hawkeye | 8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176

General

Target

8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
Size

488KB
MD5

32119bc05a71df1acbcd331912e81343
SHA1

285d81aa2c4196aa41184c0cc791fd5b7aab3d91
SHA256

8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176
SHA512

0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4
SSDEEP

6144:fiQ+CGTCCkfVHKPikyX862ZAMB6gjaUVQJqtHnnW6H0TeXp5PfiioJwm26N8j6uM:fiQ+Chdy6gugQ+HW6hpxvoJwr1KaJbt

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updates\\NoZ.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiadag.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audiadag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiadag.exe"	audiadag.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

42 4648 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

explorer.exeaudiadag.exeWmiprvsd.exe

pid process

380 explorer.exe
3488 audiadag.exe
1568 Wmiprvsd.exe

flow	pid	process
42	4648	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiadag.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiadag.exe"	audiadag.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeWmiprvsd.exe

description	pid	process	target process
PID 380 set thread context of 4648	380	explorer.exe	rundll32.exe
PID 1568 set thread context of 3200	1568	Wmiprvsd.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1100 reg.exe
32 reg.exe
4700 reg.exe
1396 reg.exe

pid	process
1100	reg.exe
32	reg.exe
4700	reg.exe
1396	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeaudiadag.exeWmiprvsd.exe

pid	process
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe
1568	Wmiprvsd.exe
380	explorer.exe
3488	audiadag.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exeexplorer.exerundll32.exeaudiadag.exeWmiprvsd.exe

description	pid	process
Token: SeDebugPrivilege	5016	8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
Token: SeDebugPrivilege	380	explorer.exe
Token: 1	4648	rundll32.exe
Token: SeCreateTokenPrivilege	4648	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	4648	rundll32.exe
Token: SeLockMemoryPrivilege	4648	rundll32.exe
Token: SeIncreaseQuotaPrivilege	4648	rundll32.exe
Token: SeMachineAccountPrivilege	4648	rundll32.exe
Token: SeTcbPrivilege	4648	rundll32.exe
Token: SeSecurityPrivilege	4648	rundll32.exe
Token: SeTakeOwnershipPrivilege	4648	rundll32.exe
Token: SeLoadDriverPrivilege	4648	rundll32.exe
Token: SeSystemProfilePrivilege	4648	rundll32.exe
Token: SeSystemtimePrivilege	4648	rundll32.exe
Token: SeProfSingleProcessPrivilege	4648	rundll32.exe
Token: SeIncBasePriorityPrivilege	4648	rundll32.exe
Token: SeCreatePagefilePrivilege	4648	rundll32.exe
Token: SeCreatePermanentPrivilege	4648	rundll32.exe
Token: SeBackupPrivilege	4648	rundll32.exe
Token: SeRestorePrivilege	4648	rundll32.exe
Token: SeShutdownPrivilege	4648	rundll32.exe
Token: SeDebugPrivilege	4648	rundll32.exe
Token: SeAuditPrivilege	4648	rundll32.exe
Token: SeSystemEnvironmentPrivilege	4648	rundll32.exe
Token: SeChangeNotifyPrivilege	4648	rundll32.exe
Token: SeRemoteShutdownPrivilege	4648	rundll32.exe
Token: SeUndockPrivilege	4648	rundll32.exe
Token: SeSyncAgentPrivilege	4648	rundll32.exe
Token: SeEnableDelegationPrivilege	4648	rundll32.exe
Token: SeManageVolumePrivilege	4648	rundll32.exe
Token: SeImpersonatePrivilege	4648	rundll32.exe
Token: SeCreateGlobalPrivilege	4648	rundll32.exe
Token: 31	4648	rundll32.exe
Token: 32	4648	rundll32.exe
Token: 33	4648	rundll32.exe
Token: 34	4648	rundll32.exe
Token: 35	4648	rundll32.exe
Token: SeDebugPrivilege	3488	audiadag.exe
Token: SeDebugPrivilege	1568	Wmiprvsd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4648 rundll32.exe
4648 rundll32.exe
4648 rundll32.exe
3200 rundll32.exe
3200 rundll32.exe

pid	process
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
3200	rundll32.exe
3200	rundll32.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exeexplorer.exerundll32.execmd.execmd.execmd.execmd.exeaudiadag.exeWmiprvsd.exe

description	pid	process	target process
PID 5016 wrote to memory of 380	5016	8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe	explorer.exe
PID 5016 wrote to memory of 380	5016	8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe	explorer.exe
PID 5016 wrote to memory of 380	5016	8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe	explorer.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 380 wrote to memory of 4648	380	explorer.exe	rundll32.exe
PID 4648 wrote to memory of 4468	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 4468	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 4468	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 456	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 456	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 456	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 1656	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 1656	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 1656	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 1116	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 1116	4648	rundll32.exe	cmd.exe
PID 4648 wrote to memory of 1116	4648	rundll32.exe	cmd.exe
PID 4468 wrote to memory of 4700	4468	cmd.exe	reg.exe
PID 4468 wrote to memory of 4700	4468	cmd.exe	reg.exe
PID 4468 wrote to memory of 4700	4468	cmd.exe	reg.exe
PID 456 wrote to memory of 1396	456	cmd.exe	reg.exe
PID 456 wrote to memory of 1396	456	cmd.exe	reg.exe
PID 456 wrote to memory of 1396	456	cmd.exe	reg.exe
PID 380 wrote to memory of 3488	380	explorer.exe	audiadag.exe
PID 380 wrote to memory of 3488	380	explorer.exe	audiadag.exe
PID 380 wrote to memory of 3488	380	explorer.exe	audiadag.exe
PID 1656 wrote to memory of 1100	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1100	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1100	1656	cmd.exe	reg.exe
PID 1116 wrote to memory of 32	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 32	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 32	1116	cmd.exe	reg.exe
PID 3488 wrote to memory of 1568	3488	audiadag.exe	Wmiprvsd.exe
PID 3488 wrote to memory of 1568	3488	audiadag.exe	Wmiprvsd.exe
PID 3488 wrote to memory of 1568	3488	audiadag.exe	Wmiprvsd.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe
PID 1568 wrote to memory of 3200	1568	Wmiprvsd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe
"C:\Users\Admin\AppData\Local\Temp\8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:4700

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updates\NoZ.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:32

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\rundll32.exe" /t REG_SZ /d "C:\Windows\SysWOW64\rundll32.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\rundll32.exe" /t REG_SZ /d "C:\Windows\SysWOW64\rundll32.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1396

C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe
"C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
5⤵
- Suspicious use of SetWindowsHookEx
PID:3200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
c45c0cf1e981b3ea16f378e15694160a

SHA1
e4c5e9751ec3e82fb1c647230a258425951b41dc

SHA256
13aa86eaa22a8a3abedb1c381444aa3f36e09b2ba3a7dae8624a0e72d94e6fe0

SHA512
f37fdb0ccc245e71c015112e6896858cffde590460a7e0c7fb62c8555b8ab622b73650da8f38cd2faf6d9e79df3c99780e5820d6de69ba7e79ba868fe43ba070

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
Filesize
488KB

MD5
32119bc05a71df1acbcd331912e81343

SHA1
285d81aa2c4196aa41184c0cc791fd5b7aab3d91

SHA256
8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176

SHA512
0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\Wmiprvsd.exe
Filesize
488KB

MD5
32119bc05a71df1acbcd331912e81343

SHA1
285d81aa2c4196aa41184c0cc791fd5b7aab3d91

SHA256
8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176

SHA512
0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe
Filesize
9KB

MD5
3b3515ae5be07674b71c2c1f74e298e2

SHA1
ce336fc83661eeedb00de087ea53a2ccc60d1fec

SHA256
66b40ba0578f18ae39e2c7d5e33ae05d315bd9172517dd27b464efdcb4f965d8

SHA512
18c29eb0344f4b50c32c74744e69ab3ca34fe5a4394cef75d4fea4fe8e0c7138651f57ee86c1a28d06bbfc790c5b69ac661fc9e93f9977d788c11870af0ef02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiadag.exe
Filesize
9KB

MD5
3b3515ae5be07674b71c2c1f74e298e2

SHA1
ce336fc83661eeedb00de087ea53a2ccc60d1fec

SHA256
66b40ba0578f18ae39e2c7d5e33ae05d315bd9172517dd27b464efdcb4f965d8

SHA512
18c29eb0344f4b50c32c74744e69ab3ca34fe5a4394cef75d4fea4fe8e0c7138651f57ee86c1a28d06bbfc790c5b69ac661fc9e93f9977d788c11870af0ef02b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
488KB

MD5
32119bc05a71df1acbcd331912e81343

SHA1
285d81aa2c4196aa41184c0cc791fd5b7aab3d91

SHA256
8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176

SHA512
0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
488KB

MD5
32119bc05a71df1acbcd331912e81343

SHA1
285d81aa2c4196aa41184c0cc791fd5b7aab3d91

SHA256
8f9cd57db574bc54883668459c530ee81a0e748fd4778b07009e5bda3f5f6176

SHA512
0a98ab9f2748e12c2fda307d5df101917dc6292434739989dec96cc1b2177056ef468941509763018218c675117c4f541b624d1a5a97977f03e53658e0eb1aa4

Download Submit
memory/32-157-0x0000000000000000-mapping.dmp

Download
memory/380-139-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/380-169-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/380-133-0x0000000000000000-mapping.dmp

Download
memory/456-149-0x0000000000000000-mapping.dmp

Download
memory/1100-155-0x0000000000000000-mapping.dmp

Download
memory/1116-151-0x0000000000000000-mapping.dmp

Download
memory/1396-153-0x0000000000000000-mapping.dmp

Download
memory/1568-158-0x0000000000000000-mapping.dmp

Download
memory/1568-171-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1568-168-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1656-150-0x0000000000000000-mapping.dmp

Download
memory/3200-160-0x0000000000000000-mapping.dmp

Download
memory/3488-154-0x0000000000000000-mapping.dmp

Download
memory/3488-167-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/3488-170-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4468-148-0x0000000000000000-mapping.dmp

Download
memory/4648-141-0x0000000000000000-mapping.dmp

Download
memory/4648-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4648-142-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4700-152-0x0000000000000000-mapping.dmp

Download
memory/5016-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/5016-136-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads