e60928dee71b11866a826bc474a72b928327d1378ea80319819217cebcd53b2a

Resubmissions

05-10-2024 17:22

241005-vx29ssseke 7

05-10-2024 17:21

241005-vw7g5axfkn 4

Analysis

max time kernel
171s
max time network
162s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windhawk_setup.exe
Size

10.0MB
MD5

d634fcd62241a93efd88315091cced44
SHA1

f1baad89da31bf3f63d07e9cb1517e371101dde1
SHA256

e60928dee71b11866a826bc474a72b928327d1378ea80319819217cebcd53b2a
SHA512

93d37c89215f5123168d2d16dc74da5a36375d914201562b2701783f82bb50c4488f2a1330d7567fdc734db1089f87369b61e86188401c55e8c4fbc4bdaaff70
SSDEEP

196608:A3rzSJQkbeHufi8QhiNArredu5VODUqad9jDxrawNZFOu3U3V2:AbzkQGeHeQhqureM5MDBG9fIOdE30

Score

7^/10

discovery execution

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
2296	windhawk.exe
3284	Explorer.EXE
2516	sihost.exe
2740	sysmon.exe
2688	unsecapp.exe
3816	StartMenuExperienceHost.exe
3824	RuntimeBroker.exe
4048	RuntimeBroker.exe
4724	SppExtComObj.exe
3636	windhawk.exe
1144	windhawk.exe
3308	VSCodium.exe
4532	VSCodium.exe
1496	VSCodium.exe
2372	VSCodium.exe
2068	VSCodium.exe
2988	VSCodium.exe
4460	VSCodium.exe
3104	VSCodium.exe
2224	VSCodium.exe
3228	VSCodium.exe
2608	windhawk.exe
400	windhawk.exe
1332	g++.exe
880	clang-18.exe
2272	clang-18.exe
1384	ld.lld.exe

Loads dropped DLL 64 IoCs

pid	Process
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
2296	windhawk.exe
996	OfficeClickToRun.exe
728	windhawk_setup.exe
3636	windhawk.exe
728	windhawk_setup.exe
2356	schtasks.exe
728	windhawk_setup.exe
1256	schtasks.exe
728	windhawk_setup.exe
3860	cmd.exe
3924	schtasks.exe
1564	powershell.exe
1404	Conhost.exe
728	windhawk_setup.exe
760	schtasks.exe
728	windhawk_setup.exe
728	windhawk_setup.exe
2816	DllHost.exe
1144	windhawk.exe
3308	VSCodium.exe
3308	VSCodium.exe
4532	VSCodium.exe
4532	VSCodium.exe
3308	VSCodium.exe
4532	VSCodium.exe
4532	VSCodium.exe
4532	VSCodium.exe
4532	VSCodium.exe
3308	VSCodium.exe
1496	VSCodium.exe
1496	VSCodium.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1564	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
25	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\crt2.o	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libwecapi.a	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\c++\v1\__algorithm\ranges_remove.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\c++\v1\__type_traits\is_constant_evaluated.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\ddk\poclass.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\systemmediatransportcontrolsinterop.idl	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\winscard.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\wmcodecdsp.idl	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\lib\clang\18\include\llvm_libc_wrappers\assert.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libipxsap.a	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winrt\impl\Windows.ApplicationModel.1.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winrt\impl\Windows.Media.Streaming.Adaptive.1.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\UI\resources\app\node_modules.asar.unpacked\spdlog	windhawk_setup.exe
File created	C:\Program Files\Windhawk\UI\resources\app\node_modules.asar.unpacked\native-keymap\build\Release\keymapping.node	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\ntddscsi.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\sec_api\mbstring_s.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\UI\resources\app\node_modules.asar.unpacked\native-watchdog	windhawk_setup.exe
File created	C:\Program Files\Windhawk\UI\resources\app\extensions\git-base\syntaxes\ignore.tmLanguage.json	windhawk_setup.exe
File created	C:\Program Files\Windhawk\UI\resources\app\extensions\markdown-language-features\icon.png	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libtapi32.a	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\dxfile.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libipsecsvc.a	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\axextend.idl	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\c++\v1\__memory\allocator_traits.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libunwind.dll.a	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\wil\com.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winrt\Windows.Web.Http.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\adtgen.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\c++\v1\__algorithm\ranges_clamp.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\c++\v1\__chrono\formatter.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\cmnquery.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\lmrepl.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\scesvc.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\xpsrassvc.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libxaudio2_8.a	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\activscp.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\c++\v1\__charconv\from_chars_integral.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\d2d1_2helper.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\librnr20.a	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winrt\Windows.Foundation.Diagnostics.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\windows.security.cryptography.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winrt\impl\Windows.ApplicationModel.Background.1.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\UI\resources\app\extensions\json\syntaxes\JSON.tmLanguage.json	windhawk_setup.exe
File created	C:\Program Files\Windhawk\UI\resources\app\out\vs\platform\audioCues\browser\media\error.mp3	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winsmcrd.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\lib\clang\18\include\sanitizer\ubsan_interface.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libaspperf.a	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\UI\resources\app\out\vs\workbench\contrib\terminal\browser	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\c++\v1\__condition_variable\condition_variable.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\chanmgr.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\dxgicommon.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\wincodecsdk.idl	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\windows.gaming.input.custom.idl	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\lib\clang\18\include\avx512vpopcntdqintrin.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\include\winrt\impl\Windows.ApplicationModel.AppService.2.h	windhawk_setup.exe
File created	C:\Program Files\Windhawk\UI\resources\app\extensions\theme-defaults\fileicons\images\document-dark.svg	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\share\man\man1	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libd3dx9_27.a	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\bitsmsg.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\include\c++\v1\__ranges\transform_view.h	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libdpnhupnp.a	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libkerberos.a	windhawk_setup.exe
File opened for modification	C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libmsdtcuiu.a	windhawk_setup.exe
File created	C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libdelayimp.a	windhawk_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g++.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windhawk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windhawk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windhawk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ld.lld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windhawk_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windhawk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windhawk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VSCodium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clang-18.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VSCodium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	VSCodium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VSCodium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	VSCodium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	VSCodium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	VSCodium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	VSCodium.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk	VSCodium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk\URL Protocol	VSCodium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk\ = "URL:windhawk"	VSCodium.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk\shell\open\command	VSCodium.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk\shell	VSCodium.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk\shell\open	VSCodium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\windhawk\shell\open\command\ = "\"C:\\Program Files\\Windhawk\\UI\\VSCodium.exe\" \"--open-url\" \"--\" \"%1\""	VSCodium.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	VSCodium.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	VSCodium.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	VSCodium.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1564	powershell.exe
1564	powershell.exe
2988	VSCodium.exe
2988	VSCodium.exe
4460	VSCodium.exe
4460	VSCodium.exe
3104	VSCodium.exe
3104	VSCodium.exe
3228	VSCodium.exe
3228	VSCodium.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	728	windhawk_setup.exe
Token: SeSecurityPrivilege	728	windhawk_setup.exe
Token: SeDebugPrivilege	2296	windhawk.exe
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe
Token: SeShutdownPrivilege	3308	VSCodium.exe
Token: SeCreatePagefilePrivilege	3308	VSCodium.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3636	windhawk.exe
3636	windhawk.exe
3636	windhawk.exe
3636	windhawk.exe
3636	windhawk.exe
3308	VSCodium.exe
3636	windhawk.exe
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3636	windhawk.exe
3636	windhawk.exe
3636	windhawk.exe
3636	windhawk.exe
3636	windhawk.exe
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2516	2296	windhawk.exe	41
PID 2296 wrote to memory of 2516	2296	windhawk.exe	41
PID 2296 wrote to memory of 2740	2296	windhawk.exe	47
PID 2296 wrote to memory of 2740	2296	windhawk.exe	47
PID 2296 wrote to memory of 2688	2296	windhawk.exe	52
PID 2296 wrote to memory of 2688	2296	windhawk.exe	52
PID 2296 wrote to memory of 3284	2296	windhawk.exe	53
PID 2296 wrote to memory of 3284	2296	windhawk.exe	53
PID 2296 wrote to memory of 3756	2296	windhawk.exe	56
PID 2296 wrote to memory of 3756	2296	windhawk.exe	56
PID 2296 wrote to memory of 3816	2296	windhawk.exe	57
PID 2296 wrote to memory of 3816	2296	windhawk.exe	57
PID 2296 wrote to memory of 3824	2296	windhawk.exe	58
PID 2296 wrote to memory of 3824	2296	windhawk.exe	58
PID 2296 wrote to memory of 4048	2296	windhawk.exe	60
PID 2296 wrote to memory of 4048	2296	windhawk.exe	60
PID 2296 wrote to memory of 2872	2296	windhawk.exe	61
PID 2296 wrote to memory of 2872	2296	windhawk.exe	61
PID 2296 wrote to memory of 4384	2296	windhawk.exe	62
PID 2296 wrote to memory of 4384	2296	windhawk.exe	62
PID 2296 wrote to memory of 996	2296	windhawk.exe	72
PID 2296 wrote to memory of 996	2296	windhawk.exe	72
PID 2296 wrote to memory of 4724	2296	windhawk.exe	73
PID 2296 wrote to memory of 4724	2296	windhawk.exe	73
PID 2296 wrote to memory of 2508	2296	windhawk.exe	75
PID 2296 wrote to memory of 2508	2296	windhawk.exe	75
PID 2296 wrote to memory of 728	2296	windhawk.exe	78
PID 2296 wrote to memory of 728	2296	windhawk.exe	78
PID 2296 wrote to memory of 3636	2296	windhawk.exe	80
PID 2296 wrote to memory of 3636	2296	windhawk.exe	80
PID 2296 wrote to memory of 3636	2296	windhawk.exe	80
PID 2296 wrote to memory of 3636	2296	windhawk.exe	80
PID 2296 wrote to memory of 3636	2296	windhawk.exe	80
PID 728 wrote to memory of 2356	728	windhawk_setup.exe	81
PID 728 wrote to memory of 2356	728	windhawk_setup.exe	81
PID 728 wrote to memory of 2356	728	windhawk_setup.exe	81
PID 728 wrote to memory of 2356	728	windhawk_setup.exe	81
PID 728 wrote to memory of 2356	728	windhawk_setup.exe	81
PID 728 wrote to memory of 1256	728	windhawk_setup.exe	83
PID 728 wrote to memory of 1256	728	windhawk_setup.exe	83
PID 728 wrote to memory of 1256	728	windhawk_setup.exe	83
PID 728 wrote to memory of 1256	728	windhawk_setup.exe	83
PID 728 wrote to memory of 1256	728	windhawk_setup.exe	83
PID 728 wrote to memory of 3860	728	windhawk_setup.exe	85
PID 728 wrote to memory of 3860	728	windhawk_setup.exe	85
PID 728 wrote to memory of 3860	728	windhawk_setup.exe	85
PID 728 wrote to memory of 3860	728	windhawk_setup.exe	85
PID 728 wrote to memory of 3860	728	windhawk_setup.exe	85
PID 728 wrote to memory of 3924	728	windhawk_setup.exe	87
PID 728 wrote to memory of 3924	728	windhawk_setup.exe	87
PID 728 wrote to memory of 3924	728	windhawk_setup.exe	87
PID 728 wrote to memory of 3924	728	windhawk_setup.exe	87
PID 728 wrote to memory of 3924	728	windhawk_setup.exe	87
PID 3860 wrote to memory of 1564	3860	cmd.exe	89
PID 3860 wrote to memory of 1564	3860	cmd.exe	89
PID 3860 wrote to memory of 1564	3860	cmd.exe	89
PID 3860 wrote to memory of 1564	3860	cmd.exe	89
PID 3860 wrote to memory of 1564	3860	cmd.exe	89
PID 2296 wrote to memory of 1404	2296	windhawk.exe	86
PID 2296 wrote to memory of 1404	2296	windhawk.exe	86
PID 728 wrote to memory of 760	728	windhawk_setup.exe	90
PID 728 wrote to memory of 760	728	windhawk_setup.exe	90
PID 728 wrote to memory of 760	728	windhawk_setup.exe	90
PID 728 wrote to memory of 760	728	windhawk_setup.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3284
- C:\Users\Admin\AppData\Local\Temp\windhawk_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\windhawk_setup.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn WindhawkRunUITask /f
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn WindhawkRunUITask /xml "C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\WindhawkRunUITask.xml"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /S /C "powershell -ExecutionPolicy Bypass -Command "& {$ErrorActionPreference = \"Stop\";$scheduler = New-Object -ComObject \"Schedule.Service\";$scheduler.Connect();$task = $scheduler.GetFolder(\"\").GetTask(\"WindhawkRunUITask\");$sec = $task.GetSecurityDescriptor(0xF);$sec = $sec + '(A;;GRGX;;;AU)';$task.SetSecurityDescriptor($sec, 0)}" -FFFeatureOff"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Loads dropped DLL
      PID:1404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -Command "& {$ErrorActionPreference = \"Stop\";$scheduler = New-Object -ComObject \"Schedule.Service\";$scheduler.Connect();$task = $scheduler.GetFolder(\"\").GetTask(\"WindhawkRunUITask\");$sec = $task.GetSecurityDescriptor(0xF);$sec = $sec + '(A;;GRGX;;;AU)';$task.SetSecurityDescriptor($sec, 0)}" -FFFeatureOff
      4⤵
      Loads dropped DLL
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn WindhawkUpdateTask /f
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn WindhawkUpdateTask /xml "C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\WindhawkUpdateTask.xml"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:760
- - C:\Program Files\Windhawk\windhawk.exe
    "C:\Program Files\Windhawk\windhawk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1144
  - - C:\Program Files\Windhawk\UI\VSCodium.exe
      "C:\Program Files\Windhawk\UI\VSCodium.exe" "C:\ProgramData\Windhawk\EditorWorkspace" --locale=en --no-sandbox --disable-gpu-sandbox
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies registry class
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3308
    - - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --user-data-dir="C:\ProgramData\Windhawk\UIData\user-data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 --field-trial-handle=1688,i,8974846487946457807,8429630343914426957,131072 --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ProgramData\Windhawk\UIData\user-data" --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --mojo-platform-channel-handle=1832 --field-trial-handle=1688,i,8974846487946457807,8429630343914426957,131072 --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1496
    - - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" --type=renderer --user-data-dir="C:\ProgramData\Windhawk\UIData\user-data" --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-user-model-id=RamenSoftware.Windhawk --app-path="C:\Program Files\Windhawk\UI\resources\app" --no-sandbox --no-zygote --enable-blink-features=HighlightAPI,WebAppWindowControlsOverlay --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2520 --field-trial-handle=1688,i,8974846487946457807,8429630343914426957,131072 --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --vscode-window-config=vscode:d5a28a8b-e5d3-45f0-8ee4-216989f96556 /prefetch:1
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
    - - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" --type=renderer --user-data-dir="C:\ProgramData\Windhawk\UIData\user-data" --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-user-model-id=RamenSoftware.Windhawk --app-path="C:\Program Files\Windhawk\UI\resources\app" --no-sandbox --no-zygote --node-integration-in-worker --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2760 --field-trial-handle=1688,i,8974846487946457807,8429630343914426957,131072 --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --vscode-window-config=vscode:3ec0c952-e74a-4ea0-9acb-33a38badab1f --vscode-window-kind=shared-process /prefetch:1
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
      - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" "c:\Program Files\Windhawk\UI\resources\app\out\bootstrap-fork" --type=ptyHost --logsPath C:\ProgramData\Windhawk\UIData\user-data\logs\20241005T172512
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
      - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" "c:\Program Files\Windhawk\UI\resources\app\out\bootstrap-fork" --type=fileWatcher
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wsl.exe -l -q"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1616
    - - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" --inspect-port=0 "c:\Program Files\Windhawk\UI\resources\app\out\bootstrap-fork" --type=extensionHost --skipWorkspaceStorageLock
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
      - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" "c:\Program Files\Windhawk\UI\resources\app\extensions\json-language-features\server\dist\node\jsonServerMain" --node-ipc --clientProcessId=2988
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
      - \??\c:\Program Files\Windhawk\windhawk.exe
        
        "c:\Program Files\Windhawk\windhawk.exe" -new-updates-found
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
      - \??\c:\Program Files\Windhawk\Compiler\bin\g++.exe
        
        "c:\Program Files\Windhawk\Compiler\bin\g++.exe" -std=c++23 -O2 -shared -DUNICODE -D_UNICODE -DWINVER=0x0A00 -D_WIN32_WINNT=0x0A00 -D_WIN32_IE=0x0A00 -DNTDDI_VERSION=0x0A000008 -D__USE_MINGW_ANSI_STDIO=0 -DWH_MOD "-DWH_MOD_ID=L\"windows-11-taskbar-styler\"" "-DWH_MOD_VERSION=L\"1.3.7\"" "c:\Program Files\Windhawk\Engine\1.5.1\64\windhawk.lib" c:\ProgramData\Windhawk\EditorWorkspace\mod.wh.cpp -include windhawk_api.h -target x86_64-w64-mingw32 -o C:\ProgramData\Windhawk\Engine\Mods\64\windows-11-taskbar-styler_1.3.7_535670.dll -lcomctl32 -lole32 -loleaut32 -lruntimeobject -Wl,--export-all-symbols
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:780
        
        \??\c:\Program Files\Windhawk\Compiler\bin\clang-18.exe
        
        "c:\Program Files\Windhawk\Compiler\bin\clang-18" --start-no-unused-arguments --driver-mode=g++ -target i686-w64-mingw32 -rtlib=compiler-rt -unwindlib=libunwind -stdlib=libc++ -fuse-ld=lld --end-no-unused-arguments -std=c++23 -O2 -shared -DUNICODE -D_UNICODE -DWINVER=0x0A00 -D_WIN32_WINNT=0x0A00 -D_WIN32_IE=0x0A00 -DNTDDI_VERSION=0x0A000008 -D__USE_MINGW_ANSI_STDIO=0 -DWH_MOD "-DWH_MOD_ID=L\"windows-11-taskbar-styler\"" "-DWH_MOD_VERSION=L\"1.3.7\"" "c:\Program Files\Windhawk\Engine\1.5.1\64\windhawk.lib" c:\ProgramData\Windhawk\EditorWorkspace\mod.wh.cpp -include windhawk_api.h -target x86_64-w64-mingw32 -o C:\ProgramData\Windhawk\Engine\Mods\64\windows-11-taskbar-styler_1.3.7_535670.dll -lcomctl32 -lole32 -loleaut32 -lruntimeobject -Wl,--export-all-symbols
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Program Files\Windhawk\Compiler\bin\clang-18.exe
        
        "C:/Program Files/Windhawk/Compiler/bin/clang-18.exe" -cc1 -triple x86_64-w64-windows-gnu -emit-obj -dumpdir "C:\ProgramData\Windhawk\Engine\Mods\64\windows-11-taskbar-styler_1.3.7_535670.dll-" -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name mod.wh.cpp -mrelocation-model pic -pic-level 2 -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -mms-bitfields -funwind-tables=2 -fno-use-init-array -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb "-fdebug-compilation-dir=c:/Program Files/Windhawk/Compiler" "-fcoverage-compilation-dir=c:/Program Files/Windhawk/Compiler" -resource-dir "C:/Program Files/Windhawk/Compiler/lib/clang/18" -include windhawk_api.h -D UNICODE -D _UNICODE -D WINVER=0x0A00 -D _WIN32_WINNT=0x0A00 -D _WIN32_IE=0x0A00 -D NTDDI_VERSION=0x0A000008 -D __USE_MINGW_ANSI_STDIO=0 -D WH_MOD -D "WH_MOD_ID=L\"windows-11-taskbar-styler\"" -D "WH_MOD_VERSION=L\"1.3.7\"" -internal-isystem "c:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/include/c++/v1" -internal-isystem "c:/Program Files/Windhawk/Compiler/include/c++/v1" -internal-isystem "C:/Program Files/Windhawk/Compiler/lib/clang/18/include" -internal-isystem "c:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/include" -internal-isystem "c:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/usr/include" -internal-isystem "c:/Program Files/Windhawk/Compiler/include" -O2 -std=c++23 -fdeprecated-macro -ferror-limit 19 -fno-use-cxa-atexit -fgnuc-version=4.2.1 -fno-implicit-modules -fskip-odr-check-in-gmf -fcxx-exceptions -fexceptions -exception-model=seh -vectorize-loops -vectorize-slp -faddrsig -o C:/Users/Admin/AppData/Local/Temp/mod-d8e085.o -x c++ "c:\ProgramData\Windhawk\EditorWorkspace\mod.wh.cpp"
        8⤵
        Executes dropped EXE
        
        PID:2272
        
        \??\c:\Program Files\Windhawk\Compiler\bin\ld.lld.exe
        
        "c:/Program Files/Windhawk/Compiler/bin/ld.lld" -m i386pep --shared -Bdynamic -e DllMainCRTStartup --enable-auto-image-base -o "C:\ProgramData\Windhawk\Engine\Mods\64\windows-11-taskbar-styler_1.3.7_535670.dll" "c:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/lib/dllcrt2.o" "c:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/lib/crtbegin.o" "-Lc:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/lib" "-Lc:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/mingw/lib" "-LC:/Program Files/Windhawk/Compiler/lib/clang/18/lib/windows" "c:\Program Files\Windhawk\Engine\1.5.1\64\windhawk.lib" C:/Users/Admin/AppData/Local/Temp/mod-d8e085.o -lcomctl32 -lole32 -loleaut32 -lruntimeobject --export-all-symbols -lc++ -lmingw32 "C:/Program Files/Windhawk/Compiler/lib/clang/18/lib/windows/libclang_rt.builtins-x86_64.a" -lunwind -lmoldname -lmingwex -lmsvcrt -ladvapi32 -lshell32 -luser32 -lkernel32 -lmingw32 "C:/Program Files/Windhawk/Compiler/lib/clang/18/lib/windows/libclang_rt.builtins-x86_64.a" -lunwind -lmoldname -lmingwex -lmsvcrt -lkernel32 "c:/Program Files/Windhawk/Compiler/x86_64-w64-mingw32/lib/crtend.o"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
    - - C:\Program Files\Windhawk\UI\VSCodium.exe
        
        "C:\Program Files\Windhawk\UI\VSCodium.exe" --type=renderer --user-data-dir="C:\ProgramData\Windhawk\UIData\user-data" --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-user-model-id=RamenSoftware.Windhawk --app-path="C:\Program Files\Windhawk\UI\resources\app" --enable-sandbox --enable-blink-features=HighlightAPI,WebAppWindowControlsOverlay --no-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1688,i,8974846487946457807,8429630343914426957,131072 --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --vscode-window-config=vscode:d5a28a8b-e5d3-45f0-8ee4-216989f96556 /prefetch:1
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - C:\Windows\system32\wsl.exe
        
        C:\Windows\Sysnative\wsl.exe --status
        5⤵
        
        PID:4492

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2872

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4384

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Loads dropped DLL
PID:996

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2508

C:\Program Files\Windhawk\windhawk.exe
"C:\Program Files\Windhawk\windhawk.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files\Windhawk\windhawk.exe
  "C:\Program Files\Windhawk\windhawk.exe" -tray-only
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Loads dropped DLL
PID:2816

C:\Program Files\Windhawk\windhawk.exe
"C:\Program Files\Windhawk\windhawk.exe" -check-for-updates
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\gcrt2.o

Filesize
2KB

MD5
30bc92170c41a90ada79dd377ace7b01

SHA1
1179bb5a55d736b2f046a796737cc19f996a8b6a

SHA256
0115210e2469944ae998ca69fcc39953e2692f6692304d33fad9aacfacfe1ba7

SHA512
b78884b448e1cd855c549f60e855404f6c34d61a3b94a6a031a62163babdb87c51122107a0da8e6e8bedd4a094377b4cc045220fdeef4aadf808d8b4f2944dad

Download Submit
C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libd3dcompiler_35.a

Filesize
2KB

MD5
a6833e66680b7457352965a85482e126

SHA1
b67e69b6b16ec490b0804ac5b01a26073fb38f55

SHA256
18aa8cb29c35ca25ebf616aedc059371ea3cb481435662830a29d3ee3d1a0b78

SHA512
11697bf09a1cabd46c7dd0349b3c04859ef0c1028a51e438ead2ecf107d143e31ed144213a8927aed7d8d9a137b03be97592cb0f5f55fc1f2d4be31921c1e3ed

Download Submit
C:\Program Files\Windhawk\Compiler\i686-w64-mingw32\lib\libssp_nonshared.a

Filesize
8B

MD5
ab0a4c8c62da160eaae565341c07f202

SHA1
c98a17c08a612b399bcbcffed621456142bf10af

SHA256
f0a17a43c74d2fe5474fa2fd29c8f14799e777d7d75a2cc4d11c20a6e7b161c5

SHA512
220dbd2e437313c441bc34a9707ccc2e70a9c864399cfcb2aad34a012b75c45316758f8b6e85c668920beb510e0a4bc11a3129ee4d9df25a3fd090e944437dab

Download Submit
C:\Program Files\Windhawk\Compiler\include\scardsrv.h

Filesize
238B

MD5
1f0d70d404140b0b980828d2d02345ce

SHA1
cc21371a235a392bd17807d6774c60e64ff5bb28

SHA256
a32207b286686ad5f42d72a5c96308b96c5cb5f42fb2a7deef01843e657c6035

SHA512
d1a5589be969b15e09379c630fd56849d2a57eb6d26068899753c7701c97ff695fefe63648749f2bc7526cd0fd8816970ecec00d5f476f84f9cb10c0e9a377a0

Download Submit
C:\Program Files\Windhawk\Compiler\include\txctx.h

Filesize
237B

MD5
78e0d5a995d78a006930de3633bbd3be

SHA1
f58a7650dece31af5c4f3931981dc9bb2584c101

SHA256
255a11df990657af623e682c7c3a81274fbb4a80c10f1dc2280cb3ce4eb98cf4

SHA512
18a5f5166a12b157e5727e7e4187c1b9521530419fefbb355be693da8fa959a852a6b00eadf4d759c74931f7943ca3f08ce01ac7497a80892b79489aa1bf8b38

Download Submit
C:\Program Files\Windhawk\Compiler\share\libc++\v1\std.compat\cfloat.inc

Filesize
440B

MD5
c90884b4b37c4416bc9e06b7e05eee83

SHA1
a7910f32378931a4c8cf86186cde5f0488c96196

SHA256
ba6d2968e387be16375170a945d210b42a3f103bb7c1c8ab7c9d3d190c746105

SHA512
6f0ecb0f9e5a65747e6f59b29b4e6a1da04a1d17fffcf971936193df58423dbfac0ca4898d3ef924b1244f515553755534b3685584da567b65401efc08b180e1

Download Submit
C:\Program Files\Windhawk\Compiler\share\libc++\v1\std\cfloat.inc

Filesize
461B

MD5
2d594af0d5a963e56d9f77abf7042abb

SHA1
c716f93b2bd4c23a05bee2830b99756bfbf69de6

SHA256
dde40ec35e6728a5ddcde229fe62f85c6c8d2a573126de3a3603fc8981ae6d2a

SHA512
4a3a0f8593a6f84e3884b9ad06a59c305a834f59ba357714d3a7f07d5440fbd93c6ac049c4390a67c198299999be7839d2b034d31a0b3c287d132c50740c2928

Download Submit
C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\gcrt2.o

Filesize
2KB

MD5
95b85c946719739b5aa5c30395802386

SHA1
0e481993feb633e388ae9bec972e5c11b65d59c8

SHA256
c5a4b460090009d50c715eb9b4cb9df12cf18826490860ee95fdac1802638d65

SHA512
56c5be94c7de012021adb22a1c6bbc905f27200ac92ca65cc00734a4fe7a724d431b262a853d009d3d87ba83f7c829746c714eeb60b815054482adb7e3bc8fc4

Download Submit
C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\lib\libd3dcompiler_35.a

Filesize
2KB

MD5
d2c085bda6edba7c0bc2611576a3eaa2

SHA1
0b82e1b3d5e9075d6411432b8838fd964b7a6b7f

SHA256
a836e2c842878a7df2351079edc9cbaa5a9dd14a2a1ca4ef042447d4a5446601

SHA512
dc9c5afb02d3a2cab3028f086b822738c39c366358bcf12a1780e5be14eb55c865ef6348e59e94f4896c3fe5db383c5bb83009dbe2bdbf7fd65701cceed87567

Download Submit
C:\Program Files\Windhawk\Compiler\x86_64-w64-mingw32\share\mingw32\COPYING

Filesize
2KB

MD5
bb936f0e04d8f1e19ad545100cee9654

SHA1
ca7a993958b886d2435da65fe6996b89e57e8354

SHA256
99a69660981156c21336fdb5661f89341b013c94e4bf9e1c7467b4745718397f

SHA512
07e171b66b74e967e3a233639de62df503304c8ec7185019cd61849ec82c5f0e33fcce1b92fc3fc2fc3116b6b17f332d1b31571f804e970a8a624fafb625b693

Download Submit
C:\Program Files\Windhawk\Engine\1.5.1\32\windhawk.dll

Filesize
866KB

MD5
50b6669e7b8cf120b2066e2d366d3994

SHA1
374d45d76e536320716c5808b168e2fb58522c14

SHA256
8e690f5d967df2eedf3d0ee542b8b9df3febfb7c70939df28fc363aa7c66acf5

SHA512
cfd11b16825378549282c4bffe54e622b734f5df540b0a7299ac0c9055ea57e59c853d117c79d9a8029d00a80b3a48ff9477a22caafc9fabb0b80ee6441e03f4

Download Submit
C:\Program Files\Windhawk\Engine\1.5.1\64\windhawk.dll

Filesize
940KB

MD5
3fb6ebd7d8db72e172e911a266277d55

SHA1
aa8448ca2d56b196b5773ac5804df26b298100d8

SHA256
1a04cc0166d12d9e2f6b7c842961f0916086f680d941993e073ee2f6c4d46c38

SHA512
0e2d6016d6d55794188b64fa638b778bbb03b16b6a9b86d967ea3387540f561743d17851ca973e1176073070a635d35c0321f3b5e1e706750080fda89f3c6187

Download Submit
C:\Program Files\Windhawk\Engine\1.5.1\engine.ini

Filesize
224B

MD5
8ab713faf7a25a288e92a46bd4f5576b

SHA1
26f032e7b074a788ed91df1777b1e82f3411198b

SHA256
63f6c638bbd1f0bd8852dd6460d40561c13b103b9e70d4b3c53d0b671162708f

SHA512
3c8bfa0f2a1b0c1518badb21c856013fb940320a4d2b13d667ad4807f5ac112af6e07155b354fde1100dee90efcbad014b896e1419766ee6bd1a2201ec12d7d3

Download Submit
C:\Program Files\Windhawk\UI\resources\app\extensions\markdown-language-features\dist\extension.js.LICENSE.txt

Filesize
5KB

MD5
1ec85b4d25937dcbeff1c35b7fa5c6bc

SHA1
e782b747b88450957391619b376abf98f11f7aa3

SHA256
38ee4192b4a1f7da0535d4f2bd219ab5b108b1d3b6b9871ca00c762464b60701

SHA512
95ded5456a7ce6fb3af391bc859cfb1d964e718d3540cc29c5f1288550f109fc12dbbcf9ffff923cd486f23bd90d5f2020e7d580724fe445480be09a1f173573

Download Submit
C:\Program Files\Windhawk\UI\resources\app\out\vs\code\electron-sandbox\processExplorer\processExplorer.js

Filesize
42KB

MD5
fc848a0f835f1bdd835ea2efd680cca0

SHA1
751ba7ee0e9740557981b670502b10a8ca38f41b

SHA256
b5e31fcdc54694d52b1955c2d57134bbd8b0f9f0b2ce28de5b9a9b92eaab19a4

SHA512
03bc050c287d7948d350fff8ba25d3e75903fe27b2f89faba3b7d40487b2e70c93bf50c39c61cbab3a8d54d5221c85a1cc50d1c5443b5e80e8e3fba91ba73607

Download Submit
C:\Program Files\Windhawk\UI\resources\app\out\vs\workbench\browser\parts\editor\media\letterpress-hcLight.svg

Filesize
4KB

MD5
70ab425ac6de0c114b7b57b180a73219

SHA1
e8612a2c34c219d543f79486e1c5c10d581f084d

SHA256
0602eb49509d57434b724afed57b1f2dcbb8b78a731e38ed8eb61aaf75c6397b

SHA512
ee762d3656cb2851d3cf116c1dcdd2b58dedfece1784166bd27741e4f6ca52dcfa6599436bc7a060fdcc149aa71802d1163b9f90a7bc789eebc8bebaeaed4453

Download Submit
C:\Program Files\Windhawk\windhawk.exe

Filesize
763KB

MD5
4e26dc9976c4577830c9b287b3b9633e

SHA1
f257668bc1630e82d7a9e2b91fbd16440a9f0d72

SHA256
685d95cc192a9a46869d11b5f3dab7945c0570f4e5972a02042fde2257e96f87

SHA512
8c3d5bf8e76547321031047c2593e3da6ab1e8ca75d1f38922f87a5a2d5a455c8207984a2ccd5ee806fcbbdbc58574ca859bb8009d1d87d132c5110edf411b2e

Download Submit
C:\Program Files\Windhawk\windhawk.ini

Filesize
314B

MD5
b2ae0ad9f88256ce9381e081f0ef5ff2

SHA1
7d8036ade580de6c8a054e2bce6f1e27e0d9c75f

SHA256
24d721bcca8e7bc2b320aaa711dc948ac7ec2a78e38daaa188c6d3b78e1bff74

SHA512
fd2d83a83012bf3ad779339b8d5610099f1bcc0b34ccd2c45d15eb8096d6eb76268917dcee6d63a94e163ad04beb2f06eff2f2f9d1d81d42ba7d6ba37518d71f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windhawk.lnk

Filesize
1KB

MD5
69786112c3f6d978587027d0e85e27a2

SHA1
aa226175885a29a353a3a0d4c3af487f3865f215

SHA256
430eda6450fedf60abe68d209fcf66c3256f8409d77a07aedcac0c7cbd7ea3d0

SHA512
786132b84ea70c5881e470e617aece5190bd8ddbfc2a2bb7d4ecbdf073700ba145c2b87d94336a2d5f01c531dc4f69a34ca507463868213e729810dddd6ccdd5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windhawk.lnk~RFe5953c3.TMP

Filesize
1KB

MD5
75faf0e29fa61d9cb07c64a231387b19

SHA1
9d4c43608dab9248eaa4864414528dad5220321a

SHA256
523ba5f0fe7d94e9ae557ed580a980c1d317685e9e6b157bbff14c6287764b19

SHA512
ab85112e38100d0cb6342e82c70878fe28b060f5ace69486835167089bcd8a198ef6a7dff9de4b5925cd42bba4109d5d7d0860e468d8bb5d7593e8b7e070dc2a

Download Submit
C:\ProgramData\Windhawk\EditorWorkspace\.vscode\settings.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\ProgramData\Windhawk\EditorWorkspace\.vscode\settings.json

Filesize
132B

MD5
dba8585757015ec118827534ea6b9a93

SHA1
0caa2c4753afd6e61e5aafe74f2e3e75671c2e8e

SHA256
212bf7f1772994c8399eaacee875d378e3ac263e6a4950d117666a4f1dce4f08

SHA512
bcc5263c683b149f8c0f7f638c5cfff6e18d39ca83685998b28c43e864020de124047061f614c630e278157b28fe8e4eebbbf673e0493f904adafa506ca11ce7

Download Submit
C:\ProgramData\Windhawk\UIData\argv.json

Filesize
799B

MD5
18027ee9ac670d632c74c512fee15785

SHA1
d1755c680c7b60173a9a0b7dbe234bcd632cbabb

SHA256
23e3363412b57fda08ee3235a2abad67a1d45844c5a1b0d5ce99f0b61e607a91

SHA512
f4168d5235167fc41d8ff7edadb1103ac831197082209a41cd42b4cf27fa578f11e63bf43342937dca2793f20f3f43db9edef65dc25a933996934e4cf4ad6c3f

Download Submit
C:\ProgramData\Windhawk\UIData\extensions\extensions.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\CacheStorage\2a552d8ecb4d32cf0e3f74522e1d423caaa77a40\84fde107-9d28-41cc-960b-03b71cadaac3\index-dir\the-real-index

Filesize
216B

MD5
58d09928d7c8e1b8df31d06530bcd8bf

SHA1
a012c21f161ac96363c4eb865c7a975bd8e79cbe

SHA256
073a8433ec53559400736ee7d3a46eaf457090191baba8e796879a9e14a51595

SHA512
417ebc13a1ad0bf4d3081eb3b1ef069db0b7cf280af61f82ab7f12c4ec1abca55150f7f560eb58bdb7983efa38bd48b57ed7da152dae8d9040cb7cebb42df728

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\CacheStorage\2a552d8ecb4d32cf0e3f74522e1d423caaa77a40\84fde107-9d28-41cc-960b-03b71cadaac3\index-dir\the-real-index~RFe59bc61.TMP

Filesize
48B

MD5
f10c68c647c48f6a7763f9d25433d003

SHA1
f4f31f9380158b9a5e754ab35d1dc2698ca9a8fe

SHA256
996990ada62b163cf29a69c458bc8aff73d4fa77344949570e0c10b8a31f76c7

SHA512
4ef8ac3a888496aec4f267a1009a2db779abe5f981180cc9df2296a8c99b985a0039f0659ee60275132cdcfacaa1491dd85f0a0a95e9302618164d791b860bdc

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\CacheStorage\2a552d8ecb4d32cf0e3f74522e1d423caaa77a40\index.txt

Filesize
146B

MD5
73fc916d7c5cf37cde85862d7ab63f64

SHA1
bd8ba2c2dfc7281b398dece79d9bc86e31595861

SHA256
5bbd32fa609a5b5e1d93a2b61f20698999623c616e11c1f34f212b0c14e43b35

SHA512
800c29e348e1ed16f8405dac23cf64c40e4d4083b0459d9cd56e6e39e119605bfc72437959a5ffa7f373eabfc86bf0f6694772acd8a90da65b993c0bc651d0d1

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\CacheStorage\2a552d8ecb4d32cf0e3f74522e1d423caaa77a40\index.txt~RFe59bc9f.TMP

Filesize
150B

MD5
8a5833ef2a72447f343049af51ae52a8

SHA1
b2c2dc12c4a0addde0f8858700ccbe3efffc0616

SHA256
1a73ee1a4b87472c8db10b2799d3d31f746abf1d4f7994c9beb60f85965f886a

SHA512
69fbd32cd549c543fe4a748c2f69fff65fa3d42336a14ede427bcfd6d4cd33db640450e2595fc1b6aeec87da2d5f6b135a5c85eddfcfbdafd0588717863ed7a0

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\ScriptCache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9062d08a3ff5a76bc2282ee4a11b53ff

SHA1
0364f01055c69c64440167527f61cac3548db88d

SHA256
f4d77d8a1c5cd116b898aa92ebd91cf097317b889526851cd7210c1a809e5088

SHA512
bccb76a28cb37dd58cedb69ea67f2d47ba5ab2cf1d909f884e3e36dd526c360009fcbcff57d0912704792ce4340f203e7ac57a527a75c2202f3f2ac8d8c95793

Download Submit
C:\ProgramData\Windhawk\UIData\user-data\Service Worker\ScriptCache\index-dir\the-real-index~RFe59b963.TMP

Filesize
72B

MD5
6c06a8f4c189fe6023ce6b4c9aa9bd69

SHA1
31bfa66a16ec7d1af97c5144c491c093093cd9f8

SHA256
496ffd288807a0d30103e92e7b11f4b427616c4d3f2088274fd263830fd8821f

SHA512
0e42e91fd6ba78df2db92c3851b95bf0922dbb881acf9b69ff9965b82f11a3400119998def723ff1d6d01e4dd83190a0132c4247a8fe307266f6415dd0782343

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihhi0vmw.al4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\AccessControl.dll

Filesize
15KB

MD5
d74bb4447af48da081c7d9b499f3a023

SHA1
dadf6e140e6fd8e49a1851cc144bb022e0adb185

SHA256
5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52

SHA512
9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\ApplicationID.dll

Filesize
198KB

MD5
91c2e2f34b5bba068e9a6178e13a4e5c

SHA1
affcac00894c9afd152e55d0bff7899349edcd6c

SHA256
f6851dcbf0a39edecd8a46564bc455e5273736c3dbcb02b954c201c79ccdf117

SHA512
ce7f629bc0e6e10eca9d671513062f353d8d47666df58c9ad7cc7f767df520b75b2da1f9d6551eae86c738455919463ec89a0c3dc2a8366fa021e6fa6e292000

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\WindhawkRunUITask.xml

Filesize
2KB

MD5
c5a8c610ef39cca87d8eb9c43b85184d

SHA1
059446b83be2ada64e91e7b86b51dc55bfdd1355

SHA256
10b198979ca99ca5bb387af5684014227687a00cf9e0ff71ea8a0ccfcf8250fc

SHA512
1c0f5a36df78d5734ee139138b903dbdf85108d7b78abc76cdb1afd528103fba514e403404bff2eef9b7ad7f115b5b365cf1767377ed56d22fc27de175df3a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCB41.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\Desktop\Windhawk.lnk

Filesize
1KB

MD5
03f8007e70bd378e3171cf1315b1c3c4

SHA1
e8980b33700aa4ea412301854f69c6f74922ae88

SHA256
85a71de4c90a445153be46514743235be8f303932f5ae6bb1b1f4830a2174535

SHA512
02531e75b5eb48b986be179cc0fe5fe66dc5130ede2f20dc035ed2cae4b02929f62cd205d3cce10f9e39e906e21b99195fb41eca9c692b0a142b6542dbcc42f2

Download Submit
C:\Users\Public\Desktop\Windhawk.lnk~RFe5953e3.TMP

Filesize
1KB

MD5
a7dc72a61037f26d92fa59f7c060fadd

SHA1
2a1ca614990370aec55a30420a201546ac36346e

SHA256
82ddea46e399d949e9b9f482a641b8d39d2f49c4ec471b98cabd6c249b9a647b

SHA512
1734c45f26c27db15df9260811301781b75d3dd616244a69274b4b1a69215ac375fb1ee3b2d50093d3e1695fe7857bbdfabed79bb5fb0e4754f626025e962da1

Download Submit
memory/728-12345-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/728-12273-0x0000000000790000-0x00000000008AC000-memory.dmp

Filesize
1.1MB

Download
memory/728-12323-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/996-12317-0x0000000030E80000-0x0000000030E81000-memory.dmp

Filesize
4KB

Download
memory/1404-12365-0x0000000023BA0000-0x0000000023BA1000-memory.dmp

Filesize
4KB

Download
memory/1564-12374-0x00000000052A0000-0x00000000052C2000-memory.dmp

Filesize
136KB

Download
memory/1564-12419-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/1564-12395-0x0000000005B80000-0x0000000005ED7000-memory.dmp

Filesize
3.3MB

Download
memory/1564-12375-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1564-12368-0x0000000005300000-0x000000000592A000-memory.dmp

Filesize
6.2MB

Download
memory/1564-12364-0x0000000002860000-0x0000000002896000-memory.dmp

Filesize
216KB

Download
memory/1564-12361-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1564-12376-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/1564-12418-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/1564-12423-0x0000000006590000-0x00000000065AA000-memory.dmp

Filesize
104KB

Download
memory/1564-12422-0x00000000077B0000-0x0000000007E2A000-memory.dmp

Filesize
6.5MB

Download
memory/1616-12630-0x0000000023630000-0x0000000023631000-memory.dmp

Filesize
4KB

Download
memory/2296-12325-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2296-12336-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2508-12321-0x000000002D020000-0x000000002D021000-memory.dmp

Filesize
4KB

Download
memory/2516-12292-0x000000000CC00000-0x000000000CC01000-memory.dmp

Filesize
4KB

Download
memory/2688-12296-0x0000000013740000-0x0000000013741000-memory.dmp

Filesize
4KB

Download
memory/2740-12294-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2816-12420-0x0000000027C20000-0x0000000027C21000-memory.dmp

Filesize
4KB

Download
memory/2872-12313-0x0000000001900000-0x0000000001901000-memory.dmp

Filesize
4KB

Download
memory/3284-12298-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3284-12876-0x00007FFB201A0000-0x00007FFB201A1000-memory.dmp

Filesize
4KB

Download
memory/3636-12335-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3756-12302-0x0000000023130000-0x0000000023131000-memory.dmp

Filesize
4KB

Download
memory/3816-12307-0x000000001AED0000-0x000000001AED1000-memory.dmp

Filesize
4KB

Download
memory/3824-12309-0x0000000017550000-0x0000000017551000-memory.dmp

Filesize
4KB

Download
memory/4048-12311-0x0000000027F30000-0x0000000027F31000-memory.dmp

Filesize
4KB

Download
memory/4384-12315-0x00000000135C0000-0x00000000135C1000-memory.dmp

Filesize
4KB

Download
memory/4492-12681-0x0000000037AC0000-0x0000000037AC1000-memory.dmp

Filesize
4KB

Download
memory/4724-12319-0x0000000012680000-0x0000000012681000-memory.dmp

Filesize
4KB

Download