hawkeye | fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8

General

Target

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
Size

985KB
MD5

5d2da9b42ecb25a2ef75a3df61cce0f3
SHA1

ab1f675356123b518aea542d0b4d7535c490bf1a
SHA256

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8
SHA512

5fa781eecd3715b53017989ce8c737d0e760e398631c5088290bbb163b376526ba2c9ea7940b38dbad1ea73f187468bf72369ee22ee48a5e20545c57532b1c41
SSDEEP

24576:7wZc+Mn5x6G+zuRrCtMRYMVi+1iJA3KaGco3SjA6f1Gvz4r:7X9f6G2uN6M8iwdsAm1q

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3256-136-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/1792-154-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/1792-155-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1792-157-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1792-158-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3256-136-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/2984-159-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/2984-160-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2984-162-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/2984-164-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3256-136-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/1792-154-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1792-155-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1792-157-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1792-158-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2984-159-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2984-160-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2984-162-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2984-164-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

4996 Windows Update.exe
3440 Windows Update.exe

pid	process
4996	Windows Update.exe
3440	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 whatismyipaddress.com
22 whatismyipaddress.com

flow	ioc
20	whatismyipaddress.com
22	whatismyipaddress.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 2232 set thread context of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 4996 set thread context of 3440	4996	Windows Update.exe	Windows Update.exe
PID 3440 set thread context of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 set thread context of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 set thread context of 4596	3440	Windows Update.exe	vbc.exe

Drops file in Windows directory 5 IoCs

Processes:

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exeWindows Update.exedw20.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	Windows Update.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	Windows Update.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3252 4596 WerFault.exe vbc.exe
4572 4596 WerFault.exe vbc.exe

pid	pid_target	process	target process
3252	4596	WerFault.exe	vbc.exe
4572	4596	WerFault.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exeWindows Update.exe

pid	process
2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe
3440	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exeWindows Update.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
Token: SeDebugPrivilege	3440	Windows Update.exe
Token: SeRestorePrivilege	3144	dw20.exe
Token: SeBackupPrivilege	3144	dw20.exe
Token: SeBackupPrivilege	3144	dw20.exe
Token: SeBackupPrivilege	3144	dw20.exe
Token: SeBackupPrivilege	3144	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

3440 Windows Update.exe

pid	process
3440	Windows Update.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exefc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exeWindows Update.exeWindows Update.exe

description	pid	process	target process
PID 2232 wrote to memory of 1748	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 1748	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 1748	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 4768	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 4768	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 4768	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 2232 wrote to memory of 3256	2232	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
PID 3256 wrote to memory of 4996	3256	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	Windows Update.exe
PID 3256 wrote to memory of 4996	3256	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	Windows Update.exe
PID 3256 wrote to memory of 4996	3256	fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 4996 wrote to memory of 3440	4996	Windows Update.exe	Windows Update.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 1792	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 2984	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 4596	3440	Windows Update.exe	vbc.exe
PID 3440 wrote to memory of 3144	3440	Windows Update.exe	dw20.exe
PID 3440 wrote to memory of 3144	3440	Windows Update.exe	dw20.exe
PID 3440 wrote to memory of 3144	3440	Windows Update.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
"C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
"C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe"
2⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
"C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:1792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
5⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 184
6⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 188
6⤵
- Program crash
PID:4572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1044
5⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe
"C:\Users\Admin\AppData\Local\Temp\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe"
2⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4596 -ip 4596
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4596 -ip 4596
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8.exe.log
Filesize
411B

MD5
e2eedda50223a58e2bbe18223c9ceff4

SHA1
72653d8b29e2fbd683be979c4e0903e376352c46

SHA256
7e1b081fe3a560b0fbc63fc97acdf2e42aaa7d291f0bdca4c3a527a19979f060

SHA512
bbdd82180301cfe8b6cc4b03bef68e4587952e6d9428ac28e25f6f21afa516ebc425f80fbc5bede4240260f055423f647c68509674f4add73a6d582e5f39891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
568198f493dd4d7271c038eb9df14b10

SHA1
6918dd233dd76f484992f2cc20cb20af1d35fb89

SHA256
375741188d8e2cf3b8adf006b0ab62cfc4529b363ecf92d85cd76c6d26ed18e7

SHA512
ecaa22981f909d5d63c238d124bbe3b496baca3cd36d6fb80644c68b620abcc4eefed65137e962d81fa22eb1dad5f6e8030c65aa2265374d95877eb43ec51106

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
985KB

MD5
5d2da9b42ecb25a2ef75a3df61cce0f3

SHA1
ab1f675356123b518aea542d0b4d7535c490bf1a

SHA256
fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8

SHA512
5fa781eecd3715b53017989ce8c737d0e760e398631c5088290bbb163b376526ba2c9ea7940b38dbad1ea73f187468bf72369ee22ee48a5e20545c57532b1c41

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
985KB

MD5
5d2da9b42ecb25a2ef75a3df61cce0f3

SHA1
ab1f675356123b518aea542d0b4d7535c490bf1a

SHA256
fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8

SHA512
5fa781eecd3715b53017989ce8c737d0e760e398631c5088290bbb163b376526ba2c9ea7940b38dbad1ea73f187468bf72369ee22ee48a5e20545c57532b1c41

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
985KB

MD5
5d2da9b42ecb25a2ef75a3df61cce0f3

SHA1
ab1f675356123b518aea542d0b4d7535c490bf1a

SHA256
fc1bf3ec89e6decb97d920558547cadf88e2a7aed3a76efa65bf505d7f515ef8

SHA512
5fa781eecd3715b53017989ce8c737d0e760e398631c5088290bbb163b376526ba2c9ea7940b38dbad1ea73f187468bf72369ee22ee48a5e20545c57532b1c41

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
202b5b57b0b5020110197eac08fe66c2

SHA1
4f53794db7cf970106f3d967bd2ee3cd9d06c777

SHA256
15517b289ec672ffb4d9a1491bbd5a24caefc951dcece0f94743166a6b07edd0

SHA512
0e2403114eae0776d341000ea27255f74dca2cdc2fcd1299acc42e9f91cd9779e4228fd4757a24c73b81ad7a1a5907210493b9ed0a2d9c2528f7da8942f75753

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
202b5b57b0b5020110197eac08fe66c2

SHA1
4f53794db7cf970106f3d967bd2ee3cd9d06c777

SHA256
15517b289ec672ffb4d9a1491bbd5a24caefc951dcece0f94743166a6b07edd0

SHA512
0e2403114eae0776d341000ea27255f74dca2cdc2fcd1299acc42e9f91cd9779e4228fd4757a24c73b81ad7a1a5907210493b9ed0a2d9c2528f7da8942f75753

Download Submit
memory/1748-133-0x0000000000000000-mapping.dmp

Download
memory/1792-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-154-0x0000000000000000-mapping.dmp

Download
memory/1792-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-155-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-139-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2232-132-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2984-164-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2984-162-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2984-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2984-159-0x0000000000000000-mapping.dmp

Download
memory/3144-169-0x0000000000000000-mapping.dmp

Download
memory/3256-135-0x0000000000000000-mapping.dmp

Download
memory/3256-136-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3256-140-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3256-145-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3440-151-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3440-153-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3440-147-0x0000000000000000-mapping.dmp

Download
memory/3440-170-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4596-166-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4596-165-0x0000000000000000-mapping.dmp

Download
memory/4768-134-0x0000000000000000-mapping.dmp

Download
memory/4996-150-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/4996-141-0x0000000000000000-mapping.dmp

Download
memory/4996-146-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads