Malware Analysis Report

2024-09-22 11:18

Sample ID 231229-26jmdacecp
Target 06914834645d9ab3058300de4c756954
SHA256 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
Tags
hawkeye keylogger spyware stealer trojan persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67

Threat Level: Known bad

The file 06914834645d9ab3058300de4c756954 was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger spyware stealer trojan persistence

HawkEye

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-29 23:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 23:11

Reported

2023-12-30 06:42

Platform

win7-20231215-en

Max time kernel

1s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2168 set thread context of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2140 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2140 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2140 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 2168 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"

C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

"C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freefoodnetwork.servegame.com udp

Files

memory/2140-0-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2140-2-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2140-1-0x00000000742F0000-0x000000007489B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 06914834645d9ab3058300de4c756954
SHA1 437546390ab6be7ab887e82148ba8b923bedd844
SHA256 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512 08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

memory/2168-16-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2168-17-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2140-15-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2168-14-0x0000000000120000-0x0000000000160000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2668-33-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-32-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-39-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2548-46-0x0000000000C50000-0x0000000000C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

MD5 0aa7e4dd12b1fc4d899bb86b0fd56233
SHA1 3bbd901ecc48959847deb145da3f3af6dc194afd
SHA256 d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9
SHA512 2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

memory/2608-54-0x0000000000940000-0x0000000000980000-memory.dmp

memory/2608-59-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2608-57-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2548-52-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2548-47-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2668-44-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2668-37-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-35-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-31-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2668-28-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-27-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-26-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-25-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-24-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2668-23-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 673c630c339470fb63850411fc5af025
SHA1 938da03d56e1c206abc0fb7d729855a0a877a103
SHA256 64b7ba818f2ac7e79037f57649b441d293bde5e213eae6289e1d16b753ecae70
SHA512 8f51561e75a5acc3bff8a8006fc0934b55884255b4ffd6a43b028f4d1379f74694464a614da94195b3a240abf1756a83cdb399efcef209b75ee37789743a0713

memory/2168-73-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2168-72-0x0000000000120000-0x0000000000160000-memory.dmp

memory/2548-74-0x0000000000C50000-0x0000000000C90000-memory.dmp

memory/2548-75-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2608-77-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/2608-76-0x0000000000940000-0x0000000000980000-memory.dmp

memory/2608-78-0x00000000742F0000-0x000000007489B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 23:11

Reported

2023-12-30 06:45

Platform

win10v2004-20231215-en

Max time kernel

208s

Max time network

214s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe" C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 784 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 784 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4440 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 4440 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 4440 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe
PID 1128 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 1128 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 1128 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
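The WriteProcessMemory and Run-key rows above already describe the whole execution chain: the unsigned sample in %TEMP% writes into a copy of itself dropped as explorer.exe under Templates, that copy writes into the signed .NET host AppLaunch.exe and into lsn.exe, lsn.exe writes into spolsv.exe, spolsv.exe writes into a second AppLaunch.exe, and lsn.exe registers itself under HKCU\...\CurrentVersion\Run. The Python script below is an added example and not part of the sandbox output: it parses the behavioral2 rows quoted from this report (duplicate WriteProcessMemory rows collapsed to one edge each), rebuilds the PID chain, flags writes from images in user-writable directories into processes whose image lives under C:\Windows (the shape of process hollowing), and flags a Run value that points into %TEMP% or AppData. The user-writable path markers and the C:\Windows prefix are the example's own heuristics, not anything the sandbox defines.

```python
"""Rebuild the injection chain and persistence from sandbox signature rows."""
import re
from collections import defaultdict

# Rows copied from the behavioral2 tables of this report. Repeated
# WriteProcessMemory rows for the same PID pair are collapsed to one edge.
WRITE_ROWS = [
    r"PID 784 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe",
    r"PID 4440 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe",
    r"PID 4440 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe C:\Users\Admin\AppData\Local\Temp\System\lsn.exe",
    r"PID 1128 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\System\lsn.exe C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe",
    r"PID 4076 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe",
]
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System'
    r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe"'
    r' C:\Users\Admin\AppData\Local\Temp\System\lsn.exe N/A'
)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
RUN_RE = re.compile(r'\\Run\\(.+?) = "(.+?)"')

# Heuristic (example's own choice): directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
OS_PREFIX = "c:\\windows\\"


def parse_writes(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; malformed rows are skipped."""
    edges = []
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def injection_chains(rows):
    """Follow WriteProcessMemory edges from root PIDs to leaves; each chain is a PID list."""
    edges = parse_writes(rows)
    children = defaultdict(list)
    for src, dst, _, _ in edges:
        if dst not in children[src]:
            children[src].append(dst)
    written_to = {dst for _, dst, _, _ in edges}
    roots = [src for src in children if src not in written_to]
    chains = []

    def walk(pid, path):
        if pid not in children:        # leaf: nobody was written to by this PID
            chains.append(path)
            return
        for nxt in children[pid]:
            walk(nxt, path + [nxt])

    for root in roots:
        walk(root, [root])
    return chains


def is_user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE)


def hollowing_candidates(rows):
    """Writes from a user-writable image into a process whose image is under C:\\Windows."""
    return [
        (src_image, dst_image)
        for _, _, src_image, dst_image in parse_writes(rows)
        if is_user_writable(src_image) and dst_image.lower().startswith(OS_PREFIX)
    ]


def parse_run_key(row):
    """Return (value_name, target_path) from an 'Adds Run key' row, or None.

    The sandbox renders the registry data with doubled backslashes; undo that.
    """
    m = RUN_RE.search(row)
    if not m:
        return None
    return m.group(1), m.group(2).replace("\\\\", "\\")


def autorun_is_suspicious(row):
    """A Run value that launches something from a user-writable directory."""
    parsed = parse_run_key(row)
    return parsed is not None and is_user_writable(parsed[1])


if __name__ == "__main__":
    for chain in injection_chains(WRITE_ROWS):
        print("chain:", " -> ".join(map(str, chain)))
    for src, dst in hollowing_candidates(WRITE_ROWS):
        print("hollowing candidate:", src, "->", dst)
    name, target = parse_run_key(RUN_KEY_ROW)
    print("autorun:", repr(name), "->", target, "suspicious:", autorun_is_suspicious(RUN_KEY_ROW))
```

Two chains come out of the behavioral2 rows, 784 -> 4440 -> 4172 and 784 -> 4440 -> 1128 -> 4076 -> 3656, and both writes into AppLaunch.exe are flagged because the writer lives under AppData or Temp while the target image is a Microsoft binary under C:\Windows. The same parsing works on the behavioral1 rows, where the PIDs differ but the explorer.exe -> AppLaunch.exe write is the same.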

Processes

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe

"C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

"C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

"C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp
US 8.8.8.8:53 freefoodnetwork.servegame.com udp

Files

memory/784-0-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/784-1-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/784-2-0x0000000001070000-0x0000000001080000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 06914834645d9ab3058300de4c756954
SHA1 437546390ab6be7ab887e82148ba8b923bedd844
SHA256 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512 08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 67ef5517548723978e5cd794a876f58d
SHA1 ac66c27a79d3fe09662d24a31694247315c6a89b
SHA256 181cf30af3598295240f2ae55863ba9d8c7644e8fbf1c0fa40fa588a315e9b74
SHA512 6dac233a4f6dfe2ca7a0723ff0ab50d574a846023164f1b77aac5dc9c9e17a8b54ab51042c1ffef1cd7ab694e47ac0f9014524e14a91b750ae2efc97af66daca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 405dac6e503e33a3284e1233719180f0
SHA1 2f3bc1521646b29e28616b496112d0508339f2f9
SHA256 f6468459342b6785f6ce899056367b201ea672bfbfc6748637244efa5f813f9a
SHA512 71d5dd83bad80f01ffbd780e87bd68e3351cbdb6a9c52ab37ffc821d4da3097397aee86a3b49d5a1c8a72f95090900e50bb4958f4cc315c25b7038076a902b1f

memory/784-14-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/4440-15-0x00000000011B0000-0x00000000011C0000-memory.dmp

memory/4440-13-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/4440-16-0x0000000074610000-0x0000000074BC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 673c630c339470fb63850411fc5af025
SHA1 938da03d56e1c206abc0fb7d729855a0a877a103
SHA256 64b7ba818f2ac7e79037f57649b441d293bde5e213eae6289e1d16b753ecae70
SHA512 8f51561e75a5acc3bff8a8006fc0934b55884255b4ffd6a43b028f4d1379f74694464a614da94195b3a240abf1756a83cdb399efcef209b75ee37789743a0713

memory/4172-22-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4172-23-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4172-24-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4172-25-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\lsn.exe

MD5 0aa7e4dd12b1fc4d899bb86b0fd56233
SHA1 3bbd901ecc48959847deb145da3f3af6dc194afd
SHA256 d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9
SHA512 2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

memory/1128-36-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/1128-38-0x0000000000980000-0x0000000000990000-memory.dmp

memory/1128-37-0x0000000074610000-0x0000000074BC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

MD5 e47d13264fbbe29e21869e49a807f5ae
SHA1 d1921b917f876f40cd9fe084c740ef7fc975c707
SHA256 64f359e10527add11f5a66afe42060a8809758fdd4d49d7cd6e7a85d655a70a8
SHA512 e8a76a2cfd6de90a91ddea8803e5d70c17761e738598e34a00e3739593bd93d09cae41719ebd0d8e547f00eb0519a727e424c2410e31b19e6eb098ecbe8c17c7

C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe

MD5 bc79ff45c32c61579605c78b4f1cd6e4
SHA1 cc5f5ad7fbeb987037514d9380c1bbb675d2b0c4
SHA256 ba57163a10722a5bfada6db3c984dcb3e8aa96bbcda621ccf2ef986a3cf82c45
SHA512 972fd3ce64a1255f10f3f6cdb66cbad6b36692f2fb5cdfa370d0aa6e3912e38b87f3625491fbdcb2eba4bebf5817bddab09f04432762ee08c525adc663ae9695

memory/4076-41-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/4076-42-0x0000000000760000-0x0000000000770000-memory.dmp

memory/4076-44-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/4440-45-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/4440-49-0x00000000011B0000-0x00000000011C0000-memory.dmp

memory/4440-50-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/1128-51-0x0000000074610000-0x0000000074BC1000-memory.dmp

memory/1128-52-0x0000000000980000-0x0000000000990000-memory.dmp

memory/4076-54-0x0000000000760000-0x0000000000770000-memory.dmp

memory/4076-53-0x0000000074610000-0x0000000074BC1000-memory.dmp