File name: HawkTuah.exe
Full analysis: https://app.any.run/tasks/bf109f5c-b231-4772-a437-6fb2792e0349
Verdict: Malicious activity
Analysis date: March 25, 2025, 00:15:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
jeefo
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: A90F95FB8C9452A830AD00907B32A4FA
SHA1: 733F2ABE52BF11AC8C67BD46884696FEC2E108F9
SHA256: C17EA114B183F3B03F174005581738E012078374118C289FF754FBB3E55CB3BE
SSDEEP: 98304:5cBPGrlVqmhLirnac+wyKhHpgFs/DrVCKCaBIzxcg7KIA8pnN+cBIKJACH09Br+N:v+ZW/WnAz9dJGVXNEJG7fVRIpye

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • HawkTuah.exe (PID: 7988)
      • icsys.icn.exe (PID: 4180)
      • explorer.exe (PID: 6476)
      • svchost.exe (PID: 4040)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 6476)
      • svchost.exe (PID: 4040)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HawkTuah.exe (PID: 7988)
      • spoolsv.exe (PID: 7312)
      • explorer.exe (PID: 6476)
      • icsys.icn.exe (PID: 4180)
    • Starts application with an unusual extension (the copy dropped to the Desktop is named "hawktuah.exe " with a trailing space, so its extension is not a plain ".exe"; see the dropped files list)

      • HawkTuah.exe (PID: 7988)
    • Starts CMD.EXE for commands execution

      • hawktuah.exe  (PID: 8016)
      • cmd.exe (PID: 7388)
    • Application launched itself

      • cmd.exe (PID: 7388)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4756)
    • Executes application which crashes

      • hawktuah.exe  (PID: 8016)
    • Starts itself from another location

      • HawkTuah.exe (PID: 7988)
      • explorer.exe (PID: 6476)
      • spoolsv.exe (PID: 7312)
      • svchost.exe (PID: 4040)
      • icsys.icn.exe (PID: 4180)
    • The process creates files with name similar to system file names

      • spoolsv.exe (PID: 7312)
      • icsys.icn.exe (PID: 4180)
    • Creates or modifies Windows services

      • svchost.exe (PID: 4040)
  • INFO

    • Create files in a temporary directory

      • HawkTuah.exe (PID: 7988)
      • explorer.exe (PID: 6476)
      • spoolsv.exe (PID: 7312)
      • svchost.exe (PID: 4040)
      • spoolsv.exe (PID: 5772)
      • icsys.icn.exe (PID: 4180)
    • Checks supported languages

      • HawkTuah.exe (PID: 7988)
      • hawktuah.exe  (PID: 8016)
      • icsys.icn.exe (PID: 4180)
      • explorer.exe (PID: 6476)
      • spoolsv.exe (PID: 7312)
      • svchost.exe (PID: 4040)
      • spoolsv.exe (PID: 5772)
    • The sample compiled with english language support

      • HawkTuah.exe (PID: 7988)
    • Reads the computer name

      • hawktuah.exe  (PID: 8016)
      • svchost.exe (PID: 4040)
      • HawkTuah.exe (PID: 7988)
    • Reads the software policy settings

      • slui.exe (PID: 7012)
    • Checks proxy server information

      • slui.exe (PID: 7012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
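The EXIF block above is read straight out of the PE headers: the COFF header supplies MachineType, TimeStamp and ImageFileCharacteristics, the optional header supplies PEType, LinkerVersion, the size fields, EntryPoint, the version pairs and Subsystem. LinkerVersion 6 together with msvbvm60.dll in the module list of every Jeefo-tagged process is the signature of a Visual Basic 6 binary. The following Python is an added example, not part of the ANY.RUN report: parse_pe_headers() decodes those fields from the leading bytes of any PE file, and, because the sample itself is not on this page, build_constructed_header() fabricates a header that carries the report's values (fields the report does not list, such as ImageBase, alignments and SizeOfImage, hold placeholder values) so the output can be checked against the block above.

```python
"""Decode the PE header fields that the EXIF block of this report shows.

Added example, not part of the report. parse_pe_headers() works on the
leading bytes of any PE file; because the sample is not on this page,
build_constructed_header() fabricates a header that carries the report's
values so the output can be checked against the block above."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, in the order the report prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0100, "32-bit"),
]
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows console"}


def parse_pe_headers(data: bytes) -> dict:
    """Return EXIF-style fields from the DOS, COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if len(data) < opt + 70:
        raise ValueError("truncated header")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # Optional header, first 20 bytes: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    magic, lnk_major, lnk_minor, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    # From offset 40 on, PE32 and PE32+ share the layout: OS, image and subsystem versions...
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # ...and Subsystem at offset 68
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsect,
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": hex(entry),
        "OSVersion": f"{os_maj}.{os_min}",
        "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{ss_maj}.{ss_min}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_constructed_header() -> bytes:
    """Constructed header carrying the report's values; this is NOT the sample.
    Fields the report does not list (BaseOfCode, BaseOfData, ImageBase, alignments,
    SizeOfImage, SizeOfHeaders, CheckSum) hold placeholder values."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                    # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 1364800102, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 106496, 12288, 0, 0x290C)
    opt += struct.pack("<IIIII", 0x1000, 0x1B000, 0x400000, 0x1000, 0x200)  # placeholders
    opt += struct.pack("<HHHHHH", 4, 0, 1, 0, 4, 0)                         # OS 4.0, image 1.0, subsystem 4.0
    opt += struct.pack("<IIII", 0, 0x1E000, 0x400, 0)                        # placeholders
    opt += struct.pack("<HH", 2, 0)                                          # Subsystem 2 = Windows GUI
    return dos + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    for k, v in parse_pe_headers(build_constructed_header()).items():
        print(f"{k}: {v}")
```

Running it against a real file is `parse_pe_headers(open(path, "rb").read(4096))`; the timestamp is the linker's claim, not evidence of when the file was built, and a 2013 stamp on a sample first seen in 2025 is exactly the kind of value to treat with suspicion.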
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 17
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Nodes of the process graph, in the order the report lists them ("#JEEFO" marks a node the sandbox tagged with the Jeefo detection; "no specs" is the sandbox's label for a node with no indicators of its own):

  • hawktuah.exe (#JEEFO)
  • hawktuah.exe  (the copy whose name carries a trailing space; PID 8016)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • timeout.exe (no specs)
  • werfault.exe (no specs)
  • svchost.exe
  • icsys.icn.exe (#JEEFO)
  • explorer.exe (#JEEFO)
  • spoolsv.exe
  • svchost.exe (#JEEFO)
  • spoolsv.exe (no specs)
  • slui.exe
  • hawktuah.exe (no specs)

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4040
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
Parent process: spoolsv.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 4180
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: HawkTuah.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 4756
CMD: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 5304
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 8016 -s 932
Path: C:\Windows\System32\WerFault.exe
Parent process: hawktuah.exe  (PID 8016, the crashing process)
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 2147942405 (0x80070005, E_ACCESSDENIED)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 5772
CMD: c:\windows\resources\spoolsv.exe PR
Path: C:\Windows\Resources\spoolsv.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6476
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6964
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7012
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 388
Read events: 4 369
Write events: 15
Delete events: 4

Modification events

Two things to read out of these rows. The HKCU "VB and VBA Program Settings" key is where the Visual Basic 6 runtime's SaveSetting call stores a program's settings, consistent with msvbvm60.dll being loaded in every Jeefo-tagged process. The WOW6432Node path is the registry redirector's view: the 32-bit sample writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce, the redirector stores them under WOW6432Node, and a hunt for this persistence must therefore cover both views. Each dropped component deletes the Explorer and Svchost values under Run and rewrites the same names under RunOnce, pointing at the two copies in C:\Windows\Resources with an "RO" argument.

PID 7988 (HawkTuah.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
  Operation: write; Name: LO; Value: 1

PID 4180 (icsys.icn.exe)
  Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
  Operation: write; Name: LO; Value: 1

PID 4040 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write; Name: Explorer; Value: c:\windows\resources\themes\explorer.exe RO

PID 4040 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write; Name: Svchost; Value: c:\windows\resources\svchost.exe RO

PID 4040 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value; Name: Explorer

PID 4040 (svchost.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value; Name: Svchost

PID 6476 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write; Name: Explorer; Value: c:\windows\resources\themes\explorer.exe RO

PID 6476 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Operation: write; Name: Svchost; Value: c:\windows\resources\svchost.exe RO

PID 6476 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value; Name: Explorer

PID 6476 (explorer.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Operation: delete value; Name: Svchost
Executable files: 5
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID 4180 (icsys.icn.exe) wrote C:\Windows\Resources\Themes\explorer.exe (executable)
  MD5: 4E719298848C9776185A59D311C27EC6
  SHA256: 79A844FE3E1D09EB017CD1C194EE91D4C9CC26E20AC5B2134D5F5BBFCF020FE3

PID 7312 (spoolsv.exe) wrote C:\Windows\Resources\svchost.exe (executable)
  MD5: C4440993CA81057CCCC16B67F4CBE316
  SHA256: F2C07F0FB4227C0E937FE07EE30105E7CBB58466B0EF4F9B692487D0AC6E79A7

PID 7988 (HawkTuah.exe) wrote "C:\Users\admin\Desktop\hawktuah.exe " (executable; note the trailing space in the file name)
  MD5: BDCC8462FEE79FF2F4C57A3EE9C6C962
  SHA256: F71C2795AA99D923FA970B2DEC7C11B1E7A7787130179CD7F4C9EA0C905F6E4A

PID 7988 (HawkTuah.exe) wrote C:\Windows\Resources\Themes\icsys.icn.exe (executable)
  MD5: B4AF7F5E9AD36AA61F1166A20037E2B7
  SHA256: 68ADFD92C8972A2DF57EA51812C1E8D4E42CFAD860C4DBBC2F1E1F6D72688996

PID 7312 (spoolsv.exe) wrote C:\Users\admin\AppData\Local\Temp\~DF8E383C6B6B955DDA.TMP (binary)
  MD5: 6A41BF22E9E10C1930FC910C9DF00A31
  SHA256: AA014607B1B12BD2218A098D3712C2EBD3D55A8B6C97BC032DD67532EC3ED4C2

PID 5772 (spoolsv.exe) wrote C:\Users\admin\AppData\Local\Temp\~DF61574B37A59E07E6.TMP (binary)
  MD5: E11D579C042E5D0A2A0B6BDE6FD863F1
  SHA256: 04192E50C124335279AF2B938FB95E9B40514B7202A10D156E8EC5F9ABBF4CC4

PID 4180 (icsys.icn.exe) wrote C:\Users\admin\AppData\Local\Temp\~DF5489C17A21503B76.TMP (binary)
  MD5: 7692356A16D50EC7D8F6E586C0E487CF
  SHA256: 146E326B5CA54600E81C97B21938A8F6E51EBC0326871AF4E976BD0C260DED6D

PID 7988 (HawkTuah.exe) wrote C:\Users\admin\AppData\Local\Temp\~DF0F725530613FDF95.TMP (binary)
  MD5: 4316AEED0F45FDF7C513EDF14A8E4189
  SHA256: 2746C7DC32F55F864836159EC6880056D6E1A69DFBB328EFAE3A7C671B1D724A

PID 6476 (explorer.exe) wrote C:\Windows\Resources\spoolsv.exe (executable)
  MD5: C8D065A658EC61F515B2C2A7CC374AA5
  SHA256: ACC436CFC9C4027FCC20DB89DB7BE508A39E3BB6F1E6899AF04C350911B1DDDE
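The modification events and the dropped files above show one pattern worth turning into a host-side rule: copies named after Windows system processes (svchost.exe, spoolsv.exe, explorer.exe) living under C:\Windows\Resources, each started by another dropped component rather than by services.exe or winlogon, and registered for autorun under the redirected RunOnce key. The following Python is an added example, not part of the ANY.RUN report or of the sample. It runs three checks over constructed process and registry records modelled on the report's rows: a system-binary name outside its canonical directory, a system-process name with an unexpected parent, and a Run/RunOnce value whose target is such a binary. The canonical-directory and expected-parent tables are this example's own assumptions, not something the report states, and they should be tuned to the environment (explorer.exe, for instance, is also legitimately started by other explorer.exe instances).

```python
"""Triage rules for the pattern in this report: Windows system-binary names
(svchost.exe, spoolsv.exe, explorer.exe) running from C:\\Windows\\Resources,
spawned by the wrong parent, and registered for autorun under RunOnce.

Added example, not part of the ANY.RUN report or of the sample. The event
records at the bottom are constructed from the report's rows; the canonical
directory and expected-parent tables are this example's own assumptions."""
from dataclasses import dataclass
from typing import List
import ntpath

# Assumption: where genuine copies of these binaries live on 64-bit Windows 10.
CANONICAL_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Assumption: parents a genuine instance is normally created by.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}
AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class ProcessEvent:
    pid: int
    image: str      # full path of the executable
    parent: str     # image name of the parent process


@dataclass
class RegistryEvent:
    pid: int
    process: str
    key: str
    name: str
    value: str


def is_masquerading(image: str) -> bool:
    """True when the file name is a known system-process name but the
    directory is not one where that binary legitimately lives."""
    directory, name = ntpath.split(image.lower())
    allowed = CANONICAL_DIRS.get(name)
    return allowed is not None and directory not in allowed


def check_process(ev: ProcessEvent) -> List[str]:
    """Masquerading path and unexpected parent, each reported separately."""
    findings = []
    if is_masquerading(ev.image):
        findings.append(f"pid {ev.pid}: {ev.image} carries a system binary name outside its canonical directory")
    name = ntpath.basename(ev.image.lower())
    expected = EXPECTED_PARENTS.get(name)
    if expected and ev.parent.lower() not in expected:
        findings.append(f"pid {ev.pid}: {name} spawned by {ev.parent}, expected one of {sorted(expected)}")
    return findings


def check_registry(ev: RegistryEvent) -> List[str]:
    """Flag Run/RunOnce values (either registry view) whose target masquerades.
    Value data in the report is '<path> <argument>' and the paths contain no spaces."""
    if not ev.key.lower().endswith(AUTORUN_KEY_SUFFIXES):
        return []
    target = ev.value.split(" ", 1)[0]
    if target and is_masquerading(target):
        return [f"pid {ev.pid} ({ev.process}): autorun value '{ev.name}' under {ev.key} -> {target}"]
    return []


def triage(processes: List[ProcessEvent], registry: List[RegistryEvent]) -> List[str]:
    findings: List[str] = []
    for p in processes:
        findings.extend(check_process(p))
    for r in registry:
        findings.extend(check_registry(r))
    return findings


# Constructed from the report's process and modification-event rows.
RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
PROCESSES = [
    ProcessEvent(2196, r"C:\Windows\System32\svchost.exe", "services.exe"),   # the genuine Dnscache host
    ProcessEvent(4040, r"C:\Windows\Resources\svchost.exe", "spoolsv.exe"),
    ProcessEvent(6476, r"C:\Windows\Resources\Themes\explorer.exe", "icsys.icn.exe"),
    ProcessEvent(5772, r"C:\Windows\Resources\spoolsv.exe", "svchost.exe"),
]
REGISTRY = [
    RegistryEvent(4040, "svchost.exe", RUNONCE, "Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    RegistryEvent(4040, "svchost.exe", RUNONCE, "Svchost", r"c:\windows\resources\svchost.exe RO"),
    RegistryEvent(7988, "HawkTuah.exe", r"HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process", "LO", "1"),
]

if __name__ == "__main__":
    for line in triage(PROCESSES, REGISTRY):
        print(line)
```

On the constructed records the genuine svchost.exe (PID 2196) produces nothing, each of the three dropped copies produces two findings, and both RunOnce writes are flagged while the VB settings write is not. Fed from Sysmon event ID 1 (process image and parent) and event ID 13 (registry value set), the same three functions serve as a live detection; the directory and parent tables are the part that needs local tuning.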
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 6
Threats: 2

HTTP requests

Two identical requests; the report lists no PID or process for either, but the connections table attributes the same endpoint to slui.exe (Windows activation traffic, whitelisted):

  • Method: POST; HTTP code: 500; IP: 40.91.76.224:443; URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail; CN: unknown; Type: xml; Size: 512 b; Reputation: whitelisted
  • Method: POST; HTTP code: 500; IP: 40.91.76.224:443; URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail; CN: unknown; Type: xml; Size: 512 b; Reputation: whitelisted

Connections

  • PID not listed; IP: 51.104.136.2:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; Reputation: unknown
  • PID 4 (System); IP: 192.168.100.255:137 (NetBIOS name service broadcast); Reputation: unknown
  • PID 4 (System); IP: 192.168.100.255:138 (NetBIOS datagram service broadcast); Reputation: unknown
  • PID not listed; IP: 51.124.78.146:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: unknown
  • PID 8016 (hawktuah.exe , the copy dropped to the Desktop); IP: 104.26.1.5:443; Domain: keyauth.win; ASN: CLOUDFLARENET; CN: US; Reputation: unknown
  • PID 7560 (slui.exe); IP: 40.91.76.224:443; Domain: activation-v2.sls.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: US; Reputation: unknown
  • PID 7012 (slui.exe); IP: 40.91.76.224:443; Domain: activation-v2.sls.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: US; Reputation: unknown

DNS requests

  • settings-win.data.microsoft.com: 51.104.136.2, 51.124.78.146 (reputation: unknown)
  • google.com: 142.250.185.142 (reputation: unknown)
  • keyauth.win: 104.26.1.5, 172.67.72.57, 104.26.0.5 (reputation: unknown)
  • activation-v2.sls.microsoft.com: 40.91.76.224 (reputation: unknown)

Threats

  • PID 2196 (svchost.exe, the Dnscache service host that resolves names on behalf of other processes); Class: Potentially Bad Traffic; Message: ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
  • PID 8016 (hawktuah.exe , the copy dropped to the Desktop and later the process WerFault reported as crashed); Class: Potentially Bad Traffic; Message: ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
No debug info