Analysis Overview
SHA256
90a65b41e5f21793e4255ccdd9d0c7f1e27cc43d83c55ff4ab55c48f240988e8
Threat Level: Known bad
The file 4a7fa67ed70d217d5b38b5de5d5a780b was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 04:58
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 04:58
Reported
2024-01-08 05:02
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
175s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\4L8nI\lpksetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\akpo\CameraSettingsUIHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2Xe\DisplaySwitch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\4L8nI\lpksetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\akpo\CameraSettingsUIHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2Xe\DisplaySwitch.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\Xzf\\CAMERA~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4L8nI\lpksetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\akpo\CameraSettingsUIHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2Xe\DisplaySwitch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3512 wrote to memory of 4560 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 3512 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\4L8nI\lpksetup.exe |
| PID 3512 wrote to memory of 4972 | N/A | N/A | C:\Windows\system32\CameraSettingsUIHost.exe |
| PID 3512 wrote to memory of 4504 | N/A | N/A | C:\Users\Admin\AppData\Local\akpo\CameraSettingsUIHost.exe |
| PID 3512 wrote to memory of 3684 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe |
| PID 3512 wrote to memory of 3328 | N/A | N/A | C:\Users\Admin\AppData\Local\2Xe\DisplaySwitch.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4a7fa67ed70d217d5b38b5de5d5a780b.dll
C:\Windows\system32\lpksetup.exe
C:\Users\Admin\AppData\Local\4L8nI\lpksetup.exe
C:\Windows\system32\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\akpo\CameraSettingsUIHost.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\2Xe\DisplaySwitch.exe
Network
Files
C:\Users\Admin\AppData\Local\4L8nI\lpksetup.exe
| MD5 | c75516a32e0aea02a184074d55d1a997 |
| SHA1 | f9396946c078f8b0f28e3a6e21a97eeece31d13f |
| SHA256 | cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22 |
| SHA512 | 92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc |
C:\Users\Admin\AppData\Local\4L8nI\dpx.dll
| MD5 | 6e70ca9b7fe3c8a6c31d5472942719f2 |
| SHA1 | e917855d5135e6999058902903d372ffdb311887 |
| SHA256 | 406d60cc2f46084d0e6c03abb45ca83ded8b691a76bad4936bc5dde55a23eb60 |
| SHA512 | 8966edc3c05f2e3c9bd03976e7a1865294882eeaa8c219bb70b5392b549192c403bc9dab4a1553bc088f9531c2baa4e192ae929092c7ec8e9cb6cefc36f998f1 |
C:\Users\Admin\AppData\Local\akpo\CameraSettingsUIHost.exe
| MD5 | 9e98636523a653c7a648f37be229cf69 |
| SHA1 | bd4da030e7cf4d55b7c644dfacd26b152e6a14c4 |
| SHA256 | 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717 |
| SHA512 | 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78 |
C:\Users\Admin\AppData\Local\akpo\DUI70.dll
| MD5 | fd442f3d7f6dd895cf22beb399b1457e |
| SHA1 | 23f0465e2986227f7abdbab91703d18d28991cb9 |
| SHA256 | 7cbda93c898fcba7cc4cf1fcb8961cf9cb2dedf6ba1155bd9b5a9cb209c2bac9 |
| SHA512 | eff0cc72483ae093bbfa0ffb648122858145bbd398c94041aa43210aa34dfd6a30d6130ffe470bdba4b483c0162e7073cbdedbbb75591e13dd5f8daa2d830ca2 |
C:\Users\Admin\AppData\Local\2Xe\DisplaySwitch.exe
| MD5 | 5338d4beddf23db817eb5c37500b5735 |
| SHA1 | 1b5c56f00b53fca3205ff24770203af46cbc7c54 |
| SHA256 | 8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e |
| SHA512 | 173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c |
C:\Users\Admin\AppData\Local\2Xe\dwmapi.dll
| MD5 | b1086dfffa39be40b4925f4ffbbc1020 |
| SHA1 | 1c8a3225645ca9fba9a9859f41aa210eadf63fd4 |
| SHA256 | edd63b891e1e213a201b1f666a906ee7e5e216c2e6a781d02a487b84bce1887f |
| SHA512 | c0c3285b199ac3481db3047cc563642b73ca2130ff792a31c83214905e424d6fd5cf283bd5b00c8e3f67b73beda32f6aa9a7d157655fceb913c0c6d2cf4556c5 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | fc2585fb614f0a92aae23cd1e4b1c20d |
| SHA1 | 3c06b315f8078bfc5d33d553b7c81ece02f45d53 |
| SHA256 | c23e07f4fb83f9f1d369ad0237386302710e2ff88fcf63a9c48b055b2081250e |
| SHA512 | 4bcfb0b9f84509327a4acc60fc3ceeafd20924233673654c02452bd691aa944d14cb281211b5207395befcccc2022103cc7114c5a7cea7d4fd0920af3d488075 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 04:58
Reported
2024-01-08 05:01
Platform
win7-20231215-en
Max time kernel
15s
Max time network
127s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\6g9cy\fvenotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T1Z0\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rmwSRP\consent.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\6g9cy\fvenotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T1Z0\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rmwSRP\consent.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\WOOW25~1\\winlogon.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6g9cy\fvenotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\T1Z0\winlogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rmwSRP\consent.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\fvenotify.exe |
| PID 1260 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\6g9cy\fvenotify.exe |
| PID 1260 wrote to memory of 616 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1260 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\T1Z0\winlogon.exe |
| PID 1260 wrote to memory of 1748 | N/A | N/A | C:\Windows\system32\consent.exe |
| PID 1260 wrote to memory of 892 | N/A | N/A | C:\Users\Admin\AppData\Local\rmwSRP\consent.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4a7fa67ed70d217d5b38b5de5d5a780b.dll
C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\6g9cy\fvenotify.exe
C:\Windows\system32\winlogon.exe
C:\Users\Admin\AppData\Local\T1Z0\winlogon.exe
C:\Windows\system32\consent.exe
C:\Users\Admin\AppData\Local\rmwSRP\consent.exe
Network
Files