Malware Analysis Report

2025-01-06 09:27

Sample ID 240601-f3wlwabc9w
Target f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92
SHA256 f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92

Threat Level: Known bad

The file f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92 was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Sets file execution options in registry

Modifies Installed Components in the registry

Loads dropped DLL

Windows security modification

Executes dropped EXE

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:24

Reported

2024-06-01 05:26

Platform

win7-20240220-en

Max time kernel

149s

Max time network

121s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\ucfoabod.exe" | C:\Windows\SysWOW64\axdasik.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858} | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\axdasik.exe | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ahcoanet.exe" | C:\Windows\SysWOW64\axdasik.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\axdasik.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\acxudoar.dll" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\axdasik.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\ucfoabod.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File created | C:\Windows\SysWOW64\ucfoabod.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File opened for modification | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File opened for modification | C:\Windows\SysWOW64\axdasik.exe | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | N/A
File created | C:\Windows\SysWOW64\axdasik.exe | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ahcoanet.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File created | C:\Windows\SysWOW64\ahcoanet.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File opened for modification | C:\Windows\SysWOW64\acxudoar.dll | C:\Windows\SysWOW64\axdasik.exe | N/A
File created | C:\Windows\SysWOW64\acxudoar.dll | C:\Windows\SysWOW64\axdasik.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2784 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2784 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2784 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2784 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2272 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\system32\winlogon.exe
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2272 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2272 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2272 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE

Processes

Image: C:\Windows\system32\winlogon.exe
Command line: winlogon.exe

Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Image: C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe"

Image: C:\Windows\SysWOW64\axdasik.exe
Command line: "C:\Windows\SysWOW64\axdasik.exe"

Image: C:\Windows\SysWOW64\axdasik.exe
Command line: --k33p

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cdmusewdsit.tk | udp
US | 8.8.8.8:53 | cdmusewdsit.tk | udp

Files

\Windows\SysWOW64\axdasik.exe

MD5 e72e8a8e918648725ca3a5fde5624f31
SHA1 8e5c89fdd5c707456ac4481008c3e08488564d9b
SHA256 ce17f737c208b80791f4d2478f52ce0217fba253952849aba34b50985ba92e98
SHA512 d454261ad2c510f009f3070fa3c119cd8692840a817cd8ed8c221aed3769f6432ff5a92c198783cf174713a2985b05ae8bb9034b961006c642705ee413663b23

memory/2784-7-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ucfoabod.exe

MD5 e8ffec8089dfc11a21f5cb1e56bac37c
SHA1 f8050cbc4af20928fd93005a9713062b8e02b512
SHA256 749e7b3bf81a93fb443e93bb08400b1f817ef5021b71eb8847e6b41342255fa8
SHA512 a1bb5fec9fae35db0acf6f0d06fbb82fac87cdd778abef6f6eb263319e249024e625991e0173f471fd275e997e831d253bdb8a0d731b66ddb8840b9ec39664c8

C:\Windows\SysWOW64\ahcoanet.exe

MD5 6e78c65aa92a67f8e755b624975ae370
SHA1 9b944b9ed796fc785d8245de69fc56e9429911d5
SHA256 cd89693bb8c523eff17c528aae333475f344085358685c600c6269a048c6187d
SHA512 0090927a487e86841cf1ba8434ff2f41525fa3a90c8c8c6a7017bf7dbe43a876be986f46bc7982de6eebf1f17dc5cdd26387accd0c917afa2f59d35217e59a5c

C:\Windows\SysWOW64\acxudoar.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/2272-53-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2524-54-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:24

Reported

2024-06-01 05:26

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41} | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\IsInstalled = "1" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\StubPath = "C:\\Windows\\system32\\ucfoabod.exe" | C:\Windows\SysWOW64\axdasik.exe | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ahcoanet.exe" | C:\Windows\SysWOW64\axdasik.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\axdasik.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\acxudoar.dll" | C:\Windows\SysWOW64\axdasik.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\axdasik.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\axdasik.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\axdasik.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\axdasik.exe | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | N/A
File created | C:\Windows\SysWOW64\ahcoanet.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ucfoabod.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File created | C:\Windows\SysWOW64\ucfoabod.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File opened for modification | C:\Windows\SysWOW64\acxudoar.dll | C:\Windows\SysWOW64\axdasik.exe | N/A
File created | C:\Windows\SysWOW64\acxudoar.dll | C:\Windows\SysWOW64\axdasik.exe | N/A
File created | C:\Windows\SysWOW64\axdasik.exe | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ahcoanet.exe | C:\Windows\SysWOW64\axdasik.exe | N/A
File opened for modification | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\axdasik.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1496 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 1496 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 1496 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2920 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\system32\winlogon.exe
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 1040 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2920 wrote to memory of 1040 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2920 wrote to memory of 1040 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\SysWOW64\axdasik.exe
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE
PID 2920 wrote to memory of 3452 | N/A | C:\Windows\SysWOW64\axdasik.exe | C:\Windows\Explorer.EXE

Processes

Image: C:\Windows\system32\winlogon.exe
Command line: winlogon.exe

Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Image: C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f941dd6949d9d8c2c997ce4c78906f97a96f6fbcbead90e71ff4bb8876866d92.exe"

Image: C:\Windows\SysWOW64\axdasik.exe
Command line: "C:\Windows\SysWOW64\axdasik.exe"

Image: C:\Windows\SysWOW64\axdasik.exe
Command line: --k33p

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bbmwsmquiu.tk | udp
US | 8.8.8.8:53 | bbmwsmquiu.tk | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\axdasik.exe

MD5 e72e8a8e918648725ca3a5fde5624f31
SHA1 8e5c89fdd5c707456ac4481008c3e08488564d9b
SHA256 ce17f737c208b80791f4d2478f52ce0217fba253952849aba34b50985ba92e98
SHA512 d454261ad2c510f009f3070fa3c119cd8692840a817cd8ed8c221aed3769f6432ff5a92c198783cf174713a2985b05ae8bb9034b961006c642705ee413663b23

memory/1496-3-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ucfoabod.exe

MD5 ee6788f7108560abd31c17fe48a46d37
SHA1 0e7ebc0c4b9fe31a370c8a39e8b5544d4b866440
SHA256 df20521057a05b3b5f077a8e03527403fbb5924395d26bc36a416c1caf42de61
SHA512 db38eb186a7a6e3bf668fb791e1e14810a74b6c27cadff5cfdd3e5e1dfbf19555e6c29767609820c10ec2cc3de0abef770bc66248e081ddf63de1dc90b641b07

C:\Windows\SysWOW64\ahcoanet.exe

MD5 4dd927704ed94b855bbc40db51508f9e
SHA1 5a8bcd7fbf7b5a5e1bd527f5c84649ebfce13e40
SHA256 33dc4b836cf071e70ca37fcb5a508c79e2b987bda609c7255c1a767cfdbed39d
SHA512 d337aa40cdfa1ba804a71917fe0a1479eeb15db937d519c0810815bece5fcb0e91b22e5c883fdaaf926273fbb46096d9095f142eebde5bed153c8560ba7a2072

C:\Windows\SysWOW64\acxudoar.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/2920-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1040-48-0x0000000000400000-0x0000000000414000-memory.dmp