

SHA1
77bec318ace78a84ee67c7c3670e5b99dfde234f

SHA256
be4c500ded14ce9a9cec6d63b9a1b85d5731040139f0437478c9ad66c024be40

SHA512
a178cc0ae7a585d8d3ed110777cd44233e3f1a50b07e1fae4d0a99800f064c779dac42b783e5f33d4bb93d810ecaa8be772d734cab56062dd83a2f2ded34a56e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
775852c8b6c321c9f022c35ecff62f9e

SHA1
7f2b07a8fb1a43e7c98b91fe95c1120e746265fe

SHA256
4e4f3ad36307210173545bcc43bd82f76acd30fd062c8fad6dbc143391be6d07

SHA512
e838b47376eaf57dfeb82dd8f495af5d01c19172f6bb7fb5b73a2c1b4bbcceb5a02d28aa1d9afa6ee777ae607ab5c68aeb307fc210c9e2d5d76316aef1905b15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_500F57EEC9E626F78EE636E0FA5E7AFB
Filesize
394B

MD5
df8ee019cfed81244b8f2fc378065fc7

SHA1
caf6c55fdece5d303f0ca377eeca3618d7eccad8

SHA256
f66128dfb7b1d6a6729d604e1bd53d4d05336549475a45efe3f2460995e60519

SHA512
6adb5d4085720f3143021066377e66641f01cc2a11aec9dc9d89e54faf4f10148b6a4ccb03f028bd7d5d8768529e01740f6d40a4f6c3aca898898b94f3c54168

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
be3e5c4c8c5557368c740b4d3cf679da

SHA1
9a2dc2647e5e4837fe52f210ff871c8338343503

SHA256
b565e7ec93b124a7ea2fe58c96111cfbac0a94de13b7c2e7f35e4e78c4be8aac

SHA512
cedeeade16dd6db939ae43dbd51895c7449f7a45e63c08bd04c1c5697dba841386dc7f5b90974a873cf28cdba2a9f0405ef541a76725d0fc99bf80452cb872ea

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Local\Temp\8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
871KB

MD5
1dd3046dfe2f54a0568ef1df5ff5089b

SHA1
d03827ca82c37acd99ad29805fcd2dc4863e6281

SHA256
8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c

SHA512
c38b3c7b9a8e5f6e4d58be65c9c5392799928a309fa9b50a3b297d88f619f536310925f5840c0e11557ac453b2ffb06840f347f0233e78751c7e66fa055d6d94

Download Submit
memory/596-75-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/596-73-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-81-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/596-68-0x000000000047EA8E-mapping.dmp

Download
memory/596-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-62-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/804-58-0x0000000000000000-mapping.dmp

Download
memory/948-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/948-55-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-77-0x0000000000000000-mapping.dmp

Download
memory/1008-109-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-101-0x000000000047EA8E-mapping.dmp

Download
memory/1732-110-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-111-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-57-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 948 wrote to memory of 1800	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 1800	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 1800	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 1800	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 804	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 804	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 804	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 804	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	CMD.exe
PID 948 wrote to memory of 1372	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1372	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1372	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1372	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 596	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 596 wrote to memory of 1008	596	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	Windows Update.exe
PID 948 wrote to memory of 1876	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1876	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1876	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1876	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe
PID 948 wrote to memory of 1732	948	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe	8d7b3d419302a1fad52e52d070a4aec6baf898d99d86315353e3cf88cfd4b90c.exe