hawkeye | ba035412a2f4ce5f1496c6ed0220fa9958c070a532dd4b2541b648331a3a0454

General

Target

PI.exe
Size

992KB
MD5

f915f94f551c0c5371d093dbe27bbfaa
SHA1

912941a11e2c924eceb37ac5928ba457a10d8512
SHA256

9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22
SHA512

a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786
SSDEEP

24576:NaPY8FueJVd/IfHydpi7m4Qt/XZhGPUKcpO+gpqeDySVR+PJ:GTN8Ui7mh/DGSpO+gp5nP

Score

10^/10

hawkeye agilenet keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
diamond7625w@gmail.com
Password:
pdmiawgubaleywef

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1076-120-0x000000000047E90E-mapping.dmp	MailPassView
behavioral1/memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/1808-159-0x000000000047E90E-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1076-120-0x000000000047E90E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/1808-159-0x000000000047E90E-mapping.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1076-120-0x000000000047E90E-mapping.dmp	Nirsoft
behavioral1/memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/1808-159-0x000000000047E90E-mapping.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

IpOverUsbSvrc.exe

pid process

888 IpOverUsbSvrc.exe
Loads dropped DLL 1 IoCs

Processes:

PI.exe

pid process

1476 PI.exe

pid	process
888	IpOverUsbSvrc.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exePI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	PI.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 whatismyipaddress.com
4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
7	whatismyipaddress.com
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 7 IoCs

Processes:

PI.exePI.exePI.exePI.exePI.exePI.exe

description	pid	process	target process
PID 1476 set thread context of 1984	1476	PI.exe	PI.exe
PID 1984 set thread context of 1608	1984	PI.exe	PI.exe
PID 1476 set thread context of 924	1476	PI.exe	PI.exe
PID 1608 set thread context of 1076	1608	PI.exe	PI.exe
PID 1076 set thread context of 1156	1076	PI.exe	vbc.exe
PID 924 set thread context of 1580	924	PI.exe	PI.exe
PID 1580 set thread context of 1808	1580	PI.exe	PI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1624 1156 WerFault.exe vbc.exe

pid	pid_target	process	target process
1624	1156	WerFault.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PI.exeIpOverUsbSvrc.exePI.exe

pid	process
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1476	PI.exe
1476	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe
1984	PI.exe
1984	PI.exe
1476	PI.exe
1984	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe
1476	PI.exe
1984	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe
1476	PI.exe
1984	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe
1476	PI.exe
1984	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe
1476	PI.exe
1984	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe
1476	PI.exe
1984	PI.exe
1476	PI.exe
888	IpOverUsbSvrc.exe
1984	PI.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

PI.exePI.exeIpOverUsbSvrc.exePI.exePI.exePI.exePI.exe

description	pid	process
Token: SeDebugPrivilege	1476	PI.exe
Token: SeDebugPrivilege	1984	PI.exe
Token: SeDebugPrivilege	888	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1608	PI.exe
Token: SeDebugPrivilege	1076	PI.exe
Token: SeDebugPrivilege	924	PI.exe
Token: SeDebugPrivilege	1580	PI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PI.exe

pid process

1076 PI.exe

pid	process
1076	PI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PI.exePI.exePI.exePI.exevbc.exePI.exe

