hawkeye | a5ce22e19a13b0ad26be00a9c005bbf8526d29a792045bfa6df15be0f2d7473f

Analysis

max time kernel
121s
max time network
138s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356198232be81a9e887eab01ad14d037_JaffaCakes118.rtf
Size

1.3MB
MD5

356198232be81a9e887eab01ad14d037
SHA1

06ead723b291a58715f5f08d3bfaa819030f5b36
SHA256

a5ce22e19a13b0ad26be00a9c005bbf8526d29a792045bfa6df15be0f2d7473f
SHA512

012cc5f84c76d5781dd212bad743a39c45bda6898f3d8570c4dd18c222f846423ee8137b57388d16ac8b02fc997d7954fc8b2e2fc1b426f42eae7b2e83a861a0
SSDEEP

24576:dU19yeKj7FhmK3qAU6Dd8vI7ZwRyuESqe9hLXIvwzMfpb5J2ArU9dIytJH8mnK3F:t

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2944	2984	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2904	2984	cmd.exe	WINWORD.EXE

NirSoft MailPassView 8 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2064-68-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2064-70-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2064-75-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2064-73-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2064-76-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral1/memory/2524-81-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2524-80-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/2524-82-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 8 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2064-68-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2064-70-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2064-75-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2064-73-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2064-76-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral1/memory/2136-83-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2136-84-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/2136-88-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2064-68-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2064-70-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2064-75-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2064-73-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2064-76-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/2524-81-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2524-80-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2524-82-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2136-83-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2136-84-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/2136-88-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

saver.scrsaver.scr

pid process

1684 saver.scr
2064 saver.scr
Loads dropped DLL 2 IoCs

Processes:

cmd.exesaver.scr

pid process

3020 cmd.exe
1684 saver.scr
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1684	saver.scr
2064	saver.scr

pid	process
3020	cmd.exe
1684	saver.scr

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

cscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\desktop.ini	cscript.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\desktop.ini	cscript.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

saver.scrsaver.scr

description	pid	process	target process
PID 1684 set thread context of 2064	1684	saver.scr	saver.scr
PID 2064 set thread context of 2524	2064	saver.scr	vbc.exe
PID 2064 set thread context of 2136	2064	saver.scr	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2544 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2744 taskkill.exe

pid	process
2544	timeout.exe

pid	process
2744	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2984 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

saver.scrsaver.scr

pid process

1684 saver.scr
1684 saver.scr
2064 saver.scr
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exesaver.scrsaver.scr

description pid process

Token: SeDebugPrivilege 2744 taskkill.exe
Token: SeDebugPrivilege 1684 saver.scr
Token: SeDebugPrivilege 2064 saver.scr
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cscript.exe

pid process

2556 cscript.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEsaver.scr

pid process

2984 WINWORD.EXE
2984 WINWORD.EXE
2984 WINWORD.EXE
2064 saver.scr

pid	process
2984	WINWORD.EXE

pid	process
1684	saver.scr
1684	saver.scr
2064	saver.scr

description	pid	process
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	1684	saver.scr
Token: SeDebugPrivilege	2064	saver.scr

pid	process
2556	cscript.exe

pid	process
2984	WINWORD.EXE
2984	WINWORD.EXE
2984	WINWORD.EXE
2064	saver.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2984 wrote to memory of 2944	2984	WINWORD.EXE	cmd.exe
PID 2984 wrote to memory of 2944	2984	WINWORD.EXE	cmd.exe
PID 2984 wrote to memory of 2944	2984	WINWORD.EXE	cmd.exe
PID 2984 wrote to memory of 2944	2984	WINWORD.EXE	cmd.exe
PID 2944 wrote to memory of 3016	2944	cmd.exe	cmd.exe
PID 2944 wrote to memory of 3016	2944	cmd.exe	cmd.exe
PID 2944 wrote to memory of 3016	2944	cmd.exe	cmd.exe
PID 2944 wrote to memory of 3016	2944	cmd.exe	cmd.exe
PID 3016 wrote to memory of 3020	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 3020	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 3020	3016	cmd.exe	cmd.exe
PID 3016 wrote to memory of 3020	3016	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2904	2984	WINWORD.EXE	cmd.exe
PID 2984 wrote to memory of 2904	2984	WINWORD.EXE	cmd.exe
PID 2984 wrote to memory of 2904	2984	WINWORD.EXE	cmd.exe
PID 2984 wrote to memory of 2904	2984	WINWORD.EXE	cmd.exe
PID 3020 wrote to memory of 2544	3020	cmd.exe	timeout.exe
PID 3020 wrote to memory of 2544	3020	cmd.exe	timeout.exe
PID 3020 wrote to memory of 2544	3020	cmd.exe	timeout.exe
PID 3020 wrote to memory of 2544	3020	cmd.exe	timeout.exe
PID 2904 wrote to memory of 2888	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2888	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2888	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2888	2904	cmd.exe	cmd.exe
PID 3020 wrote to memory of 2556	3020	cmd.exe	cscript.exe
PID 3020 wrote to memory of 2556	3020	cmd.exe	cscript.exe
PID 3020 wrote to memory of 2556	3020	cmd.exe	cscript.exe
PID 3020 wrote to memory of 2556	3020	cmd.exe	cscript.exe
PID 3020 wrote to memory of 2744	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 2744	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 2744	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 2744	3020	cmd.exe	taskkill.exe
PID 3020 wrote to memory of 1280	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 1280	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 1280	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 1280	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 1936	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 1936	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 1936	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 1936	3020	cmd.exe	cmd.exe
PID 1936 wrote to memory of 1288	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1288	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1288	1936	cmd.exe	reg.exe
PID 1936 wrote to memory of 1288	1936	cmd.exe	reg.exe
PID 3020 wrote to memory of 2004	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 2004	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 2004	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 2004	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 1756	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 1756	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 1756	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 1756	3020	cmd.exe	cmd.exe
PID 1756 wrote to memory of 1760	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1760	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1760	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1760	1756	cmd.exe	reg.exe
PID 3020 wrote to memory of 352	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 352	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 352	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 352	3020	cmd.exe	reg.exe
PID 3020 wrote to memory of 308	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 308	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 308	3020	cmd.exe	cmd.exe
PID 3020 wrote to memory of 308	3020	cmd.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\356198232be81a9e887eab01ad14d037_JaffaCakes118.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K itnqknf5.CMD
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2544
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
        5⤵
        Drops desktop.ini file(s)
        Suspicious use of FindShellTrayWindow
        
        PID:2556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASkKILL /F /IM winword.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
        5⤵
        
        PID:352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:308
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1932
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:860
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2328
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\saver.scr
        
        "C:\Users\Admin\AppData\Local\Temp\saver.scr"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\saver.scr
        
        "C:\Users\Admin\AppData\Local\Temp\saver.scr"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        7⤵
        Accesses Microsoft Outlook accounts
        
        PID:2524
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        7⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
        5⤵
        
        PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\ufFm.cMD"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.zip

Filesize
656KB

MD5
2c905c6a71aef2cd16ac4be8d676b0cd

SHA1
9aec01bffe961e0a31e956941ec53c0fada0dd76

SHA256
8ea59f56c0b7225572ecd086d89e270cb20f30d4bceb355932b227787ca2aa1e

SHA512
a62ef9b2280dfa1d652910cbecb6093a62285180fc5519071cecd660bbfae19dfdf6b27099dc5a4b0b084606880286e6344a67fc8d84be6018d0083807b8a32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
255B

MD5
bf8b4048b61bd2f3c20690415fa52ee4

SHA1
10cf302e555807f6a1e46cf52e9e0746cf93951b

SHA256
4e9782ff685787063d3213cb56c918f2ba9a57f7bdf365027e1d11a9824718a6

SHA512
60d1f5ea1595cb9efd8d3bc906a7f9e74b9f561a10ed96f0b1c6f4d33d878be0d86ba622bdd5d8efd576032c30471d5929458c1aa7124b1764deb6f0dbf30990

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
179B

MD5
1d88166a10f71703ef63a827718737ae

SHA1
d4ae6060a3c8c8ee0bc0498294e9fbac11133212

SHA256
9608595afec837d3131a139be240297f78fb1a79c34879eb3e1d01d4ca2c0fb7

SHA512
48f6cc0e4128289ad688cfd67d35f2b47199bfcb807071e800f798df61ae293d0e5af41915a7efb9c5869be48dbbbe0e7ed5ac41a433239a36c10939c28c8236

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.ScT

Filesize
864B

MD5
93522467ea6a1b96b85ddc1aec79da43

SHA1
b4dfef1b1cec653e8675fe954c9c5f43bcdd32ad

SHA256
fab6f1444b9550ef2ef06b651efae615c358f5da51f267c94b78dd115240e9a1

SHA512
d94669ac17d9b1a3f50ddca1eba9c5c20a805e58e22faf86b7bb8379f8f38ae6b48930d9885568d60197f1f8b5fded3125ed7e7b879990ed6643928cbf827905

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\itnqknf5.cmd

Filesize
1KB

MD5
a3b2ec295ad5a65c83a52892a2abe0fe

SHA1
e69986fc8ad7e818b4f66b101d4063faccf8dafb

SHA256
5a8956e665402c41f00377a5f5f2900b1a3dbc8b04099d8293207d3c65caa238

SHA512
ee42eea67996b1f8aca454eb2bfd2a63caf5cd669b341f60187d714db8a2461069a5d4f1b9328d4fa7569a5f044430cee7294025c7d2c035e437c25b390f0807

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufFm.cMD

Filesize
210B

MD5
955dfb33cd8846c2214a71956b51f68b

SHA1
0e1eded70be14241237ce07620fa4db75618e3a8

SHA256
4a169cbdb43ce32975dcbc5b97dab03466479a1a6aefe9be8c3677a34740c118

SHA512
467b6ed79145460f1ec8d6852b07b19d35686e2f7920b80e07d90dc04ee859264c918b0902191ceb12094c153e61459b0ae144f84ce6072463b3cc15ffa4fb4e

Download Submit
C:\Users\Admin\appData\loCal\TeMp\gondi.doc

Filesize
32KB

MD5
61fbfe216675785d54f9b3b15b9fd5f4

SHA1
c8563c21b28ebdce0e365883959475f3d8631782

SHA256
8fe6b84d7d2b08a0b22d2abc863383a07f8dc038bd79070e6990f89efe1c5630

SHA512
c45cdd03acb1f52eadfab820291629037f66890f36427788575e43f6fefc4d84d4b84fb5a972b488f3bda569e102d5e13333d94c7928c92047451d1b012fde4b

Download Submit
\Users\Admin\AppData\Local\Temp\saver.scr

Filesize
1.0MB

MD5
1640b5226facb64d3f2e9e75384576c9

SHA1
99e2be80990798a87aa0bba9d44b41e461a2ed8c

SHA256
bbe5fdff5fa4c19c055126caf57dda0a13a96a736b58156ea730e34af88804c7

SHA512
9ae0b2c0e90787d8de55f978130df6d323b9ab17d9b09ea1cdf4d658467cd87d81d2347b632e66c957e57af4a6d35bead61e487fbb9ed0cfcfc83256626b0a60

Download Submit
memory/1684-62-0x0000000005090000-0x0000000005120000-memory.dmp

Filesize
576KB

Download
memory/1684-61-0x0000000000840000-0x000000000094A000-memory.dmp

Filesize
1.0MB

Download
memory/2064-64-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2064-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-79-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2064-76-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2064-66-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2064-68-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2064-70-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2064-75-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2064-73-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2136-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2136-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2136-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2524-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2984-50-0x000000007166D000-0x0000000071678000-memory.dmp

Filesize
44KB

Download
memory/2984-0-0x000000002F8D1000-0x000000002F8D2000-memory.dmp

Filesize
4KB

Download
memory/2984-2-0x000000007166D000-0x0000000071678000-memory.dmp

Filesize
44KB

Download
memory/2984-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download