hawkeye | b288adfbd1da93be69b9acd59ca421bfdba59b4dd457c5b457652b61628a9645

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2025, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

17.4MB
MD5

6c5f34449df54c94c0899b79f4e0daf9
SHA1

f37a250a00fb1637e0584853a5aa46af82d8282a
SHA256

b288adfbd1da93be69b9acd59ca421bfdba59b4dd457c5b457652b61628a9645
SHA512

78875fda16cce785e758dd13f861164b212f5a2b5a0c64e59bc0baeaea1d3362c6987a588c19cf7b8c635bc4bccb69e81c02dbe9d0b0fd94670382ca660a5f0f
SSDEEP

393216:JYJK+TcfoYVSvwM5DpxXUpyW68E52KWfLhgB7jn/1Pn6V5J:28Ng8ebXZJRGhghT/1CV5J

Score

10^/10

hawkeye aspackv2 defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	2244	Process not Found

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023e0f-38.dat	aspack_v212_v242
behavioral2/files/0x0007000000023e15-106.dat	aspack_v212_v242
behavioral2/files/0x0007000000023e19-147.dat	aspack_v212_v242
behavioral2/files/0x0007000000023e1b-178.dat	aspack_v212_v242
behavioral2/files/0x0007000000023e23-254.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	Output.exe

Executes dropped EXE 31 IoCs

pid	Process
1184	DeskScroller.exe
1180	DesktopBoom.exe
2876	DScroller.exe
2540	Flasher.exe
4232	Flip.exe
4256	halyava.exe
3444	Hello.exe
2716	Hydra.exe
4728	Invert.exe
2188	Launcher.exe
2152	Melting.exe
4392	myWeb.exe
2928	Patterns.exe
640	Popup.exe
3500	rickroll.exe
2604	ScreenScrew.exe
1496	stretch.exe
3700	stretcher.exe
4136	Time.exe
4564	Trololo.exe
4768	Vista.exe
4660	Windows-KB2670838.msu.exe
4856	WindowsUpdate.exe
2436	Avoid.exe
1892	Black&White.exe
4936	Blank.exe
1336	Bubbler.exe
3080	ChilledWindows.exe
4776	CookieClickerHack.exe
864	CrazyNCS.exe
2744	Curfun.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blank.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hydra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vista.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeskScroller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	halyava.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows-KB2670838.msu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bubbler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myWeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patterns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stretch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stretcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Curfun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DScroller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Time.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black&White.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrazyNCS.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
972	MicrosoftEdgeUpdate.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2964	taskkill.exe
3520	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings	Output.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2656314083-4170277356-267438488-1000\{62376729-2EF5-4569-8F87-379CB601FB89}	ChilledWindows.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1772	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3608	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1180	DesktopBoom.exe
3608	vlc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4136	Time.exe
Token: SeDebugPrivilege	4660	Windows-KB2670838.msu.exe
Token: SeDebugPrivilege	4660	Windows-KB2670838.msu.exe
Token: SeShutdownPrivilege	3080	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3080	ChilledWindows.exe
Token: 33	1440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1440	AUDIODG.EXE
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: 33	3608	vlc.exe
Token: SeIncBasePriorityPrivilege	3608	vlc.exe
Token: SeShutdownPrivilege	3080	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3080	ChilledWindows.exe
Token: SeShutdownPrivilege	3080	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3080	ChilledWindows.exe
Token: SeSystemtimePrivilege	4136	Time.exe
Token: SeSystemtimePrivilege	4136	Time.exe
Token: SeSystemtimePrivilege	4136	Time.exe
Token: SeSystemtimePrivilege	4136	Time.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2436	Avoid.exe
4856	WindowsUpdate.exe
4856	WindowsUpdate.exe
4856	WindowsUpdate.exe
3080	ChilledWindows.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4856	WindowsUpdate.exe
4856	WindowsUpdate.exe
4856	WindowsUpdate.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe
3608	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1184	3536	Output.exe	90
PID 3536 wrote to memory of 1184	3536	Output.exe	90
PID 3536 wrote to memory of 1184	3536	Output.exe	90
PID 3536 wrote to memory of 1180	3536	Output.exe	91
PID 3536 wrote to memory of 1180	3536	Output.exe	91
PID 3536 wrote to memory of 2876	3536	Output.exe	92
PID 3536 wrote to memory of 2876	3536	Output.exe	92
PID 3536 wrote to memory of 2876	3536	Output.exe	92
PID 3536 wrote to memory of 2540	3536	Output.exe	94
PID 3536 wrote to memory of 2540	3536	Output.exe	94
PID 3536 wrote to memory of 2540	3536	Output.exe	94
PID 3536 wrote to memory of 4232	3536	Output.exe	95
PID 3536 wrote to memory of 4232	3536	Output.exe	95
PID 3536 wrote to memory of 4232	3536	Output.exe	95
PID 3536 wrote to memory of 4256	3536	Output.exe	96
PID 3536 wrote to memory of 4256	3536	Output.exe	96
PID 3536 wrote to memory of 4256	3536	Output.exe	96
PID 3536 wrote to memory of 3444	3536	Output.exe	97
PID 3536 wrote to memory of 3444	3536	Output.exe	97
PID 3536 wrote to memory of 3444	3536	Output.exe	97
PID 3536 wrote to memory of 2716	3536	Output.exe	98
PID 3536 wrote to memory of 2716	3536	Output.exe	98
PID 3536 wrote to memory of 2716	3536	Output.exe	98
PID 3536 wrote to memory of 4728	3536	Output.exe	99
PID 3536 wrote to memory of 4728	3536	Output.exe	99
PID 3536 wrote to memory of 4728	3536	Output.exe	99
PID 3536 wrote to memory of 2188	3536	Output.exe	100
PID 3536 wrote to memory of 2188	3536	Output.exe	100
PID 3536 wrote to memory of 2188	3536	Output.exe	100
PID 3536 wrote to memory of 2152	3536	Output.exe	101
PID 3536 wrote to memory of 2152	3536	Output.exe	101
PID 3536 wrote to memory of 4392	3536	Output.exe	102
PID 3536 wrote to memory of 4392	3536	Output.exe	102
PID 3536 wrote to memory of 4392	3536	Output.exe	102
PID 3536 wrote to memory of 2928	3536	Output.exe	103
PID 3536 wrote to memory of 2928	3536	Output.exe	103
PID 3536 wrote to memory of 2928	3536	Output.exe	103
PID 3536 wrote to memory of 640	3536	Output.exe	104
PID 3536 wrote to memory of 640	3536	Output.exe	104
PID 3536 wrote to memory of 640	3536	Output.exe	104
PID 3536 wrote to memory of 1772	3536	Output.exe	105
PID 3536 wrote to memory of 1772	3536	Output.exe	105
PID 3536 wrote to memory of 3500	3536	Output.exe	106
PID 3536 wrote to memory of 3500	3536	Output.exe	106
PID 3536 wrote to memory of 2604	3536	Output.exe	108
PID 3536 wrote to memory of 2604	3536	Output.exe	108
PID 3536 wrote to memory of 2604	3536	Output.exe	108
PID 3536 wrote to memory of 1496	3536	Output.exe	109
PID 3536 wrote to memory of 1496	3536	Output.exe	109
PID 3536 wrote to memory of 1496	3536	Output.exe	109
PID 3536 wrote to memory of 3700	3536	Output.exe	110
PID 3536 wrote to memory of 3700	3536	Output.exe	110
PID 3536 wrote to memory of 3700	3536	Output.exe	110
PID 3536 wrote to memory of 4136	3536	Output.exe	111
PID 3536 wrote to memory of 4136	3536	Output.exe	111
PID 3536 wrote to memory of 4136	3536	Output.exe	111
PID 3536 wrote to memory of 4564	3536	Output.exe	112
PID 3536 wrote to memory of 4564	3536	Output.exe	112
PID 3536 wrote to memory of 4768	3536	Output.exe	113
PID 3536 wrote to memory of 4768	3536	Output.exe	113
PID 3536 wrote to memory of 4768	3536	Output.exe	113
PID 3536 wrote to memory of 4660	3536	Output.exe	114
PID 3536 wrote to memory of 4660	3536	Output.exe	114
PID 3536 wrote to memory of 4660	3536	Output.exe	114

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Roaming\DeskScroller.exe
  "C:\Users\Admin\AppData\Roaming\DeskScroller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1184
- C:\Users\Admin\AppData\Roaming\DesktopBoom.exe
  "C:\Users\Admin\AppData\Roaming\DesktopBoom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1180
- C:\Users\Admin\AppData\Roaming\DScroller.exe
  "C:\Users\Admin\AppData\Roaming\DScroller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Users\Admin\AppData\Roaming\Flasher.exe
  "C:\Users\Admin\AppData\Roaming\Flasher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Users\Admin\AppData\Roaming\Flip.exe
  "C:\Users\Admin\AppData\Roaming\Flip.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4232
- C:\Users\Admin\AppData\Roaming\halyava.exe
  "C:\Users\Admin\AppData\Roaming\halyava.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Users\Admin\AppData\Roaming\Hello.exe
  "C:\Users\Admin\AppData\Roaming\Hello.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3444
- C:\Users\Admin\AppData\Roaming\Hydra.exe
  "C:\Users\Admin\AppData\Roaming\Hydra.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Users\Admin\AppData\Roaming\Invert.exe
  "C:\Users\Admin\AppData\Roaming\Invert.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4728
- C:\Users\Admin\AppData\Roaming\Launcher.exe
  "C:\Users\Admin\AppData\Roaming\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Users\Admin\AppData\Roaming\Melting.exe
  "C:\Users\Admin\AppData\Roaming\Melting.exe"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Users\Admin\AppData\Roaming\myWeb.exe
  "C:\Users\Admin\AppData\Roaming\myWeb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4392
- C:\Users\Admin\AppData\Roaming\Patterns.exe
  "C:\Users\Admin\AppData\Roaming\Patterns.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Users\Admin\AppData\Roaming\Popup.exe
  "C:\Users\Admin\AppData\Roaming\Popup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:640
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1772
- C:\Users\Admin\AppData\Roaming\rickroll.exe
  "C:\Users\Admin\AppData\Roaming\rickroll.exe"
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Users\Admin\AppData\Roaming\ScreenScrew.exe
  "C:\Users\Admin\AppData\Roaming\ScreenScrew.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Users\Admin\AppData\Roaming\stretch.exe
  "C:\Users\Admin\AppData\Roaming\stretch.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Users\Admin\AppData\Roaming\stretcher.exe
  "C:\Users\Admin\AppData\Roaming\stretcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3700
- C:\Users\Admin\AppData\Roaming\Time.exe
  "C:\Users\Admin\AppData\Roaming\Time.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Users\Admin\AppData\Roaming\Trololo.exe
  "C:\Users\Admin\AppData\Roaming\Trololo.exe"
  2⤵
  - Executes dropped EXE
  PID:4564
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- C:\Users\Admin\AppData\Roaming\Vista.exe
  "C:\Users\Admin\AppData\Roaming\Vista.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4768
- C:\Users\Admin\AppData\Roaming\Windows-KB2670838.msu.exe
  "C:\Users\Admin\AppData\Roaming\Windows-KB2670838.msu.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4856
- C:\Users\Admin\AppData\Roaming\Avoid.exe
  "C:\Users\Admin\AppData\Roaming\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2436
- C:\Users\Admin\AppData\Roaming\Black&White.exe
  "C:\Users\Admin\AppData\Roaming\Black&White.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Users\Admin\AppData\Roaming\Blank.exe
  "C:\Users\Admin\AppData\Roaming\Blank.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936
- C:\Users\Admin\AppData\Roaming\Bubbler.exe
  "C:\Users\Admin\AppData\Roaming\Bubbler.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Users\Admin\AppData\Roaming\ChilledWindows.exe
  "C:\Users\Admin\AppData\Roaming\ChilledWindows.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3080
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\chilledwindows.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3608
- C:\Users\Admin\AppData\Roaming\CookieClickerHack.exe
  "C:\Users\Admin\AppData\Roaming\CookieClickerHack.exe"
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Users\Admin\AppData\Roaming\CrazyNCS.exe
  "C:\Users\Admin\AppData\Roaming\CrazyNCS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:864
- C:\Users\Admin\AppData\Roaming\Curfun.exe
  "C:\Users\Admin\AppData\Roaming\Curfun.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzlCREQ5NDAtNzdDMy00NDQ2LUE1RjMtMzg1MTY4QTY2RUM0fSIgdXNlcmlkPSJ7MkM5NUNFMEMtMTNGMy00QzI1LThDMTktOTNCMUI3MTE5RkI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjYyMzBGOEYtQUE1Qi00QjY3LUI1ODAtQ0QxMzBERkM2RkU2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjg4MjAzMzIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
002431f5b7eabad7ce1c484e65fc8eea

SHA1
e3f0bd51e5dd2951266fbc547599a74a5bd249c6

SHA256
e5418820ebf420515ebf02fe48aa053cfc2db8c4535434c2072b914074d1d96c

SHA512
a5609c145d593a7d5280f286e3163632551e1427608d6bb487ff5c9db7184c6d519838adbc53bab63e5b3eb5f656b123b9acfc347c57118e4da6cb0a68b75df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Roaming\Avoid.exe

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\AppData\Roaming\Black&White.exe

Filesize
14KB

MD5
00dd057add024c605c0414a985d31c32

SHA1
1d00812873ff86b33120923b705c872e13efd5cc

SHA256
2665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af

SHA512
3eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226

Download Submit
C:\Users\Admin\AppData\Roaming\Blank.exe

Filesize
71KB

MD5
5c70d18d0078e484a9a0a40f8f585bbb

SHA1
b3f886d37be5d04bfa5ac93b5d30c9b5cab72e21

SHA256
81252087cbffce0278cb4fc96ef4e38902d3a2a353fa761fe1a979c7bf959dcf

SHA512
67020862c4409ed267819016c1a76fd08010a5e34274ab17bab76d6fda0d8792deabb509b43580c3ee7c870b770151aa196d812f1cc4040b8ac2bc286fe8c6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Bubbler.exe

Filesize
67KB

MD5
5c8434c362e791e2d40dc47603d2b552

SHA1
3181705211deaa2204b4e936e196411a2f0e7b87

SHA256
65ee141434e58dddb67d135728d5f8dfb38ee28fc4627b4c5ce3a831c3a724ae

SHA512
a4907232d77278cfdbd67ba75dc6fb48f0ce162623126f57efd04ef816fe396f4eb68dca1eaa7876d3a683472f473e229e689b3f75b9fd80a2ceb369dc227110

Download Submit
C:\Users\Admin\AppData\Roaming\ChilledWindows.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Roaming\CookieClickerHack.exe

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\AppData\Roaming\CrazyNCS.exe

Filesize
122KB

MD5
d043ba91e42e0d9a68c9866f002e8a21

SHA1
e9f177e1c57db0a15d1dc6b3e6c866d38d85b17c

SHA256
6820c71df417e434c5ad26438c901c780fc5a80b28a466821b47d20b8424ef08

SHA512
3e9783646e652e9482b3e7648fb0a5f7c8b6c386bbc373d5670d750f6f99f6137b5501e21332411609cbcc0c20f829ab8705c2835e2756455f6754c9975ac6bd

Download Submit
C:\Users\Admin\AppData\Roaming\Curfun.exe

Filesize
138KB

MD5
0b3b2dff5503cb032acd11d232a3af55

SHA1
6efc31c1d67f70cf77c319199ac39f70d5a7fa95

SHA256
ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b

SHA512
484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

Download Submit
C:\Users\Admin\AppData\Roaming\DScroller.exe

Filesize
11KB

MD5
c6aac231bd73d7cd9fe9474265fb2a0a

SHA1
693742b31b1f33761062744a9d317c6cb30e7e17

SHA256
3558cbfb4478d2f47b600c52bd5018443b86221639602f33ea0385ef3eef6ec5

SHA512
a32daa9b7e98b45aba2fc1c9620fca7cda218fb30fce5fa48231c4de92adeb15c8a856179a21f14b5a7acdf7294748f464c2448f3d38ddf71e9e714d913f1988

Download Submit
C:\Users\Admin\AppData\Roaming\DeskScroller.exe

Filesize
8KB

MD5
d704b61a5521a22261ee9025259374fb

SHA1
a55a7211c0b2ef2d04824b897ee8ba4d20af6874

SHA256
8d4383f98fb673652fda948463e2cd0957ce3c6a1f7912d38245b14cc0e7c4dc

SHA512
105f600c76d591909c315ccdb56917badc8b03f81dfe46530db4c4fc03459bfd2b527cc1f81e9d63cbd5c7f7e2447ecfbfb541bb2dca9efd6fca5ade9a0eaa58

Download Submit
C:\Users\Admin\AppData\Roaming\DesktopBoom.exe

Filesize
1.1MB

MD5
f0a661d33aac3a3ce0c38c89bec52f89

SHA1
709d6465793675208f22f779f9e070ed31d81e61

SHA256
c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a

SHA512
57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443

Download Submit
C:\Users\Admin\AppData\Roaming\Flasher.exe

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\AppData\Roaming\Flip.exe

Filesize
10KB

MD5
fc3fcc73569dc5917637de3c0271d9a5

SHA1
9efe1d66d9a4df5868ef12ad70b179517bab0f56

SHA256
008b1fbf3dc9b576733d066d69cb0038c8f58699b10f2f2a589e685c2f63fbe3

SHA512
92b6dbe06489f9e69ecd0fdba3c29b83ac2a85c12aebf04e493fc30bd72e78c363b9cd8ffd8c4d9643de79581c3e4ab6fc72eae1602b2fc97443e0f982155bf0

Download Submit
C:\Users\Admin\AppData\Roaming\Hello.exe

Filesize
10KB

MD5
9bbf8c162b7d054161ed1f4db8d478b0

SHA1
157bffed52c8c7abfeeef731bea33086e713ec74

SHA256
2aabaa220e383a19c27bfad1262e972ec443e3bf56ea116a7600fe7f72661a02

SHA512
bf62209c8e1cb93a60f944f0342d2c0b8ff31abddc1b31c80130b6c175e060581f51a1252bdd95e481016aac16778bfe208e67fd0ba5e6e9297622c878416912

Download Submit
C:\Users\Admin\AppData\Roaming\Hydra.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\AppData\Roaming\Invert.exe

Filesize
13KB

MD5
0cdadd11f9888e0beed3b914fdd1308a

SHA1
5fdb5aab369e8873a9ddf9858fb40427479b198f

SHA256
3ec6564b1fab7c90167e287e01ae26e800d049098332b42e67fa00a416b6cc93

SHA512
493d94db6c8075d85fb0069e314f47b9939431d7e18f9c5ec332efa91397e5a09c653bce22c5f7b4cc73f5e180b0c8b505b550e882ad39866f6799526701638a

Download Submit
C:\Users\Admin\AppData\Roaming\Launcher.exe

Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
C:\Users\Admin\AppData\Roaming\Melting.exe

Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\AppData\Roaming\Patterns.exe

Filesize
11KB

MD5
b03dfd6a6d029948924b5486a5bd1931

SHA1
bf04f4cf5d98fbfc6f6d9a8cb12c3d60823f3f11

SHA256
33644f58e9eb469a733dba31db9af9fde1ba5298fc18389c0a78879a4406fc4f

SHA512
1903a9c0e106ceeb340d4a66460b4af8fee40b7c12872b5ca91bf470d56edc1b91e7c57b1f6388efe50c70d379b12858eaaf08269f6e2d658ad8102a2f89d6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Popup.exe

Filesize
373KB

MD5
9c3e9e30d51489a891513e8a14d931e4

SHA1
4e5a5898389eef8f464dee04a74f3b5c217b7176

SHA256
f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

SHA512
bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

Download Submit
C:\Users\Admin\AppData\Roaming\ScreenScrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Roaming\Time.exe

Filesize
111KB

MD5
9d0d2fcb45b1ff9555711b47e0cd65e5

SHA1
958f29a99cbb135c92c5d1cdffb9462be35ee9fd

SHA256
dc476ae39effdd80399b6e36f1fde92c216a5bbdb6b8b2a7ecbe753e91e4c993

SHA512
8fd4ce4674cd52a3c925149945a7a50a139302be17f6ee3f30271ebe1aa6d92bcb15a017dca989cd837a5d23cd56eaacc6344dc7730234a4629186976c857ca9

Download Submit
C:\Users\Admin\AppData\Roaming\Trololo.exe

Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
C:\Users\Admin\AppData\Roaming\Vista.exe

Filesize
1.9MB

MD5
faa6cb3e816adaeaabf2930457c79c33

SHA1
6539de41b48d271bf4237e6eb09b0ee40f9a2140

SHA256
6680317e6eaa04315b47aaadd986262cd485c8a4bd843902f4c779c858a3e31b

SHA512
58859556771203d736ee991b651a6a409de7e3059c2afe81d4545864295c383f75cfbabf3cffaa0c412a6ec27bf939f0893c28152f53512c7885e597db8d2c66

Download Submit
C:\Users\Admin\AppData\Roaming\Windows-KB2670838.msu.exe

Filesize
728KB

MD5
6e49c75f701aa059fa6ed5859650b910

SHA1
ccb7898c509c3a1de96d2010d638f6a719f6f400

SHA256
f91f02fd27ada64f36f6df59a611fef106ff7734833dea825d0612e73bdfb621

SHA512
ccd1b581a29de52d2313a97eb3c3b32b223dba1e7a49c83f7774b374bc2d16b13fba9566de6762883f3b64ed8e80327b454e5d32392af2a032c22653fed0fff8

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Users\Admin\AppData\Roaming\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\AppData\Roaming\halyava.exe

Filesize
8KB

MD5
9f32f1fb5155d01ce47a6b0e679ff2fe

SHA1
ad131beb815ca355a09cb2e4572d2d85f1d1259c

SHA256
c9bcd8aa2ba6364e441f609494a57a729b53e0360b7a8317e2baed76770e6d3c

SHA512
34ac158c558a967b8bd2ac99d8c236174f2aabd62604c8890c6236ab89e7d9345753483ad91285a02a29d4a7e1c297e0bd20767605243ed1cc03a976a226ad83

Download Submit
C:\Users\Admin\AppData\Roaming\myWeb.exe

Filesize
15KB

MD5
68cabf111614c64cc454a6a5fe9ee4ff

SHA1
74a036f32c37025699280fb474b6f7815a9d118c

SHA256
81162716b98c2af6e76c0acc1188c03db1e8f9485ebdff38a6364bff4aa59406

SHA512
cc01c441172de1bc9a414b2660d8a5330adf12fcdf2721caebadf45937864577a48fba9dd202f154f91a7a028dd8679896ecc22b9bddea9839d7af918835dad7

Download Submit
C:\Users\Admin\AppData\Roaming\readme.txt

Filesize
819B

MD5
98c32890244ae9bce586cd45c41372a1

SHA1
09455ab292743be38487f9ce1e1f1dceb50d86be

SHA256
eaa59e61ff4049f95acfb07b49063740be923153bf570cb329ffcfe88f119375

SHA512
7adecdd5843a014c5513803f60eb2563c539d2bb70dd9bfd327a795cfe9295e822d26c5d12dc289c0ae7487cdb008a7e3c5efeb9b4b2a1fbdbbfa5225a3f59e6

Download Submit
C:\Users\Admin\AppData\Roaming\rickroll.exe

Filesize
129KB

MD5
0ec108e32c12ca7648254cf9718ad8d5

SHA1
78e07f54eeb6af5191c744ebb8da83dad895eca1

SHA256
48b08ea78124ca010784d9f0faae751fc4a0c72c0e7149ded81fc03819f5d723

SHA512
1129e685f5dd0cb2fa22ef4fe5da3f1e2632e890333ce17d3d06d04a4097b4d9f4ca7d242611ffc9e26079900945cf04ab6565a1c322e88e161f1929d18a2072

Download Submit
C:\Users\Admin\AppData\Roaming\stretch.exe

Filesize
10KB

MD5
709fe771c0771fd218966de90d2b8083

SHA1
d57956ba2116a02c8e7a8d5d1118b62195f9e239

SHA256
137773df88edfdfbba296b1354666c3b57a810dd229dea1c3566f5d3390858a2

SHA512
fb9566efeb5edd81b49a6e175c8516381fafae487b88b8510598de038d767c27bd493cc889041857683db12b7a860c226990221f12b3467968329742441a36ea

Download Submit
C:\Users\Admin\AppData\Roaming\stretcher.exe

Filesize
11KB

MD5
8362e99800b0893acde429974e3bec18

SHA1
171fcd759a711ccfae5c17bc28733d96b3c4c501

SHA256
0fa2eed94a65179a43b1435b0a9f450632b35f03eb46562edd95433bcf27afac

SHA512
cd4de6bfb80bf7c9666e2119a8ec9630b4f150f3a492be6c6d9ef37bc93e05deaf99733eeba7ea78024de905dfb9cc666752db1cfe3a8f0dafd26e7e92a4f9a9

Download Submit
memory/640-393-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/864-419-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1184-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2188-392-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2436-399-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2540-391-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2604-395-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2716-180-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/2716-139-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2716-157-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/2716-152-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/3080-320-0x00000000003A0000-0x0000000000804000-memory.dmp

Filesize
4.4MB

Download
memory/3080-372-0x000000001EDA0000-0x000000001EDD8000-memory.dmp

Filesize
224KB

Download
memory/3080-373-0x000000001ED70000-0x000000001ED7E000-memory.dmp

Filesize
56KB

Download
memory/3080-370-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/3444-87-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3500-394-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3536-0-0x00007FF87DE03000-0x00007FF87DE05000-memory.dmp

Filesize
8KB

Download
memory/3536-1-0x0000000000C60000-0x0000000001DCC000-memory.dmp

Filesize
17.4MB

Download
memory/3608-408-0x00007FF88E000000-0x00007FF88E011000-memory.dmp

Filesize
68KB

Download
memory/3608-416-0x00007FF87ADC0000-0x00007FF87ADD1000-memory.dmp

Filesize
68KB

Download
memory/3608-439-0x00007FF86F060000-0x00007FF870110000-memory.dmp

Filesize
16.7MB

Download
memory/3608-431-0x00007FF876780000-0x00007FF876A36000-memory.dmp

Filesize
2.7MB

Download
memory/3608-401-0x00007FF666E90000-0x00007FF666F88000-memory.dmp

Filesize
992KB

Download
memory/3608-404-0x00007FF893A20000-0x00007FF893A38000-memory.dmp

Filesize
96KB

Download
memory/3608-414-0x00007FF88D150000-0x00007FF88D171000-memory.dmp

Filesize
132KB

Download
memory/3608-403-0x00007FF876780000-0x00007FF876A36000-memory.dmp

Filesize
2.7MB

Download
memory/3608-405-0x00007FF891650000-0x00007FF891667000-memory.dmp

Filesize
92KB

Download
memory/3608-406-0x00007FF88EA60000-0x00007FF88EA71000-memory.dmp

Filesize
68KB

Download
memory/3608-402-0x00007FF891570000-0x00007FF8915A4000-memory.dmp

Filesize
208KB

Download
memory/3608-410-0x00007FF88D520000-0x00007FF88D531000-memory.dmp

Filesize
68KB

Download
memory/3608-409-0x00007FF88D9E0000-0x00007FF88D9FD000-memory.dmp

Filesize
116KB

Download
memory/3608-413-0x00007FF87ADE0000-0x00007FF87AE21000-memory.dmp

Filesize
260KB

Download
memory/3608-407-0x00007FF88E8C0000-0x00007FF88E8D7000-memory.dmp

Filesize
92KB

Download
memory/3608-418-0x00007FF87AD80000-0x00007FF87AD91000-memory.dmp

Filesize
68KB

Download
memory/3608-412-0x00007FF86EE50000-0x00007FF86F05B000-memory.dmp

Filesize
2.0MB

Download
memory/3608-417-0x00007FF87ADA0000-0x00007FF87ADB1000-memory.dmp

Filesize
68KB

Download
memory/3608-411-0x00007FF86F060000-0x00007FF870110000-memory.dmp

Filesize
16.7MB

Download
memory/3608-415-0x00007FF88D060000-0x00007FF88D078000-memory.dmp

Filesize
96KB

Download
memory/4136-396-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4564-318-0x0000000001AE0000-0x0000000001AE8000-memory.dmp

Filesize
32KB

Download
memory/4564-319-0x000000001CD90000-0x000000001CDDC000-memory.dmp

Filesize
304KB

Download
memory/4564-302-0x000000001C0F0000-0x000000001C196000-memory.dmp

Filesize
664KB

Download
memory/4564-304-0x000000001C670000-0x000000001CB3E000-memory.dmp

Filesize
4.8MB

Download
memory/4564-316-0x000000001CC30000-0x000000001CCCC000-memory.dmp

Filesize
624KB

Download
memory/4660-274-0x0000000000960000-0x0000000000A1C000-memory.dmp

Filesize
752KB

Download
memory/4768-397-0x0000000000400000-0x0000000000ABC000-memory.dmp

Filesize
6.7MB

Download
memory/4856-273-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4856-400-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4936-300-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads