hawkeye | c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08

General

Target

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
Size

684KB
MD5

3a500a18474fc05e3f3d7123fb54400e
SHA1

9f17a0fd847d49abea516952bd6a27b94993e9a1
SHA256

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08
SHA512

02050a9d79f1e23d2dbc8c9b4a1f087548ad79fcf62045bf23b251b6151c84cfa23ac670857d9bf55ab7a8c2846c6dc09fa9be6b7cfc3fb82bb8ab0d08a9f6d3
SSDEEP

12288:btE3CmI1SzdCJ3wZvYYnIjzfUHcuiBozJIl95cTWYNGzYZkL3s/S7nwx0:bSylSzdlv2jzfUFiLLQNGzYo4S7nwx

Score

10^/10

hawkeye keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/832-139-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/832-140-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral2/memory/832-142-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView
behavioral2/memory/832-141-0x0000000000400000-0x000000000048C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/832-139-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/832-140-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral2/memory/832-142-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView
behavioral2/memory/832-141-0x0000000000400000-0x000000000048C000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/832-139-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/832-140-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral2/memory/832-142-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft
behavioral2/memory/832-141-0x0000000000400000-0x000000000048C000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 whatismyipaddress.com
38 whatismyipaddress.com

flow	ioc
36	whatismyipaddress.com
38	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description	pid	process	target process
PID 4956 set thread context of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 set thread context of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 832 set thread context of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

688 2988 WerFault.exe vbc.exe
4868 2988 WerFault.exe vbc.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

pid	pid_target	process	target process
688	2988	WerFault.exe	vbc.exe
4868	2988	WerFault.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

pid	process
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
Token: SeRestorePrivilege	1888	dw20.exe
Token: SeBackupPrivilege	1888	dw20.exe
Token: SeBackupPrivilege	1888	dw20.exe
Token: SeBackupPrivilege	1888	dw20.exe
Token: SeBackupPrivilege	1888	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

pid process

832 c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exec01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe

description	pid	process	target process
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 4956 wrote to memory of 3984	4956	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 3984 wrote to memory of 832	3984	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 2988	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	vbc.exe
PID 832 wrote to memory of 1888	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe
PID 832 wrote to memory of 1888	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe
PID 832 wrote to memory of 1888	832	c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
"C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
  "C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe
    "C:\Users\Admin\AppData\Local\Temp\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 188
        5⤵
        Program crash
        
        PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 232
        5⤵
        Program crash
        
        PID:4868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 2632
      4⤵
      Drops file in Windows directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2988 -ip 2988
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2988 -ip 2988
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c01eeff0cdfe8e1fcc2475f0296a3bd5ac314aaa7004a6fba95fd5ab37817d08.exe.log

Filesize
408B

MD5
2d362531e18207d8e72a10ba27f12ca2

SHA1
42a3de9849915d1d25da086026dff1952d39ae3b

SHA256
cf39cec2d65bcda74a7d8a7cb889455d9a7348f6a25180afb6f5121bafb8c56a

SHA512
a36f09f1e957fcf4c8804c7a9328176ff19badd935c8bf1313e5d59e71e503a160b93052b23e19733b791b5e9f5282d6b498f8e2973ef8f7a303e38b22a64355

Download Submit
memory/832-147-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/832-154-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/832-148-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/832-139-0x0000000000000000-mapping.dmp

Download
memory/832-140-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/832-142-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/832-141-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1888-153-0x0000000000000000-mapping.dmp

Download
memory/2988-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-149-0x0000000000000000-mapping.dmp

Download
memory/3984-136-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3984-146-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/3984-138-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/3984-135-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3984-134-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3984-133-0x0000000000000000-mapping.dmp

Download
memory/4956-145-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/4956-132-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads