hawkeye | 8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b

General

Target

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
Size

1.7MB
MD5

2514c34a5985c4663b524b967c85d1c6
SHA1

e9ac6338ee778202e5a7ab51fc1a741eb2db4969
SHA256

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b
SHA512

5ccec693ccc10c729e1f703ab24c27a321e04b1f4b023e96538bcf53a9d9efb8b37e30c8212494278e2c118a6376f8deb7b10cc55712f4b8d6dc2b004d0b4dff
SSDEEP

24576:8LvPkKzbM8FEQxazfhOlbR38mlMzKRv3HoNgg5CxkLoe7i6SR0QOBXLqMc+wTiR1:87k181V38eMevSnwMMxOB7qkwTiR

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.messagingengine.com
Port:
587
Username:
azarbaijj@fastmail.com
Password:
qedrks8q9hlo8up1ao7hrljvc7

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\TPAutoConnect.exe"	reg.exe

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/3308-152-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/3308-153-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3308-155-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3308-156-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/4188-157-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4188-158-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4188-160-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4188-161-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4188-163-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/3308-152-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/3308-153-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3308-155-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3308-156-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4188-157-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4188-158-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4188-160-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4188-161-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4188-163-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

5060 svhost.exe

pid	process
5060	svhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
File created	C:\Windows\assembly\Desktop.ini	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 whatismyipaddress.com

flow	ioc
52	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exesvhost.exe

description	pid	process	target process
PID 4392 set thread context of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 5060 set thread context of 3308	5060	svhost.exe	vbc.exe
PID 5060 set thread context of 4188	5060	svhost.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
File created	C:\Windows\assembly\Desktop.ini	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2204 timeout.exe

pid	process
2204	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exesvhost.exevbc.exe

pid	process
4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
5060	svhost.exe
4188	vbc.exe
4188	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
Token: SeDebugPrivilege	5060	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

5060 svhost.exe

pid	process
5060	svhost.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.execmd.exewscript.execmd.execmd.exesvhost.exe

description	pid	process	target process
PID 4392 wrote to memory of 4328	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	cmd.exe
PID 4392 wrote to memory of 4328	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	cmd.exe
PID 4392 wrote to memory of 4328	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	cmd.exe
PID 4328 wrote to memory of 4448	4328	cmd.exe	wscript.exe
PID 4328 wrote to memory of 4448	4328	cmd.exe	wscript.exe
PID 4328 wrote to memory of 4448	4328	cmd.exe	wscript.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4392 wrote to memory of 5060	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	svhost.exe
PID 4448 wrote to memory of 2316	4448	wscript.exe	cmd.exe
PID 4448 wrote to memory of 2316	4448	wscript.exe	cmd.exe
PID 4448 wrote to memory of 2316	4448	wscript.exe	cmd.exe
PID 2316 wrote to memory of 1636	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 1636	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 1636	2316	cmd.exe	reg.exe
PID 4392 wrote to memory of 4332	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	cmd.exe
PID 4392 wrote to memory of 4332	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	cmd.exe
PID 4392 wrote to memory of 4332	4392	8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe	cmd.exe
PID 4332 wrote to memory of 2204	4332	cmd.exe	timeout.exe
PID 4332 wrote to memory of 2204	4332	cmd.exe	timeout.exe
PID 4332 wrote to memory of 2204	4332	cmd.exe	timeout.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 3308	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe
PID 5060 wrote to memory of 4188	5060	svhost.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe
"C:\Users\Admin\AppData\Local\Temp\8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\TPAutoConnect.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:1636

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:3308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\TPAutoConnect.exe
Filesize
1.7MB

MD5
2514c34a5985c4663b524b967c85d1c6

SHA1
e9ac6338ee778202e5a7ab51fc1a741eb2db4969

SHA256
8efd6cc02c0fa433a624579617491edde0fb616df1a32630c72a58a085d3135b

SHA512
5ccec693ccc10c729e1f703ab24c27a321e04b1f4b023e96538bcf53a9d9efb8b37e30c8212494278e2c118a6376f8deb7b10cc55712f4b8d6dc2b004d0b4dff

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat
Filesize
288B

MD5
f19741e9614de4a81dc619ae9f6d3c4d

SHA1
72dbbc17dcc76f11bac04507147aa39ee3c2342e

SHA256
e8c8ab04f5730e043a220ad833fb4421d173326d5996b475ffc610445a3d62e0

SHA512
52826847f6878bb1db500a6dc57396e2c473137b87a6fd9812d593dc6a61c2b3fd93bcb392490d3eec77860afbae5c6219668143403efe1182a1c2f7850a5285

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat
Filesize
215B

MD5
b4f3d9dc2751dc993839aad15ba26450

SHA1
f1fcd8280a51dcbf4551ecfd5baa445af9725dfa

SHA256
79e27e2950ece03ac4e57e699d7ab62f8c5a18a86a7e770f7398b6daf66350f6

SHA512
34c3505cb51c3c96a0c035ce850dd6eb3ce562b9b1a2c24b3dde4d836e1614c6536f20591a17296f103313d3d3c5d846cc0016ced0369989dd6eec0e285dc203

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/1636-145-0x0000000000000000-mapping.dmp

Download
memory/2204-148-0x0000000000000000-mapping.dmp

Download
memory/2316-144-0x0000000000000000-mapping.dmp

Download
memory/3308-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-152-0x0000000000000000-mapping.dmp

Download
memory/3308-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-155-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4188-157-0x0000000000000000-mapping.dmp

Download
memory/4188-158-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4188-163-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4188-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4188-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4328-134-0x0000000000000000-mapping.dmp

Download
memory/4332-146-0x0000000000000000-mapping.dmp

Download
memory/4392-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4392-133-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4392-150-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4448-136-0x0000000000000000-mapping.dmp

Download
memory/5060-138-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5060-143-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/5060-137-0x0000000000000000-mapping.dmp

Download
memory/5060-151-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads