Malware Analysis Report

2024-12-07 10:01

Sample ID 241114-lhx7vsxcjj
Target 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber
SHA256 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
Tags
discovery persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d

Threat Level: Likely malicious

The file 2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (316) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 09:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 09:32

Reported

2024-11-14 09:35

Platform

win7-20240903-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A
File opened for modification C:\Windows\SysWOW64\sysx32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A
File created C:\Windows\SysWOW64\sysx32.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1728 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Windows\SysWOW64\sysx32.exe
PID 1728 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
PID 1728 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
PID 1728 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe
PID 1728 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

Network

N/A

Files

memory/1728-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\sysx32.exe

MD5 c07338aba36553458e7a69157218134d
SHA1 f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e
SHA256 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
SHA512 c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb

memory/1728-8-0x0000000000220000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

MD5 8c412d213f67d1ee30c0303458e07070
SHA1 4def0a8a5787a39686970d8426930918cef3d3b1
SHA256 f1339d75c7e9f34d06310db6af7040b17a81848db301cd70c19e488909ff1a07
SHA512 50030474035426b5ddccd924ca7ea71a13c4a6a55d5aef707eb51b7b884b2c38346fa89aa8d520f6dc365556bf6b1f4022277ec23b6dd6f0b101b2fab82a078a

memory/1728-18-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2416-19-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 09:32

Reported

2024-11-14 09:35

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"

Signatures

Renames multiple (316) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\sysx32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pcaui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\dllhst3g.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\setx.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\ddodiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\doskey.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\hdwwiz.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cttune.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\waitfor.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\choice.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\SndVol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\systeminfo.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\tracerpt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wiaacmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\auditpol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SearchProtocolHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\runas.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cttune.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PackagedCWALauncher.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rasautou.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setup.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\at.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\RMActivate_ssp_isv.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\runonce.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\gpupdate.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\newdev.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dvdplay.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\PresentationHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\TapiUnattend.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\CheckNetIsolation.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\ROUTE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\Utilman.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\powercfg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\quickassist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\wscadminui.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\chkntfs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\LaunchWinApp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\timeout.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\Magnify.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\cacls.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\curl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\HOSTNAME.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\dvdplay.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\MRINFO.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\unregmp2.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\regedt32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\stordiag.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\SysWOW64\cmdl32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\SysWOW64\InputSwitchToastHandler.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Program Files\Windows Mail\wab.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\SysWOW64\sysx32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-alg_31bf3856ad364e35_10.0.19041.746_none_86e29cecb9edce01\alg.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\r\wmplayer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_10.0.19041.264_none_02eb5d2ec5a9ec02\f\sdclt.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\r\SecHealthUI.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\f\usocoreworker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\r\vmcompute.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ces-backgroundagent_31bf3856ad364e35_10.0.19041.423_none_d8a242bf396f7d4d\r\SpaceAgent.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.1266_none_18784aba5fcd68cc\TokenBrokerCookies.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_openssh-client-components-onecore_31bf3856ad364e35_10.0.19041.964_none_dddeea757b7fbba7\sftp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_ebe59bdc3d4ddc3f\FlashPlayerApp.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.1237_none_c77fb947e9eed73b\r\wscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\f\WWAHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-winhstb_31bf3856ad364e35_10.0.19041.1_none_e94bc62edd251a47\winhlp32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\f\AppVClient.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_10.0.19041.964_none_a40a1f93665b43eb\f\SndVol.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\DataExchangeHost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1023_none_d3d892f3280079d7\MdmDiagnosticsTool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_b42ad8618bda36bd\TpmTool.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..te-musnotifyiconexe_31bf3856ad364e35_10.0.19041.1266_none_adfc223229a335a6\r\MusNotifyIcon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\winhlp32.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.19041.1_none_c991318e4b11e4cf\RMActivate_ssp.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4\r\vds.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-edge-microsoftedgecp_31bf3856ad364e35_10.0.19041.1_none_77274ce3b079d8f5\MicrosoftEdgeCP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\f\FilePicker.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_4ae21b160a9d5bb2\r\CameraSettingsUIHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_10.0.19041.1_none_1b575ad951209106\rdrleakdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_c05346ae3e1a99a4\r\rundll32.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.264_none_309e9e4a939c0bac\cscript.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\hcsdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-vbc_exe_b03f5f7f11d50a3a_4.0.15805.0_none_de9b06e519e58d0f\vbc.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-certificaterequesttool_31bf3856ad364e35_10.0.19041.1_none_1e01a107b6c5cadf\certreq.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-oobe-machine_31bf3856ad364e35_10.0.19041.1_none_c36f57b8a28f2fbc\msoobe.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_10.0.19041.1_none_64d83b9e511c141f\SecEdit.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_816403dd2374fa29\dfrgui.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_10.0.19041.1_none_19c9b562d4b65581\IMTCPROP.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\hnsdiag.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-d..ectxdatabaseupdater_31bf3856ad364e35_10.0.19041.928_none_138fb436497565f4\directxdatabaseupdater.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.1_none_f58a3da76ed0f251\dsdbutil.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\f\wmplayer.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-externaldictionary_31bf3856ad364e35_10.0.19041.1_none_fce141858c5d7f03\IMEWDBLD.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-xwizard-host-process_31bf3856ad364e35_10.0.19041.1_none_0ee51e56d7e170fb\xwizard.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\r\appcmd.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.19041.662_none_0070027dab4e4ffe\f\UtcDecoderHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_43c494653a7536d0\r\wiaacmgr.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.1_none_22d9ddcd4b2b9d68\CameraSettingsUIHost.exe C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_28f87d0444103fde\f\fontdrvhost.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_10.0.19041.84_none_bf1eecf3f472e3ce\Defrag.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.264_none_64b3f487e354744d\r\usocoreworker.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f_sppsvc.exe_fc6922a9 C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_10.0.19041.1_none_19c9b562d4b65581\IMTCLNWZ.EXE.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_10.0.19041.1_none_69f4af04dd2c1f80\lpq.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.19041.804_none_8b46258bdefa0beb\r\FXSSVC.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\f\FileExplorer.exe C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_multimedia-rrinstaller_31bf3856ad364e35_10.0.19041.746_none_fb3ba1752084c5cf\rrinstaller.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.1202_none_c0150a0a443c0ffc\wbadmin.exe.tmp C:\Windows\SysWOW64\sysx32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sysx32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe"

C:\Windows\SysWOW64\sysx32.exe

C:\Windows\system32\sysx32.exe /scan

C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3964-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\sysx32.exe

MD5 c07338aba36553458e7a69157218134d
SHA1 f80beaf33becdbda44ad2b8fd6b0d5e4dede0d0e
SHA256 11dcbbb9664c915f01d836f19e506389678d3214e7d8b10b01fc215a4c49974d
SHA512 c1156c702fe49ff5670677379e2e4fcb1492a5bc0e9157a07e1f7950f64bd72e0eb90e4717b1699aa64e1b9d64579523167bc633cc35b091d6627d581d26c6eb

C:\Program Files\7-Zip\7z.exe

MD5 b24e60196821ca7cf2b1d45a748b2325
SHA1 5e71e4b7589c372cf61df1841a897f65c987939f
SHA256 7f92c987728348b666deee703b6e0ca44186263df4ee521f7a20b41e01dba91e
SHA512 8bfc5e4e675bc6dca687cd53cceb702d7af55b4cb3110904766c2badd6e30bb2e4505f407cdde10816b9e332c6b08ff0ff69f276a2de8244a77d9d6810cf8e1b

C:\Users\Admin\AppData\Local\Temp\_2024-11-14_c07338aba36553458e7a69157218134d_hawkeye_magniber.exe

MD5 8c412d213f67d1ee30c0303458e07070
SHA1 4def0a8a5787a39686970d8426930918cef3d3b1
SHA256 f1339d75c7e9f34d06310db6af7040b17a81848db301cd70c19e488909ff1a07
SHA512 50030474035426b5ddccd924ca7ea71a13c4a6a55d5aef707eb51b7b884b2c38346fa89aa8d520f6dc365556bf6b1f4022277ec23b6dd6f0b101b2fab82a078a

memory/3964-59-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-403-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-404-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-824-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-1261-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-1734-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-2690-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-2691-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-2692-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-2693-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4868-2694-0x0000000000400000-0x0000000000411000-memory.dmp