hawkeye | c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08

General

Target

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
Size

684KB
MD5

3a500a18474fc05e3f3d7123fb54400e
SHA1

9f17a0fd847d49abea516952bd6a27b94993e9a1
SHA256

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08
SHA512

02050a9d79f1e23d2dbc8c9b4a1f087548ad79fcf62045bf23b251b6151c84cfa23ac670857d9bf55ab7a8c2846c6dc09fa9be6b7cfc3fb82bb8ab0d08a9f6d3
SSDEEP

12288:btE3CmI1SzdCJ3wZvYYnIjzfUHcuiBozJIl95cTWYNGzYZkL3s/S7nwx0:bSylSzdlv2jzfUFiLLQNGzYo4S7nwx

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1580-75-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1580-78-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1580-80-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1580-82-0x00000000004859FE-mapping.dmp	MailPassView
behavioral1/memory/1580-85-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral1/memory/1580-87-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1580-75-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-78-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-80-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-82-0x00000000004859FE-mapping.dmp	WebBrowserPassView
behavioral1/memory/1580-85-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1580-87-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-75-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1580-78-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1580-80-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1580-82-0x00000000004859FE-mapping.dmp	Nirsoft
behavioral1/memory/1580-85-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral1/memory/1580-87-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description	pid	process	target process
PID 904 set thread context of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 set thread context of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 1580 set thread context of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1252 1104 WerFault.exe vbc.exe

pid	pid_target	process	target process
1252	1104	WerFault.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

pid	process
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description pid process

Token: SeDebugPrivilege 1580 c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

pid process

1580 c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description	pid	process
Token: SeDebugPrivilege	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exevbc.exe

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
2⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
2⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
2⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
2⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
3⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
4⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 36
5⤵
- Program crash
PID:1252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1444
4⤵
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-68-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/556-63-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/556-56-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/556-57-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/556-84-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/556-61-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/556-70-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/556-65-0x000000000049796E-mapping.dmp

Download
memory/556-59-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/904-67-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/904-55-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/904-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1104-92-0x0000000000411654-mapping.dmp

Download
memory/1104-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1252-97-0x0000000000000000-mapping.dmp

Download
memory/1304-95-0x0000000000000000-mapping.dmp

Download
memory/1580-73-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1580-82-0x00000000004859FE-mapping.dmp

Download
memory/1580-85-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1580-87-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1580-89-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-90-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-80-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1580-78-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1580-75-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1580-96-0x00000000022F5000-0x0000000002306000-memory.dmp

Filesize
68KB

Download
memory/1580-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

description	pid	process	target process
PID 904 wrote to memory of 1640	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1640	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1640	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1640	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1860	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1860	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1860	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 1860	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 832	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 832	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 832	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 832	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 760	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 760	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 760	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 760	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 892	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 892	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 892	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 892	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 904 wrote to memory of 556	904	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1164	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1164	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1164	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1164	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 556 wrote to memory of 1580	556	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1104	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 1580 wrote to memory of 1304	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe
PID 1580 wrote to memory of 1304	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe
PID 1580 wrote to memory of 1304	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe
PID 1580 wrote to memory of 1304	1580	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe
PID 1104 wrote to memory of 1252	1104	vbc.exe	WerFault.exe
PID 1104 wrote to memory of 1252	1104	vbc.exe	WerFault.exe
PID 1104 wrote to memory of 1252	1104	vbc.exe	WerFault.exe
PID 1104 wrote to memory of 1252	1104	vbc.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads