hawkeye_reborn | b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe
Size

575KB
MD5

8d897a409a231c4bdb21ac3bcf9118b1
SHA1

9cfdb5e97e24948e90fc2c6baa4aeb06ce091470
SHA256

b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492
SHA512

45fa5b7121b91cbe8860362c1b966cdc070611a04126b5455fa2e5e025c65559cdba03f4d0db0c5b7249e8905a8200323225f40ecab0f6c6d6953c66744d51aa
SSDEEP

12288:PK3aVsTejOAevrUSNhpO+CaDq+b3gAcAyqR3zhIin:PK3XeKNvwAjLCaDq+b3tjR3zhIQ

Score

10^/10

hawkeye_reborn keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
(#@jS%{GF;0

Mutex

51ca91c3-9a11-4443-9e61-ee6e5c097d44

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:(#@jS%{GF;0 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.mail.ru _EmailUsername:[email protected] _ExecutionDelay:5 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:51ca91c3-9a11-4443-9e61-ee6e5c097d44 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2868-48-0x0000000000380000-0x00000000003F6000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2868-48-0x0000000000380000-0x00000000003F6000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/memory/2868-48-0x0000000000380000-0x00000000003F6000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
2196	HPXmmgLUSavYuccxma5.exe
2684	HPXmmgLUSavYuccxma5.exe
2996	HPXmmgLUSavYuccxma5.exe

Loads dropped DLL 10 IoCs

pid	Process
2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe
2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2684	HPXmmgLUSavYuccxma5.exe
2684	HPXmmgLUSavYuccxma5.exe
2996	HPXmmgLUSavYuccxma5.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\invoice"	HPXmmgLUSavYuccxma5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\invoice"	HPXmmgLUSavYuccxma5.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 2868	2196	HPXmmgLUSavYuccxma5.exe	39
PID 2684 set thread context of 1340	2684	HPXmmgLUSavYuccxma5.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	2996	WerFault.exe	50

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2196	HPXmmgLUSavYuccxma5.exe
2684	HPXmmgLUSavYuccxma5.exe
2684	HPXmmgLUSavYuccxma5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	HPXmmgLUSavYuccxma5.exe
Token: SeDebugPrivilege	2868	RegAsm.exe
Token: SeDebugPrivilege	2684	HPXmmgLUSavYuccxma5.exe
Token: SeDebugPrivilege	1340	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2196	2040	8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2196 wrote to memory of 2136	2196	HPXmmgLUSavYuccxma5.exe	29
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2136 wrote to memory of 2688	2136	csc.exe	31
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2196 wrote to memory of 2452	2196	HPXmmgLUSavYuccxma5.exe	32
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2452 wrote to memory of 2716	2452	csc.exe	34
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2628	2196	HPXmmgLUSavYuccxma5.exe	35
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 2664	2196	HPXmmgLUSavYuccxma5.exe	36
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 1996	2196	HPXmmgLUSavYuccxma5.exe	37
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2800	2196	HPXmmgLUSavYuccxma5.exe	38
PID 2196 wrote to memory of 2868	2196	HPXmmgLUSavYuccxma5.exe	39

C:\Users\Admin\AppData\Local\Temp\8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d897a409a231c4bdb21ac3bcf9118b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ahkbdiu\5ahkbdiu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AB2.tmp" "c:\Users\Admin\AppData\Local\Temp\5ahkbdiu\CSC19DD1C4B30AA4FBBA7E72C9AF7C182A6.TMP"
      4⤵
      PID:2688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nz3hl5py\nz3hl5py.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BAB.tmp" "c:\Users\Admin\AppData\Local\Temp\nz3hl5py\CSC9C77E52987164BF4BC2F1736CDA8B3D4.TMP"
      4⤵
      PID:2716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlguegre\mlguegre.cmdline"
      4⤵
      PID:2516
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES454A.tmp" "c:\Users\Admin\AppData\Local\Temp\mlguegre\CSC541C47493A2147BFB514F19965AE33FC.TMP"
        5⤵
        
        PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ticcmhlb\ticcmhlb.cmdline"
      4⤵
      PID:1732
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4672.tmp" "c:\Users\Admin\AppData\Local\Temp\ticcmhlb\CSCD45B7DD61B6A4EBCA4FA50BC765D682B.TMP"
        5⤵
        
        PID:1200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 676
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ahkbdiu\5ahkbdiu.dll

Filesize
1.5MB

MD5
919f08a5b494be0c8615461eb9ddf925

SHA1
c8512eb260977b85e1458c6caf700729f92fc2b3

SHA256
066afd63b54a4c4858b805e5be5f0fcf2adda25dde6551d329a8e94e1aefe548

SHA512
4f4f1db66d8a12de19185a4cbfdbe628ff17ce3136c488c2fdaa6559115af6875b11ad050609437d436847f0ff260cb520fbee9f6eee374116f5ed517a0814f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxm

Filesize
2.3MB

MD5
4b6dd3fa0fc4f3acddd93b3d4cdcfe87

SHA1
b6c2b6267a7103a8ba11698c7a8b19164e2332ea

SHA256
215b52ab5b3b5ce35de5b6a656fd6a614b9b1afffe0837a3679d28415eab6de5

SHA512
5e06e1e3f9837b3dcc6bae4cfb92552765193d8d283e0c1d3bfc552bf3fd20edcc3d8ecf47a2363e178a5fd1936f6c2afaffa2814c3946c1a9d14bc32953fff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1AB2.tmp

Filesize
1KB

MD5
3e27d46300a134a727f42185b9485c74

SHA1
00d6b65769c968e19469bd87efdda503f02d67c7

SHA256
48d9b5604fcd96328d99838f095b930cbfcec472e2110f090eeb887a8d18cf0a

SHA512
b0c01a8099138cc9a9cb64a3ca17ff03ca0c7e3d2f7ee3f988c0ffedbe4e0e69ff5e39361ecd9b6f80800d74f72ae14da5a32fa0087fc5fa192e98d3d68008e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BAB.tmp

Filesize
1KB

MD5
18d4c4ff624a289eef0049376c87fb49

SHA1
575e359d825d69e41db5bb2a7cddadb91a5e330e

SHA256
7d7f349f1ec4bc7aa48a95f73d2138eae64c992237db346ca5ab793795ee45f2

SHA512
047a69961b68bb45caf8268721b8983af3eaa0dfd6509ab7f66ceb18fd9e69a997122ff296617c1e94d2b6d357022063f9fbf2142cfcd6d07db75a6a326ddeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES454A.tmp

Filesize
1KB

MD5
4144454368dfe6a9da7a40bdb130909a

SHA1
1d9305653098638e10149d4270a6131740da499a

SHA256
65cc1435e2e37ff765f9739b1ed197acbbf1089901aa81cc6a0ed5acc6c5155d

SHA512
8eef053e8f5f02baf9afcb6393cdd82ec4a2a581cfbb31012708450acac67495e4a61f7448b3eb9e66e7dc95ab4a48c603316c7da08bc9d96ee550507d5be2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4672.tmp

Filesize
1KB

MD5
4b002ae4d4e3803728a299ec0ac78095

SHA1
e04e2180c8f3e7c18661f1e26a43fd34bbae9d2e

SHA256
8a307191e81d94c0f4fdfefc2a7d4458d306a30fbb1df084fb9a204ac67390cc

SHA512
73519c969825d2af07ae1836011683db5a473dee2277e07ea6c9047e64fec1d790c944b001b5f178cc6dbdaacd09750e6136e30759dd4176b746435b29a1aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlguegre\mlguegre.dll

Filesize
1.5MB

MD5
f150a9c4f7307ff4930de469630ab511

SHA1
969aa32dc17bb0f19a974ffc8bfbd3102765381b

SHA256
8525231b078ba470a0a130e25a91e49d1a4765c3b599f53c20c24d216098e719

SHA512
c9589785987229c642f8cdb15544d669fa3adcbe3f6bd0b2a702d719914c2bda5603ddbfc0a1248c798d4b172b80694d6c92e0d1a059a02735107880cb383f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nz3hl5py\nz3hl5py.dll

Filesize
1.5MB

MD5
f687fb6a557ff52ea4a1a061929130a2

SHA1
b3cb7fe25700c8c7241a269801db6c3c7c643b81

SHA256
d2e2338e1d043601c3433138047ae895029a10e0203f8468054b098eab0e6c1d

SHA512
383ac8266de75d3c392a5e8f98f1a58577f0055fc5a31d10215cbd5cdeb2f00a009ddd9ab9022a3cd4233290f7ee3c01a1e689d294d1ecf8734da940ecb1debd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ticcmhlb\ticcmhlb.dll

Filesize
1.5MB

MD5
cf6b165d1d2f53e47995d44983da408e

SHA1
dc118b9fbe779a803fb191d520f4b4bce4ca062e

SHA256
cd5ac50b771e533bf15c680a62c26565b98b0af960ae167f3bfa8d2ece88fc81

SHA512
7e527f563ab65e75b49102e9cfeeb709152c9fe6d594a0a2aff20b1a32b451cbb914b9a5ac6786befe06c017e9e45c1f8b47a4a2c625a6de52be913f3b7b2c6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ahkbdiu\5ahkbdiu.0.cs

Filesize
2.3MB

MD5
c4553a6c03961a891e252d294b9ddc9a

SHA1
e992302c0c55d53fdee7649d2a0b37f6a5d1e895

SHA256
72a239e00851771a77b50e21dd388e79f62bdf4ac4f35425f047477b04d26812

SHA512
8d36dcf23a3bd97bcc89c54d56e4a998e5ef1a70361d9ebade3b098125966276afd5ad15ff2efe5e1f5a8412ce6a9fe27280c25a56ad12799be89b8e0f082d35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ahkbdiu\5ahkbdiu.cmdline

Filesize
302B

MD5
cadc67f6d0815bc4008b77cfc939d110

SHA1
000a9aa064706629152b4560859a5c7d0cb3bc65

SHA256
a170e8f1f468c212e76b8021e92502b1c16713c66e8af08b76cb36e6652be0e3

SHA512
1e1d1ddfa206c9fc639d8687f66922bb3c3306d3bb993febf6422159180f6004eeec6437e0136e3841e0327103635a339df3f53bec41c04e72753cbc8e474ee7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5ahkbdiu\CSC19DD1C4B30AA4FBBA7E72C9AF7C182A6.TMP

Filesize
652B

MD5
5a1e284fdec299ad6c500fcbcd0c5c14

SHA1
01310e98557e07a49f55ec271fdfec6ccd0a58be

SHA256
97883af939beb0b5cdafe5e2ae5a79d7cc5d5cc5521ee6cdd32f6202b704f40b

SHA512
cf58321936ffabc1ac0bde2bdf0fc4a4467522a4a316bc589b351b81a6ecfebcfd27522216d6aebe69cfebd656acf3da23ea755e23f6e6ddc0b78d3d9cb3a65e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlguegre\CSC541C47493A2147BFB514F19965AE33FC.TMP

Filesize
652B

MD5
df9441ebcf21f7a488321193d37b3e49

SHA1
ab03c9b33e0375fce75c23996ab3b6837b0ebf0c

SHA256
ca64264c5f194dd5cae7809caedcf4962013f4f8b65632df490b96100e3078a8

SHA512
61306935b16356fdfefcead730154e6eae0fd3f51b47ae08d706cd2faeb2d135516fd4ff4639a9ff63391d3900dfa12984fc3c9d58f6fe7f241d6908d4b97a89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlguegre\mlguegre.cmdline

Filesize
302B

MD5
b89153d9aa75a9e027c7591d63a6b738

SHA1
ce6615b0b0099b3f4016a7228b5140c72b20518b

SHA256
ea8b185d0acc2607a490ae22391a0ad0f67211cf0b559e4600a6441557b71499

SHA512
ec0a159eb70d2a75b3c1e17ede679d7373c9e2ca873977a1ee3beb1e7e612794bea345feebff68b2c41c56b6dff0045a51f5fc52f88a8fb76120edef59240813

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nz3hl5py\CSC9C77E52987164BF4BC2F1736CDA8B3D4.TMP

Filesize
652B

MD5
bb23edb7688543a838d6f8acdf6d7f86

SHA1
594cd4bd8a86c995c8a7462d8bfd998ffb8bc617

SHA256
e7398bd3645761bffc513175634d5abfa704f7cb43efbdccc92be6633f46ee61

SHA512
94f204c060bbc4f81ac60fdf01ffa1ec0f9682144e2825e1e0d21089b921a02a6dffd0d962daae0e80868ab49ef49acb995a244ce8544f273b08b41d0dab4897

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nz3hl5py\nz3hl5py.cmdline

Filesize
302B

MD5
92c9d498f31d81202b53a29826d192f0

SHA1
e1284feb1455bb70718ccd52565309e2af5b68e3

SHA256
6b704b1e3e21429d1a3de98f06cff7620aaec081f914bd6c540263f2cf94758e

SHA512
a45ed1433e9d37c3283b77cf3aa1aef4a5ea216fb39ae5a65a7e0fb8bdd21f615f166846674a860691db1f3c720ae44ed9bc338dba3bc7c8dd8220e0fbc61ab2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ticcmhlb\CSCD45B7DD61B6A4EBCA4FA50BC765D682B.TMP

Filesize
652B

MD5
4ad09da3df5698a9efc69dba496c8324

SHA1
28921695c78643edd7e647f9da0f3eb19dd2089c

SHA256
e887876281fba842b1b0396cdfa40afa2c1ee0832c3fef133f0081f957683e3c

SHA512
9a38348cd36a6a1a89cc6bcd94dc64a7d7bfee2fbcc41ff1bbb88a1f60602d4e0c5efa921e6fce2032cc1b3f5cace106a74a6283bc5e48a1f1c2dc1d86be64fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ticcmhlb\ticcmhlb.cmdline

Filesize
302B

MD5
3e319999f0fc57f5347c8f478462ac5f

SHA1
c5f870481c0d2208f203354d6faf4141f59a90a2

SHA256
91de7ccb1cc2ecf001b2041f3041c67154b70e9302cf0527d9323eff0e73b287

SHA512
c3e6dc36fa91d4274ecddc8e79000aa49ed69c69211cbb53c99ae722a4fed39c3d1ce8abc7a21b25f0dc1e3497a1b39ebdf1f2f43fc6335d3439e15fcaeb87fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

Filesize
28KB

MD5
af744c4398b9d3cfd8be3946d03d4702

SHA1
5ff999e469c822807a08a247e3ba8b767c0e24e3

SHA256
6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638

SHA512
d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

Download Submit
memory/2196-41-0x0000000005420000-0x00000000055AE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-43-0x0000000000900000-0x0000000000998000-memory.dmp

Filesize
608KB

Download
memory/2196-13-0x0000000001090000-0x000000000109E000-memory.dmp

Filesize
56KB

Download
memory/2196-27-0x0000000005290000-0x000000000541E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-64-0x0000000005080000-0x000000000520E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-78-0x0000000005210000-0x000000000539E000-memory.dmp

Filesize
1.6MB

Download
memory/2868-48-0x0000000000380000-0x00000000003F6000-memory.dmp

Filesize
472KB

Download
memory/2868-46-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-47-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2868-45-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download