hawkeye | bde35d2817ab64fe26bfafc71b8e7c8d47ba08aa23d6ad15a26ff1ff3fbd99b7

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
Size

1.7MB
MD5

b03ef6672d4f79c1f4293cf7758b5794
SHA1

02278477f16bbc31bea3e103ceb83bd03a19c9e1
SHA256

bde35d2817ab64fe26bfafc71b8e7c8d47ba08aa23d6ad15a26ff1ff3fbd99b7
SHA512

de00feaafde5ac26d280473d11f0638da374bba40f19379cfadfdca045598bdf682f1070d2a781ddfad2bba2848e63ab64308083401cb345147f2f08b68a2253
SSDEEP

24576:r4lVqxn0YdlEnfami+SnU3s72ZYlv47O+W:rOcj3xmi+XhOt

Score

10^/10

hawkeye discovery evasion keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugtemp\\neoex.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
584	explorer.exe

Executes dropped EXE 3 IoCs

Processes:

explorer.exed3dref9.exeifsutilx.exe

pid	Process
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe

Loads dropped DLL 5 IoCs

Processes:

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exeexplorer.exed3dref9.exedw20.exe

pid	Process
1976	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
584	explorer.exe
584	explorer.exe
2620	d3dref9.exe
2332	dw20.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeifsutilx.exe

description	pid	Process	procid_target
PID 584 set thread context of 2492	584	explorer.exe	32
PID 2168 set thread context of 1924	2168	ifsutilx.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dw20.execmd.execmd.exereg.exed3dref9.exeb03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.execmd.exeexplorer.exereg.exeifsutilx.exeAppLaunch.exeAppLaunch.execmd.exereg.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifsutilx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

pid	Process
2656	reg.exe
2776	reg.exe
2800	reg.exe
2872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exed3dref9.exeifsutilx.exe

pid	Process
584	explorer.exe
2620	d3dref9.exe
584	explorer.exe
584	explorer.exe
2620	d3dref9.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
2168	ifsutilx.exe
584	explorer.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe
584	explorer.exe
2168	ifsutilx.exe
2620	d3dref9.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exeexplorer.exeAppLaunch.exed3dref9.exeifsutilx.exe

description	pid	Process
Token: SeDebugPrivilege	1976	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
Token: SeDebugPrivilege	584	explorer.exe
Token: 1	2492	AppLaunch.exe
Token: SeCreateTokenPrivilege	2492	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	2492	AppLaunch.exe
Token: SeLockMemoryPrivilege	2492	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	2492	AppLaunch.exe
Token: SeMachineAccountPrivilege	2492	AppLaunch.exe
Token: SeTcbPrivilege	2492	AppLaunch.exe
Token: SeSecurityPrivilege	2492	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2492	AppLaunch.exe
Token: SeLoadDriverPrivilege	2492	AppLaunch.exe
Token: SeSystemProfilePrivilege	2492	AppLaunch.exe
Token: SeSystemtimePrivilege	2492	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2492	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2492	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2492	AppLaunch.exe
Token: SeCreatePermanentPrivilege	2492	AppLaunch.exe
Token: SeBackupPrivilege	2492	AppLaunch.exe
Token: SeRestorePrivilege	2492	AppLaunch.exe
Token: SeShutdownPrivilege	2492	AppLaunch.exe
Token: SeDebugPrivilege	2492	AppLaunch.exe
Token: SeAuditPrivilege	2492	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2492	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2492	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2492	AppLaunch.exe
Token: SeUndockPrivilege	2492	AppLaunch.exe
Token: SeSyncAgentPrivilege	2492	AppLaunch.exe
Token: SeEnableDelegationPrivilege	2492	AppLaunch.exe
Token: SeManageVolumePrivilege	2492	AppLaunch.exe
Token: SeImpersonatePrivilege	2492	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2492	AppLaunch.exe
Token: 31	2492	AppLaunch.exe
Token: 32	2492	AppLaunch.exe
Token: 33	2492	AppLaunch.exe
Token: 34	2492	AppLaunch.exe
Token: 35	2492	AppLaunch.exe
Token: SeDebugPrivilege	2620	d3dref9.exe
Token: SeDebugPrivilege	2168	ifsutilx.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

pid	Process
2492	AppLaunch.exe
2492	AppLaunch.exe
2492	AppLaunch.exe
1924	AppLaunch.exe
1924	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exeexplorer.exeAppLaunch.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1976 wrote to memory of 584	1976	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	31
PID 1976 wrote to memory of 584	1976	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	31
PID 1976 wrote to memory of 584	1976	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	31
PID 1976 wrote to memory of 584	1976	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	31
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 584 wrote to memory of 2492	584	explorer.exe	32
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2984	2492	AppLaunch.exe	33
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2616	2492	AppLaunch.exe	34
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2340	2492	AppLaunch.exe	35
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2492 wrote to memory of 2824	2492	AppLaunch.exe	37
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2824 wrote to memory of 2800	2824	cmd.exe	41
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2984 wrote to memory of 2656	2984	cmd.exe	43
PID 2616 wrote to memory of 2776	2616	cmd.exe	42
PID 2616 wrote to memory of 2776	2616	cmd.exe	42
PID 2616 wrote to memory of 2776	2616	cmd.exe	42
PID 2616 wrote to memory of 2776	2616	cmd.exe	42
PID 2616 wrote to memory of 2776	2616	cmd.exe	42
PID 2616 wrote to memory of 2776	2616	cmd.exe	42
PID 2616 wrote to memory of 2776	2616	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2800
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 584
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
      "C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2168
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
72430aae472e3d038e8c8f5ed2709c24

SHA1
11a71420af8009bd7946bf16735df2bfeab101f7

SHA256
482032e805814209fd2712d96ecb49129e166f8fc719d6e6fa3c405a66ee6429

SHA512
67efb8afed8b30665e1cfe1c906bddf7f937b1f538ef6d0d84d637b807a98c56270e5142a6f1658fca291133019574c6aaea8b78ff2d93b9d0987e6100631eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe

Filesize
7KB

MD5
882395953db028ddc33f5dd0382c8f3e

SHA1
0600e62a4e3c272d47509559dff523c32520a7d6

SHA256
0861c32cd83eae4fefaecc63a2054556b9b63384bcd839eca3dff5f122df85c7

SHA512
bc0d0fc45767fcc15330fbc19d035f37591cdb37eca924ba5750b31780d265ed1523f5842131949cccf024bef8f21123b8aa6c672677ec72e9cd0cb8f1f63c3d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
1.7MB

MD5
b03ef6672d4f79c1f4293cf7758b5794

SHA1
02278477f16bbc31bea3e103ceb83bd03a19c9e1

SHA256
bde35d2817ab64fe26bfafc71b8e7c8d47ba08aa23d6ad15a26ff1ff3fbd99b7

SHA512
de00feaafde5ac26d280473d11f0638da374bba40f19379cfadfdca045598bdf682f1070d2a781ddfad2bba2848e63ab64308083401cb345147f2f08b68a2253

Download Submit
memory/584-13-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/584-14-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/584-12-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/584-59-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/584-58-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-2-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-11-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-1-0x0000000074E00000-0x00000000753AB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-0-0x0000000074E01000-0x0000000074E02000-memory.dmp

Filesize
4KB

Download
memory/2492-28-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2492-22-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2492-24-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2492-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-20-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2492-60-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download