description	pid	process	target process
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 1984	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 888	1476	PI.exe	IpOverUsbSvrc.exe
PID 1476 wrote to memory of 888	1476	PI.exe	IpOverUsbSvrc.exe
PID 1476 wrote to memory of 888	1476	PI.exe	IpOverUsbSvrc.exe
PID 1476 wrote to memory of 888	1476	PI.exe	IpOverUsbSvrc.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1984 wrote to memory of 1608	1984	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1476 wrote to memory of 924	1476	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1608 wrote to memory of 1076	1608	PI.exe	PI.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1076 wrote to memory of 1156	1076	PI.exe	vbc.exe
PID 1156 wrote to memory of 1624	1156	vbc.exe	WerFault.exe
PID 1156 wrote to memory of 1624	1156	vbc.exe	WerFault.exe
PID 1156 wrote to memory of 1624	1156	vbc.exe	WerFault.exe
PID 1156 wrote to memory of 1624	1156	vbc.exe	WerFault.exe
PID 1076 wrote to memory of 864	1076	PI.exe	dw20.exe
PID 1076 wrote to memory of 864	1076	PI.exe	dw20.exe
PID 1076 wrote to memory of 864	1076	PI.exe	dw20.exe
PID 1076 wrote to memory of 864	1076	PI.exe	dw20.exe
PID 924 wrote to memory of 1580	924	PI.exe	PI.exe
PID 924 wrote to memory of 1580	924	PI.exe	PI.exe
PID 924 wrote to memory of 1580	924	PI.exe	PI.exe
PID 924 wrote to memory of 1580	924	PI.exe	PI.exe
PID 924 wrote to memory of 1580	924	PI.exe	PI.exe
PID 924 wrote to memory of 1580	924	PI.exe	PI.exe

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 36
6⤵
- Program crash
PID:1624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1592
5⤵
PID:864

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
4⤵
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
11KB

MD5
03c4f3f5cdbc342eb1c0349e001fdd0c

SHA1
7d45ed19db4eaed16d1985240c98fab7623798e5

SHA256
a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc

SHA512
d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
11KB

MD5
03c4f3f5cdbc342eb1c0349e001fdd0c

SHA1
7d45ed19db4eaed16d1985240c98fab7623798e5

SHA256
a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc

SHA512
d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
992KB

MD5
f915f94f551c0c5371d093dbe27bbfaa

SHA1
912941a11e2c924eceb37ac5928ba457a10d8512

SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22

SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
992KB

MD5
f915f94f551c0c5371d093dbe27bbfaa

SHA1
912941a11e2c924eceb37ac5928ba457a10d8512

SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22

SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
992KB

MD5
f915f94f551c0c5371d093dbe27bbfaa

SHA1
912941a11e2c924eceb37ac5928ba457a10d8512

SHA256
9cc92274df864afffdc64af3537d37033aff710061b4cc1863153a4d5a435c22

SHA512
a5eecf05caa8fab3e1f98b43b222b4c1ea2080d243e9601590342410eeb9f1481e7352ebed76a56849ffb8ed0481fcc06b136253701c879370b22b610abab786

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
11KB

MD5
03c4f3f5cdbc342eb1c0349e001fdd0c

SHA1
7d45ed19db4eaed16d1985240c98fab7623798e5

SHA256
a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc

SHA512
d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162

Download Submit
memory/864-133-0x0000000000000000-mapping.dmp

Download
memory/888-82-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/888-76-0x0000000000000000-mapping.dmp

Download
memory/888-80-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/924-127-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/924-106-0x00000000004E083E-mapping.dmp

Download
memory/924-108-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/924-110-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/924-112-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-124-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1076-126-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-115-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1076-117-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1076-118-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1076-119-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1076-135-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-120-0x000000000047E90E-mapping.dmp

Download
memory/1076-122-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1076-114-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1156-129-0x0000000000411654-mapping.dmp

Download
memory/1156-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1476-56-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-55-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-144-0x000000000049657E-mapping.dmp

Download
memory/1580-150-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-151-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1608-93-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1608-85-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1608-89-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1608-90-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1608-91-0x000000000049657E-mapping.dmp

Download
memory/1608-152-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1608-84-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1608-98-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1608-97-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1608-95-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1608-87-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1624-132-0x0000000000000000-mapping.dmp

Download
memory/1808-159-0x000000000047E90E-mapping.dmp

Download
memory/1808-170-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-171-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-57-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-61-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-74-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-99-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-65-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-69-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-81-0x0000000074E30000-0x00000000753DB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-72-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-64-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-63-0x00000000004E083E-mapping.dmp

Download
memory/1984-58-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/1984-60-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads