hawkeye | b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

General

Target

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Size

1.1MB
MD5

f318e540a01cf649bbb1640c81c55c94
SHA1

7afdb12755c99467b79dcc7ca92b07cac8b38a93
SHA256

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91
SHA512

a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87
SSDEEP

24576:X6blI9AqgZh+D3vspAANvVp2OrHtKuzNwiTIV3teph6ar+:X6bK91eh+D0pFBKOn8lwph6ay

Score

10^/10

hawkeye keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
drlwjrdttnageixp

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 11 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1580-73-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1580-74-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1580-71-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1580-75-0x00000000004EB1AE-mapping.dmp	MailPassView
behavioral1/memory/1580-78-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/1580-80-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral1/memory/920-86-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/920-87-0x0000000000411714-mapping.dmp	MailPassView
behavioral1/memory/920-90-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/920-91-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/920-100-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1580-73-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-74-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-71-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-75-0x00000000004EB1AE-mapping.dmp	WebBrowserPassView
behavioral1/memory/1580-78-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-80-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1604-92-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1604-93-0x0000000000442F04-mapping.dmp	WebBrowserPassView
behavioral1/memory/1604-96-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1604-97-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1604-98-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-73-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1580-74-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1580-71-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1580-75-0x00000000004EB1AE-mapping.dmp	Nirsoft
behavioral1/memory/1580-78-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/1580-80-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral1/memory/920-86-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/920-87-0x0000000000411714-mapping.dmp	Nirsoft
behavioral1/memory/920-90-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/920-91-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1604-92-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1604-93-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral1/memory/1604-96-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1604-97-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1604-98-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/920-100-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2032-101-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/2032-102-0x000000000040BEC0-mapping.dmp	Nirsoft
behavioral1/memory/2032-105-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/2032-107-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/844-108-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral1/memory/844-109-0x000000000043BC50-mapping.dmp	Nirsoft
behavioral1/memory/844-112-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft
behavioral1/memory/844-113-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

nvtray.exenvtray.exe

pid process

1700 nvtray.exe
1580 nvtray.exe
Loads dropped DLL 1 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe

pid process

1952 b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
7 whatismyipaddress.com
4 whatismyipaddress.com

pid	process
1700	nvtray.exe
1580	nvtray.exe

flow	ioc
6	whatismyipaddress.com
7	whatismyipaddress.com
4	whatismyipaddress.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exenvtray.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nvtray.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nvtray.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nvtray.exenvtray.exe

description	pid	process	target process
PID 1700 set thread context of 1580	1700	nvtray.exe	nvtray.exe
PID 1580 set thread context of 920	1580	nvtray.exe	vbc.exe
PID 1580 set thread context of 1604	1580	nvtray.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exenvtray.exenvtray.exe

pid	process
1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1700	nvtray.exe
1700	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe
1580	nvtray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exenvtray.exenvtray.exe

description	pid	process
Token: SeDebugPrivilege	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
Token: SeDebugPrivilege	1700	nvtray.exe
Token: SeDebugPrivilege	1580	nvtray.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nvtray.exe

pid process

1580 nvtray.exe

pid	process
1580	nvtray.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.execmd.exenvtray.exenvtray.exe

description	pid	process	target process
PID 1952 wrote to memory of 1108	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 1952 wrote to memory of 1108	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 1952 wrote to memory of 1108	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 1952 wrote to memory of 1108	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	cmd.exe
PID 1108 wrote to memory of 1156	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1156	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1156	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1156	1108	cmd.exe	reg.exe
PID 1952 wrote to memory of 1700	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 1952 wrote to memory of 1700	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 1952 wrote to memory of 1700	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 1952 wrote to memory of 1700	1952	b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1700 wrote to memory of 1580	1700	nvtray.exe	nvtray.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 920	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe
PID 1580 wrote to memory of 1604	1580	nvtray.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe
"C:\Users\Admin\AppData\Local\Temp\b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows" /f /v "Load" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nvtray.exe"
3⤵
PID:1156

C:\Users\Admin\AppData\Roaming\nvtray.exe
"C:\Users\Admin\AppData\Roaming\nvtray.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\nvtray.exe
"C:\Users\Admin\AppData\Roaming\nvtray.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
4⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
4⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
4⤵
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt
Filesize
1KB

MD5
c1da33bc664c10aa86e6e450136bb4b3

SHA1
4001924b38dc3e41a5d9573e2880919e204ede94

SHA256
02c8c655b70f06dcde29a6bbaf35f76a70210954b5d934ca65f83e4f91e24391

SHA512
5ce23126fdee1d418606f33217638818fcf0c44fcc19bbb1ab259ce0468db6878469a6f6c7f38d094d03a02104ddeb900364d367ad91753d2169e2b92660d8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
C:\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
\Users\Admin\AppData\Roaming\nvtray.exe
Filesize
1.1MB

MD5
f318e540a01cf649bbb1640c81c55c94

SHA1
7afdb12755c99467b79dcc7ca92b07cac8b38a93

SHA256
b4466b32eaccffeb486bf92dc0bcf26a9f29c6b8c148cc004ed9bb0eabc5ae91

SHA512
a5438f40ed13d0e262ac548d8dcc7a559763a4eda3c6d3df77629baa578898eaa94f4b449db21027a3c28e98072bc7a774b7f949b5c5d7b4e6a7b7ec76e4bb87

Download Submit
memory/844-113-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/844-112-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/844-109-0x000000000043BC50-mapping.dmp

Download
memory/844-108-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/920-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/920-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/920-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/920-87-0x0000000000411714-mapping.dmp

Download
memory/920-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-58-0x0000000000000000-mapping.dmp

Download
memory/1156-59-0x0000000000000000-mapping.dmp

Download
memory/1580-67-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-73-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-75-0x00000000004EB1AE-mapping.dmp

Download
memory/1580-78-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-80-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-82-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-68-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-71-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-85-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-74-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1604-96-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1604-92-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1604-93-0x0000000000442F04-mapping.dmp

Download
memory/1604-97-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1604-98-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1700-61-0x0000000000000000-mapping.dmp

Download
memory/1700-70-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-84-0x0000000002056000-0x0000000002067000-memory.dmp

Filesize
68KB

Download
memory/1700-83-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-72-0x0000000002056000-0x0000000002067000-memory.dmp

Filesize
68KB

Download
memory/1952-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1952-66-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-62-0x0000000002226000-0x0000000002237000-memory.dmp

Filesize
68KB

Download
memory/1952-57-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-56-0x0000000002226000-0x0000000002237000-memory.dmp

Filesize
68KB

Download
memory/1952-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-102-0x000000000040BEC0-mapping.dmp

Download
memory/2032-105-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2032-107-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2032-101-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads