hawkeye | 26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749

General

Target

26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe
Size

1005KB
MD5

ba11d47be9d8609d31c1e71c839ccfef
SHA1

5829d66ab0ac2b626c826a7656aaca439eeed2f7
SHA256

26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749
SHA512

8cc56f8a491fd0cb07a803f9ee1ba07c8ab3fde814decb3f5c53096ac3a47362b5ddab2caad787ac215d13d095ef6dc3df8e4196ee98cba51d69a34c7fe75693
SSDEEP

24576:ajr1UHd4dk8XzoE7vOFH91VYyNEJ96HJPi8UnQsWqSfz3:Ir3d2GvOh9gYEJ0Vi8UnSfz

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3476-135-0x0000000000400000-0x00000000004F0000-memory.dmp	MailPassView
behavioral2/memory/1888-144-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/1888-146-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1888-157-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1888-159-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1888-162-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3476-135-0x0000000000400000-0x00000000004F0000-memory.dmp	WebBrowserPassView
behavioral2/memory/536-143-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/536-147-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/536-156-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/536-163-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/536-165-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3476-135-0x0000000000400000-0x00000000004F0000-memory.dmp	Nirsoft
behavioral2/memory/536-143-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1888-144-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1888-146-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/536-147-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1888-157-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/536-156-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/1888-159-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1888-162-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/536-163-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/536-165-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESILlzCw = "\"C:\\Users\\Admin\\AppData\\Roaming\\ESILlzCw\\ESILlzCw.exe\""	RegSvcs.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 whatismyipaddress.com
51 whatismyipaddress.com
57 whatismyipaddress.com

flow	ioc
46	whatismyipaddress.com
51	whatismyipaddress.com
57	whatismyipaddress.com

Suspicious use of SetThreadContext 7 IoCs

Processes:

26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exeRegSvcs.exe

description	pid	process	target process
PID 2720 set thread context of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 set thread context of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 3476 set thread context of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 set thread context of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 set thread context of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 set thread context of 2132	3476	RegSvcs.exe	vbc.exe
PID 3476 set thread context of 4956	3476	RegSvcs.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4688 2264 WerFault.exe vbc.exe
1268 2264 WerFault.exe vbc.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

pid	pid_target	process	target process
4688	2264	WerFault.exe	vbc.exe
1268	2264	WerFault.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exe

pid	process
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RegSvcs.exe26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	3476	RegSvcs.exe
Token: SeDebugPrivilege	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe
Token: SeRestorePrivilege	4636	dw20.exe
Token: SeBackupPrivilege	4636	dw20.exe
Token: SeBackupPrivilege	4636	dw20.exe
Token: SeBackupPrivilege	4636	dw20.exe
Token: SeBackupPrivilege	4636	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3476 RegSvcs.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exeRegSvcs.exevbc.exe

description	pid	process	target process
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 3476	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 1492	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 1492	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 1492	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 2720 wrote to memory of 2700	2720	26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe	RegSvcs.exe
PID 3476 wrote to memory of 2132	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2132	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2132	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 4956	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 4956	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 4956	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2264	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 1888	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 536	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 4636	3476	RegSvcs.exe	dw20.exe
PID 3476 wrote to memory of 4636	3476	RegSvcs.exe	dw20.exe
PID 3476 wrote to memory of 4636	3476	RegSvcs.exe	dw20.exe
PID 3476 wrote to memory of 4956	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2132	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 2132	3476	RegSvcs.exe	vbc.exe
PID 3476 wrote to memory of 4956	3476	RegSvcs.exe	vbc.exe
PID 2264 wrote to memory of 4688	2264	vbc.exe	WerFault.exe
PID 2264 wrote to memory of 4688	2264	vbc.exe	WerFault.exe
PID 2264 wrote to memory of 4688	2264	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe
"C:\Users\Admin\AppData\Local\Temp\26208c834b6cf1ceaafe62ff1398b479db24e2dd92c0e61e38b05f90fbc34749.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 188
4⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 188
4⤵
- Program crash
PID:1268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2648
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /ESILlzCw /C:\Users\Admin\AppData\Roaming\ESILlzCw\ESILlzCw.exe
2⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /ESILlzCw /C:\Users\Admin\AppData\Roaming\ESILlzCw\ESILlzCw.exe
2⤵
- Adds Run key to start application
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264
1⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/536-163-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/536-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/536-147-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/536-143-0x0000000000000000-mapping.dmp

Download
memory/1492-138-0x0000000000000000-mapping.dmp

Download
memory/1888-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1888-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1888-159-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1888-157-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1888-144-0x0000000000000000-mapping.dmp

Download
memory/2132-153-0x0000000000000000-mapping.dmp

Download
memory/2264-142-0x0000000000000000-mapping.dmp

Download
memory/2264-145-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2700-149-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2700-141-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2700-139-0x0000000000000000-mapping.dmp

Download
memory/2700-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2700-161-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2720-133-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2720-132-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/2720-160-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3476-135-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3476-136-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3476-137-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3476-134-0x0000000000000000-mapping.dmp

Download
memory/3476-164-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4636-148-0x0000000000000000-mapping.dmp

Download
memory/4688-158-0x0000000000000000-mapping.dmp

Download
memory/4956-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads