hawkeye_reborn | 880a8e92a551eadbe2100603827a0f37146b7d8bd32dca0d571dd153b2b46e0d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
Size

750KB
MD5

1ff187482465cab97f45861705d4aea8
SHA1

014219f8768444e4a2c8bc0519c4869d4537f419
SHA256

880a8e92a551eadbe2100603827a0f37146b7d8bd32dca0d571dd153b2b46e0d
SHA512

647b687774cd9cf4a71605021e34d68972381d694405d358dc3627ef262bcabbb15f09da62503c548840c2bd423d7b1c2af50cfb800ee022f6ea91ed50cb16f1
SSDEEP

12288:YhHe7H2bIKv7J4nDCrLuIeOgSkb94+NCjjq09eW3IKaIt1frZhAQap2svLxHw:++7H2FJucpeO3khc/IWIItN+v

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 6 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/2992-24-0x0000000005060000-0x00000000050F0000-memory.dmp	m00nd3v_logger
behavioral1/memory/2496-34-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2496-36-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2496-35-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2496-31-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/2496-29-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1308-115-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2624-51-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2624-50-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2624-53-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2248-100-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral1/memory/2248-102-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/2624-51-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2624-50-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2624-53-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2248-100-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2248-102-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1308-115-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfVYLH.url	sys32null.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfVYLH.url	sys32null.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfVYLH.url	sys32null.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfVYLH.url	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1280	sys32null.exe
2360	sys32null.exe
2472	sys32null.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2496 set thread context of 2624	2496	RegAsm.exe	37
PID 1280 set thread context of 2160	1280	sys32null.exe	45
PID 2160 set thread context of 2248	2160	RegAsm.exe	46
PID 2496 set thread context of 1308	2496	RegAsm.exe	49
PID 2360 set thread context of 1524	2360	sys32null.exe	56
PID 1524 set thread context of 2940	1524	RegAsm.exe	57
PID 2160 set thread context of 2816	2160	RegAsm.exe	58
PID 2472 set thread context of 2164	2472	sys32null.exe	65
PID 2164 set thread context of 1248	2164	RegAsm.exe	66
PID 1524 set thread context of 756	1524	RegAsm.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
2624	vbc.exe
2624	vbc.exe
2624	vbc.exe
2624	vbc.exe
2624	vbc.exe
1280	sys32null.exe
1280	sys32null.exe
2248	vbc.exe
2248	vbc.exe
2248	vbc.exe
2248	vbc.exe
2248	vbc.exe
2360	sys32null.exe
2360	sys32null.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2496	RegAsm.exe
2496	RegAsm.exe
2472	sys32null.exe
2472	sys32null.exe
1248	vbc.exe
1248	vbc.exe
1248	vbc.exe
1248	vbc.exe
1248	vbc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
Token: SeDebugPrivilege	1280	sys32null.exe
Token: SeDebugPrivilege	2360	sys32null.exe
Token: SeDebugPrivilege	2496	RegAsm.exe
Token: SeDebugPrivilege	2472	sys32null.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2496	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2956	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2956	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2956	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2956	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2488	2956	csc.exe	30
PID 2956 wrote to memory of 2488	2956	csc.exe	30
PID 2956 wrote to memory of 2488	2956	csc.exe	30
PID 2956 wrote to memory of 2488	2956	csc.exe	30
PID 2992 wrote to memory of 2576	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2576	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2576	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2576	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2632	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2632	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2632	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2632	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2992 wrote to memory of 2496	2992	1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe	35
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2496 wrote to memory of 2624	2496	RegAsm.exe	37
PID 2748 wrote to memory of 1280	2748	taskeng.exe	39
PID 2748 wrote to memory of 1280	2748	taskeng.exe	39
PID 2748 wrote to memory of 1280	2748	taskeng.exe	39
PID 2748 wrote to memory of 1280	2748	taskeng.exe	39
PID 1280 wrote to memory of 340	1280	sys32null.exe	40
PID 1280 wrote to memory of 340	1280	sys32null.exe	40
PID 1280 wrote to memory of 340	1280	sys32null.exe	40
PID 1280 wrote to memory of 340	1280	sys32null.exe	40
PID 340 wrote to memory of 1256	340	csc.exe	42
PID 340 wrote to memory of 1256	340	csc.exe	42
PID 340 wrote to memory of 1256	340	csc.exe	42
PID 340 wrote to memory of 1256	340	csc.exe	42
PID 1280 wrote to memory of 1872	1280	sys32null.exe	43
PID 1280 wrote to memory of 1872	1280	sys32null.exe	43
PID 1280 wrote to memory of 1872	1280	sys32null.exe	43
PID 1280 wrote to memory of 1872	1280	sys32null.exe	43
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45
PID 1280 wrote to memory of 2160	1280	sys32null.exe	45

C:\Users\Admin\AppData\Local\Temp\1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ff187482465cab97f45861705d4aea8_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chmai1y5\chmai1y5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2694.tmp" "c:\Users\Admin\AppData\Local\Temp\chmai1y5\CSC7F4BDA91C831436995E319F4B8119F6.TMP"
    3⤵
    PID:2488
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  PID:2576
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn RfVYLH /MO 1 /tr "C:\Users\Admin\AppData\Roaming\000000\sys32null.exe\
  2⤵
  - Creates scheduled task(s)
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp50DE.tmp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp427D.tmp"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1308

C:\Windows\system32\taskeng.exe
taskeng.exe {FAA7BA2B-29AD-412F-AD6E-09EF835B7661} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\000000\sys32null.exe
  C:\Users\Admin\AppData\Roaming\000000\sys32null.exe "C:\Users\Admin\AppData\Roaming\000000\sys32null.exe\"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shd433ta\shd433ta.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES672C.tmp" "c:\Users\Admin\AppData\Local\Temp\shd433ta\CSC109B65CC994333BBA1796E1D5F9B.TMP"
      4⤵
      PID:1256
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    3⤵
    PID:1872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8F83.tmp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2248
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8122.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2816
- C:\Users\Admin\AppData\Roaming\000000\sys32null.exe
  C:\Users\Admin\AppData\Roaming\000000\sys32null.exe "C:\Users\Admin\AppData\Roaming\000000\sys32null.exe\"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1le1qz0v\1le1qz0v.cmdline"
    3⤵
    PID:1532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EE.tmp" "c:\Users\Admin\AppData\Local\Temp\1le1qz0v\CSC380E6079886B448B8B3EF7835A178.TMP"
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    3⤵
    PID:2664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp7945.tmp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6AF4.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:756
- C:\Users\Admin\AppData\Roaming\000000\sys32null.exe
  C:\Users\Admin\AppData\Roaming\000000\sys32null.exe "C:\Users\Admin\AppData\Roaming\000000\sys32null.exe\"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w20f3tkx\w20f3tkx.cmdline"
    3⤵
    PID:2736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B1D.tmp" "c:\Users\Admin\AppData\Local\Temp\w20f3tkx\CSC13E5387540FB45F48273BCE65B838E5E.TMP"
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query
    3⤵
    PID:2000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp63B3.tmp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1le1qz0v\1le1qz0v.dll

Filesize
7KB

MD5
1ddbfc25a30b70e12ea5956fe89add1d

SHA1
d9eded6860996486b68090fcdff85e37becf4ccf

SHA256
3274ddfc8bc3a0ccc83f2c3fa0c0c294ec8ffc059b880468575daa6f2da1d149

SHA512
4921737176366070d5e4c86db733f323a96ed9f651031aae22ba7ac6212b069b96337c317787049f5f490ed21b82dbecdab814b946b0cdccbe1b5a7b2705927a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1le1qz0v\1le1qz0v.pdb

Filesize
19KB

MD5
bbbd014f51921cf00531cfd4b3e88504

SHA1
21d808f1618faae6bf9eaa9fe264361d29a4d5c3

SHA256
3ea72bc9e58f10d76531015fb8cc046e7ab600193c44290a9abf86d8f6aa77b2

SHA512
241537a773001199d69b0f4ed21b739fff6b837598a31c2f1151e8a41f42040419ad4d064d617f6d64a5ee703c386789ebfde99ae9545ae17991fef3cff0701a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2694.tmp

Filesize
1KB

MD5
4924d7488e063535d18444f64715a909

SHA1
c2c2094aaf648d2e653fe0826ccd0cab5b6958ec

SHA256
40c11866f6793b1abbe2267b7312a7bab3a73a00b261f842fdf901aeee79eeb4

SHA512
8fd9b31fad6326193b18181236ce739160ee1d805dfa88125f493f77315651534c0ecffec082b5f39ba90e40abcdc7aec4344a92b3587b640b5ecdf7ef5c8ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B1D.tmp

Filesize
1KB

MD5
c3988f74e837806ec016c1ef1b1069aa

SHA1
ceadccf17b0b87967b02ba0db1902fee8abd9e16

SHA256
e012456fb65a711e4693b69009a6c0a9b45d67ed74c1fecd8085e1247674ca45

SHA512
0a5351043d8cf98d04b11646ff80fc3516fe76fa96fb12f5a83998f09da1e184f5dc5de51dceb241da2faa1aca37d867d5f7d966f6b1e881c8327454e44a2c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50EE.tmp

Filesize
1KB

MD5
20f7ec8a4b6a0be5554a040f6c6c16b3

SHA1
d329dec969bbb3f72c0c2fc12a7e3b171a7606d4

SHA256
546750c5fc2dfb2baf7931547c1e9ebf93e031837b8ddb4fbcaf84e8962ee86d

SHA512
1975b8feed3574ab99fb06676f24fc230e3a6e90e84a3df9adf77c90f856b51ef51661679fcf2feae23fc1177ef402e6a134d96a45fd5407cb436650df56167c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES672C.tmp

Filesize
1KB

MD5
286eaee4fced80be15a38bfc3894c44a

SHA1
427c3ceb769020fd7184064124230cd00730c81f

SHA256
edd6332ad89f48bbd4b613c16aba127cfdb90040ec6184b711b689e46b1a649f

SHA512
1073eac735054bf34c08956f3a228c39c77593ef7871316281a24e4732290b4bb22c54b24d5f3241b0fd9c72f532c03a5114664485d0ad8f588d0024ac806232

Download Submit
C:\Users\Admin\AppData\Local\Temp\chmai1y5\chmai1y5.dll

Filesize
7KB

MD5
54ba1f82f95f0efa59ab396baa923953

SHA1
49c46b248c9fc2f50098d8466794a35b8526d651

SHA256
c0aee0bab9249f81db1d55da56039cc287aecd0d4491f1895832b03d134da02b

SHA512
d202cb6864ea5a63597168697bda2f9854ff90789fddae1244d0dcd8fe7e3f9ae5439a3c70342b5f0882b9d39c4e54a839474258e0a55b5da25a24ea1ad2460e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chmai1y5\chmai1y5.pdb

Filesize
19KB

MD5
76c2e95a44609cc396d08567cef6bc71

SHA1
4516dd124fca840c3d58a51f9fdf99c0d2b39bbf

SHA256
32683d89a498d0f0a152f33f3c26c0fe6eb46018773aa5a478e54952e9c73c09

SHA512
a4f1925c80d796980fbfa92eaaa74f9d4da0f054e03b683a0f309859bf9759e27f3709ab88669e8c4838f2763192f11cef4e3807c97cca5ebcaf975c8088815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\shd433ta\shd433ta.dll

Filesize
7KB

MD5
a4807f591586d18169533f7f0d8af29d

SHA1
b73844e7cb7d880b6c7989193ea125d71d4935e8

SHA256
278e3e2f565a6c9ea710ccc4edefbe9e67dbb7b61c0f97c12017f238d01221c3

SHA512
1f6acf6facc7d11edf701cf5e83d47033cc754e0528df4bd39d07364f36e9d9b3207741f486078ac0fe65f36e7cd50fd558fd7561df209459300c7fb1380d1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\shd433ta\shd433ta.pdb

Filesize
19KB

MD5
b48f608e556b25f1a3816c85216dc7b3

SHA1
50436f75884429fcc6a24ddd44c2c07251901164

SHA256
b10d0b91e1b6ea21d76f65d272221b5698e2488b8a24bfba8a8721f7126e7a8f

SHA512
473da964df5644c3ff66752991ce8ccdcdbd8304167da5147ea73b94f44fc9b1fe3cabe10142bd537edfbd094ab448b66f46bc855f8c89841c9676bd727fe09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50DE.tmp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\w20f3tkx\w20f3tkx.dll

Filesize
7KB

MD5
16fab9f9ef8667e581f24acf95be8505

SHA1
5a5e22ca90786c9ade4623f10611f80dcf84a181

SHA256
e0e3fbffc73614feb1994091977f8b29a0b3ae4973efa4b09f87136f694f2184

SHA512
5ada2e6c8402ee394e5ae414e5053be8412362366cbee0b363e99c655adedb4e5e15c2f6e8c4de2525059bdf0acf215a55166b09a1cb848dffc44d035a5e5062

Download Submit
C:\Users\Admin\AppData\Local\Temp\w20f3tkx\w20f3tkx.pdb

Filesize
19KB

MD5
f389deb144de4977752c007a62a7b6d5

SHA1
a2fe27bcd8b730a07aba4ee00eb5c21970e23769

SHA256
fc1f054efd73d6ada50150664331083c57c34cb25860a862a04d898b9da92a66

SHA512
6574f6d4619d2b8d064957e2b8fd9003b966ffb67836a262acc00e80a9a20f359deabae5d3036ce78c29c2fe88adc3629bdd3897521b0811f79546641463b89f

Download Submit
C:\Users\Admin\AppData\Roaming\000000\sys32null.exe

Filesize
750KB

MD5
1ff187482465cab97f45861705d4aea8

SHA1
014219f8768444e4a2c8bc0519c4869d4537f419

SHA256
880a8e92a551eadbe2100603827a0f37146b7d8bd32dca0d571dd153b2b46e0d

SHA512
647b687774cd9cf4a71605021e34d68972381d694405d358dc3627ef262bcabbb15f09da62503c548840c2bd423d7b1c2af50cfb800ee022f6ea91ed50cb16f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfVYLH.url

Filesize
85B

MD5
54e00c6dae072bb02bb60626842826f4

SHA1
ea3c8c5a47a99cb0f37d7da740604ade76c427c0

SHA256
5c13e20a181a5ac285cc6e767c34458386367beb48326de46208c63cba68d927

SHA512
0a2351a53aa8e5faf941c03e7b4c0d12bacc64a921a331cf6b7dadf216107bd8e29af09a609ddd2a06ee4841807a46be1c6ec30c1b97b224b385151e3ed72a26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1le1qz0v\1le1qz0v.cmdline

Filesize
312B

MD5
23d144105681408affacd82dc6871a47

SHA1
5e7e87c1aa1ff73e2cbd81e311555322839c535c

SHA256
cca7356985144a255a2d917376370c7964627f8ed0e32bd63b940046c5f2fb9a

SHA512
d88455b4d547903a1979fc101129280596436f6c5fdba0d16368a6171da947b3e30c7e06efc1464cd8388e0be3e9efd9ca80f8a283457ce5975904c7b5086808

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1le1qz0v\CSC380E6079886B448B8B3EF7835A178.TMP

Filesize
1KB

MD5
0dd15386490013bf84f12ba6c2eae633

SHA1
5b21dc834a2340853ef416d77c8ecafc579027ca

SHA256
f4a01af721707e41020038240db3be07df3dce2b25d18688967d3ae1bfcf7e0e

SHA512
3a3a564254e5167c14cc1506441638233bb7ad6a2aa5b8247ba88bc3d042b8319305e084e3795668e57b7e1196d44802d08487ca86864ff2871d51a556418811

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chmai1y5\CSC7F4BDA91C831436995E319F4B8119F6.TMP

Filesize
1KB

MD5
dc7dd8176d98df9b0230178d1a38f1a3

SHA1
7109bd545b7f2ffaf3b1097ee0bc216e4e12a9ff

SHA256
7b8c3c313fe6ebecf00a4492b45e8adbcef2bab894acc10b4cbeb4465382d01f

SHA512
5cdbeec40980d4ec170e4652cab671cedd0c81a4fe2e0bedb86af3acbe9f0c1c1d1302e3d6439fb57ceb1532d4f8be870d85f19660eb38346d5c396d27347003

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chmai1y5\chmai1y5.0.cs

Filesize
5KB

MD5
673ecdec7f6b53899d44e694f054022b

SHA1
06d169aa1909b8a2a78fdca41762ac2f5a36b54f

SHA256
fe1d99724cfc9c4c95353eed185ea53e96bfac440b2ee4837bd7ee226025a488

SHA512
f820d06b03a30afcd116c53559f119a61fd9aded2157d7db4b6b81af7557ecb48aa20247f081b7eaff5a701148ce0b0a7035faa77725cbae405a4a4317f27537

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chmai1y5\chmai1y5.cmdline

Filesize
312B

MD5
fddae16b7fa8d2daf28ffa1521262172

SHA1
d1afbad891eab6503678041acc802dff8f93bb83

SHA256
442056c633939efdfd91f798868b29cc3e42b2edd5746cc56dfe420b915dc998

SHA512
d5387d7646aebda769fa87c056912aa00936a979659d65200f2def9d53bc44f43b718946d4c19384856a067982e2388e385a90445c0665ba17ee36a3c35847d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shd433ta\CSC109B65CC994333BBA1796E1D5F9B.TMP

Filesize
1KB

MD5
4a296d241d3bad87e8c9f71cdfb59324

SHA1
d726ff67cb9ae435114d448cb17bae8c68d68df8

SHA256
9f711e68cce9f0229184146eeb610a6ae0f5d5cb096dfc8cc66952e25b0fcb19

SHA512
fa958d87aa654d236799a8808950bb315ddd9e4998b888aa4e613fa120af66a2db9ee79d0489ea366de4f0b955ff31e4a7f631f686246dcdbc658ba0359162c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shd433ta\shd433ta.cmdline

Filesize
312B

MD5
7cab5d2373b30b5144dfab7e863d5b73

SHA1
3dd8d268fdc91c36de48eeb1cbced6a0de354681

SHA256
17f0f98366cd640fe3d87e5398ee1ed5d39c31fbd34ec10e524ee86761ce0731

SHA512
46c7ad099420e7f7e2eebbdea44d1407a9dcd619dd0363fd02ad2da24da64f554b9106a99f1251c3318a6e3e0e201a8b3513c593cbb991a009cc4c32f69f36e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w20f3tkx\CSC13E5387540FB45F48273BCE65B838E5E.TMP

Filesize
1KB

MD5
2b69c3ddfd004383b769f7cf875c07f9

SHA1
acf975201075d5f11efba71ad756ff7e0bb04e10

SHA256
44262a16ce40a1db667966344e5456799975a7286a0ede98ac6702d4e916ab0c

SHA512
3dff6cb7010677c3a437c68fc33474c933d276379eaaf5c26d08e8acd8a6d11835139a87752188bfacc2c4959b8f2748ba1dfee37de5b6d206dd71d32eb12326

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w20f3tkx\w20f3tkx.cmdline

Filesize
312B

MD5
b93e27a876ea0660e5626092f5aa2636

SHA1
894c76c224ee5e9127204661246dfb5f40c9c985

SHA256
48de781370c98af0c1396970005555ac5df998dce625228d408d975df43ce52c

SHA512
2ed2fb992121e6f1caf8fe49b3a6cb73796d5451bfb26637fc00a7b824ccd344d81086caac01235db1a9c07f42ad6cadfab7dbf7b2609cd74182bf390b8ec69c

Download Submit
memory/1280-71-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1280-56-0x00000000009C0000-0x0000000000A82000-memory.dmp

Filesize
776KB

Download
memory/1308-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-108-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-115-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2248-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2248-102-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2360-135-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2360-120-0x00000000003B0000-0x0000000000472000-memory.dmp

Filesize
776KB

Download
memory/2472-199-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2472-184-0x0000000000880000-0x0000000000942000-memory.dmp

Filesize
776KB

Download
memory/2496-29-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2496-25-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2496-36-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2496-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-34-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2496-31-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2496-27-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2496-35-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2624-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-50-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-53-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-51-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2624-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2992-21-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2992-24-0x0000000005060000-0x00000000050F0000-memory.dmp

Filesize
576KB

Download
memory/2992-37-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-20-0x0000000005270000-0x000000000530A000-memory.dmp

Filesize
616KB

Download
memory/2992-18-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2992-3-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-2-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2992-1-0x00000000011B0000-0x0000000001272000-memory.dmp

Filesize
776KB

Download
memory/2992-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download