Malware Analysis Report

2025-03-14 23:11

Sample ID 240406-31qn6sfe48
Target a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6
SHA256 a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6
Tags
evasion persistence upx
score
10/10

Analysis Overview

score
10/10

SHA256

a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6

Threat Level: Known bad

The file a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6 was found to be: Known bad.

Malicious Activity Summary

evasion persistence upx

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables use of System Restore points

Sets file execution options in registry

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

Modifies system executable filetype association

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:59

Reported

2024-04-07 00:01

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\\KCJ2S8C.exe\"" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\\KCJ2S8C.exe\"" C:\Windows\lsass.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\lsass.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\lsass.exe N/A

Disables use of System Restore points

evasion

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Windows\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sHN2X5G0 = "C:\\Windows\\system32\\MHG8N4IINW6S6Q.exe" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0S8CNW = "C:\\Windows\\DGQ2X5G.exe" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sHN2X5G0 = "C:\\Windows\\system32\\MHG8N4IINW6S6Q.exe" C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0S8CNW = "C:\\Windows\\DGQ2X5G.exe" C:\Windows\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\W: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\H: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\I: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\J: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\K: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\E: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\T: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\X: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\S: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\Y: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\Z: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\L: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\N: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\P: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\Q: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\U: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\G: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\M: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\O: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\R: C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\SRV3D1N.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\SRV3D1N.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\SRV3D1N.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\SRV3D1N.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\SRV3D1N.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\SRV3D1N.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\DGQ2X5G.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\XDX3E1U.com C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\DGQ2X5G.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\INW6S6Q.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\INW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\XDX3E1U.com C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\INW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\64enc.en C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File created C:\Windows\MooNlight.R.txt C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\DGQ2X5G.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\INW6S6Q.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File created C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\zia04360 C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\lsass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 3120 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 3120 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 3120 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 3120 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 3120 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 3120 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 3120 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 3120 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 3120 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 3120 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 3120 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 3120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
PID 3120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
PID 3120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe

"C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe"

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

"C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

"C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

"C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

"C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"

C:\Windows\lsass.exe

"C:\Windows\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:80 www.google.com tcp
US 8.8.8.8:53 smtp.cryptsoft.com udp
US 8.8.8.8:53 196.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 mail.cryptsoft.com udp
DE 142.250.185.211:25 mail.cryptsoft.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 ns1.cryptsoft.com udp
US 8.8.8.8:53 mx1.cryptsoft.com udp
US 8.8.8.8:53 mail1.cryptsoft.com udp
US 8.8.8.8:53 mx.cryptsoft.com udp
US 8.8.8.8:53 mxs.cryptsoft.com udp
US 8.8.8.8:53 relay.cryptsoft.com udp
US 8.8.8.8:53 gate.cryptsoft.com udp
US 8.8.8.8:53 smtp.openssl.org udp
US 8.8.8.8:53 mail.openssl.org udp
NL 34.32.178.11:25 mail.openssl.org tcp
US 8.8.8.8:53 ns1.openssl.org udp
US 8.8.8.8:53 mx1.openssl.org udp
US 8.8.8.8:53 mail1.openssl.org udp
US 8.8.8.8:53 mx.openssl.org udp
US 8.8.8.8:53 mxs.openssl.org udp
US 8.8.8.8:53 relay.openssl.org udp
US 8.8.8.8:53 gate.openssl.org udp
US 8.8.8.8:53 smtp.cryptsoft.com udp
DE 142.250.185.211:25 mail.cryptsoft.com tcp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 ns1.cryptsoft.com udp
US 8.8.8.8:53 mx1.cryptsoft.com udp
US 8.8.8.8:53 mail1.cryptsoft.com udp
US 8.8.8.8:53 mx.cryptsoft.com udp
US 8.8.8.8:53 mxs.cryptsoft.com udp
US 8.8.8.8:53 relay.cryptsoft.com udp
US 8.8.8.8:53 gate.cryptsoft.com udp
US 8.8.8.8:53 smtp.cryptsoft.com udp
DE 142.250.185.211:25 mail.cryptsoft.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 ns1.cryptsoft.com udp
US 8.8.8.8:53 mx1.cryptsoft.com udp
US 8.8.8.8:53 mail1.cryptsoft.com udp
US 8.8.8.8:53 mx.cryptsoft.com udp
US 8.8.8.8:53 mxs.cryptsoft.com udp
US 8.8.8.8:53 relay.cryptsoft.com udp
US 8.8.8.8:53 gate.cryptsoft.com udp
US 8.8.8.8:53 smtp.cryptsoft.com udp
DE 142.250.185.211:25 mail.cryptsoft.com tcp
US 8.8.8.8:53 ns1.cryptsoft.com udp
US 8.8.8.8:53 mx1.cryptsoft.com udp
US 8.8.8.8:53 mail1.cryptsoft.com udp
US 8.8.8.8:53 mx.cryptsoft.com udp
US 8.8.8.8:53 mxs.cryptsoft.com udp
US 8.8.8.8:53 relay.cryptsoft.com udp
US 8.8.8.8:53 gate.cryptsoft.com udp
US 8.8.8.8:53 smtp.openssl.org udp
NL 34.32.178.11:25 mail.openssl.org tcp
US 8.8.8.8:53 ns1.openssl.org udp
US 8.8.8.8:53 mx1.openssl.org udp
US 8.8.8.8:53 mail1.openssl.org udp
US 8.8.8.8:53 mx.openssl.org udp
US 8.8.8.8:53 mxs.openssl.org udp
US 8.8.8.8:53 relay.openssl.org udp
US 8.8.8.8:53 gate.openssl.org udp
US 8.8.8.8:53 smtp.cryptsoft.com udp
DE 142.250.185.211:25 mail.cryptsoft.com tcp
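The network table above is not just noise: for each of cryptsoft.com and openssl.org the sample queries the same nine conventional mail-server names (smtp, mail, ns1, mx1, mail1, mx, mxs, relay, gate) and then connects directly to port 25 of whatever resolved. The sandbox does not label this, but guessing mail hosts per domain and speaking SMTP directly is the shape of a self-mailing worm harvesting domains from the host. The following PowerShell is an added example, not part of the sandbox output: it runs that pattern as a detection over the report's own lines (copied from the table above into a here-string), grouping by domain and flagging any domain where several of the guessed prefixes were queried or a direct TCP/25 connection was made. Treating the last two labels as the domain is a deliberate simplification (no public-suffix list); the function name and output fields are my own.

```powershell
# Added example: flag the mail-host guessing pattern in this report's Network table.
# Not part of the sandbox output. Sample lines are copied from the table above; the
# prefix list is the set of hostnames the sample actually queried per domain.

$sample = @'
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:80 www.google.com tcp
US 8.8.8.8:53 smtp.cryptsoft.com udp
US 8.8.8.8:53 mail.cryptsoft.com udp
DE 142.250.185.211:25 mail.cryptsoft.com tcp
US 8.8.8.8:53 ns1.cryptsoft.com udp
US 8.8.8.8:53 mx1.cryptsoft.com udp
US 8.8.8.8:53 mail1.cryptsoft.com udp
US 8.8.8.8:53 mx.cryptsoft.com udp
US 8.8.8.8:53 mxs.cryptsoft.com udp
US 8.8.8.8:53 relay.cryptsoft.com udp
US 8.8.8.8:53 gate.cryptsoft.com udp
US 8.8.8.8:53 smtp.openssl.org udp
US 8.8.8.8:53 mail.openssl.org udp
NL 34.32.178.11:25 mail.openssl.org tcp
US 8.8.8.8:53 ns1.openssl.org udp
US 8.8.8.8:53 mx1.openssl.org udp
US 8.8.8.8:53 mail1.openssl.org udp
US 8.8.8.8:53 mx.openssl.org udp
US 8.8.8.8:53 mxs.openssl.org udp
US 8.8.8.8:53 relay.openssl.org udp
US 8.8.8.8:53 gate.openssl.org udp
'@

# Hostname prefixes the sample tried for each domain (taken from the table above).
$mailPrefixes = 'smtp','mail','mx','mx1','mail1','mxs','relay','gate','ns1'

function Find-MailHostGuessing {
    param([string[]]$Lines, [int]$MinPrefixes = 3)

    $byDomain = @{}
    foreach ($line in $Lines) {
        # Table row format: <country> <ip>:<port> <hostname> <proto>
        if ($line -notmatch '^(?<cc>\w{2})\s+(?<ip>[\d.]+):(?<port>\d+)\s+(?<name>\S+)\s+(?<proto>tcp|udp)$') { continue }
        $hostname = $Matches.name.ToLower()
        $labels = $hostname.Split('.')
        if ($labels.Count -lt 3) { continue }
        # Simplification: last two labels are "the domain" (no public-suffix handling).
        $domain = $labels[-2..-1] -join '.'
        $prefix = $labels[0]
        if (-not $byDomain.ContainsKey($domain)) {
            $byDomain[$domain] = @{ Prefixes = New-Object 'System.Collections.Generic.HashSet[string]'; Smtp = @() }
        }
        if ($mailPrefixes -contains $prefix) { [void]$byDomain[$domain].Prefixes.Add($prefix) }
        if ($Matches.proto -eq 'tcp' -and [int]$Matches.port -eq 25) {
            $byDomain[$domain].Smtp += "$($Matches.ip):25"
        }
    }

    foreach ($domain in $byDomain.Keys) {
        $entry = $byDomain[$domain]
        $guessing = $entry.Prefixes.Count -ge $MinPrefixes
        $direct   = $entry.Smtp.Count -gt 0
        if (-not ($guessing -or $direct)) { continue }
        $verdict = if ($guessing -and $direct) { 'mail-host guessing + direct SMTP' } else { 'review' }
        [pscustomobject]@{
            Domain          = $domain
            GuessedPrefixes = ($entry.Prefixes | Sort-Object) -join ','
            DirectSmtp      = ($entry.Smtp | Select-Object -Unique) -join ','
            Verdict         = $verdict
        }
    }
}

Find-MailHostGuessing -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

On the lines above this reports cryptsoft.com and openssl.org with all nine prefixes and a direct SMTP peer each, and stays silent on www.google.com. Against real DNS and firewall logs the same function applies unchanged once the rows are reformatted to the four-column shape; a workstation that resolves mx/mx1/relay/gate names for a domain it has no mail relationship with and then opens port 25 itself, rather than through the corporate relay, is the signal to act on.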

Files

memory/3120-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

MD5 b1e9bf46b66db105e59fffca2e786076
SHA1 4b4aa72e6718be89d71b6a31891569330ccd38d2
SHA256 b50fedfcc9e85d3f9c2be727779eb94bb3fa44280a82fd671b86ef31bbda5476
SHA512 e5f66e0612b4025cc940f3d7ec5aee35f7193dda7f5f9cc8f0b97ab0f712e042eb4590b06e054d68928741bb924bfad37edc9a5540059c1cb7cdff58773933e2

memory/4408-63-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

MD5 774bac352fb3bd6477ddd3940e543f1b
SHA1 d2f67dffd89e4a2de56508f87e9dacff5a0dbfc8
SHA256 1ffa5f72e0de52aceca0284700d3a03d44da78e36411e6be654d0c8a60cc8357
SHA512 5ab0003fd3968f52fc964c5e0676cc816c4a88090b0a99fce7190b981e07b50c7a090d04300f57bb7e831ed454222f09ce4f4142364965492ad2e7d870017983

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

MD5 3ab76f47abbe853e88b0c2b171846b2e
SHA1 348916b094b5311fcb6e97fb954097c13043f2e4
SHA256 1ab1d91b56ac6d8a2ad9b1e4e6c75e2caf51f8aa6a56b6931b59d6a6447186a6
SHA512 3fe20ee661cdc92acab204e914989054edca1d93ca78a19a6889974e0b25ce184b40ff885e459fb2e9cbc1146f8de15e39eec643da86db4cdf91861268cb8c8f

memory/2204-75-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

MD5 365c3d1e0b2208ca5b49d06d877c24d7
SHA1 2c9292eeb4cb99caf579c6f6187c43c638594a62
SHA256 78a8d1a8208de4ff2c3440160f398c662739f1a74c2fbd549df8be066c54208f
SHA512 f07fea49320a58c2a4b903ded88d5f56d848b9f0b6707b43f1546c5be04fcf0bdc0d603e2c12d7b9af81206b73a3878875f3db3fd0a9084a258e32eb1d6a7587

memory/4292-88-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-128-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\lsass.exe

MD5 17f3a947a0ca312b07f53eedeb8bc8ce
SHA1 54b16107f9b31076e101885fa26ef92694af6cea
SHA256 969733386849ad56e0e43b3ba36c012fc854f6858fa23ce703f84c28ef4b376e
SHA512 51315a2e6497aecf0f62bac7a286da17a5879fa2e3d4d85c208d6dbae02578497660928e992bd4e83e19935ea9187f52ac9e3aa6d3251e997a76d64811a2860d

C:\Windows\SysWOW64\systear.dll

MD5 a084d1ea1109ec7755a53a25c938f601
SHA1 07ce271a400a9aa30729811d117f7100d1cd3cbd
SHA256 b46e77b0441437b88eea922dea7a0a7b07bc1632084c53f3f221d6ecfe4966eb
SHA512 957486af49a4d4cef873079f94053fcc7c5137274f8b41ef61de47b756e17b62259cfabe2ba95b76cc8fabc1f1f57a3d1162f656ee8161fa207e5c0e5f944adb

C:\Windows\lsass.exe

MD5 a8458ea8a01af4ff80d038d7b7d15ad6
SHA1 4977200ff18d99ab05d0e31700be2e8df609706a
SHA256 2dcf4b3a5698b77265e361ceb0f49700296745a9ffedaf9190aada89508768b5
SHA512 434d0833b4f0bebfa429791d52f157c12aa2029a6773bb538d98e1d1945647a22c9bdff6be091ec8ec0ba35209538b2901b2bf388b79567eb75cf3a70cd60ee1

C:\Windows\system\msvbvm60.dll

MD5 220cd5b36a14cfc83715839698aeaaa8
SHA1 e2957eb14abffa17ad61b7555221803444f92288
SHA256 eb319cc5c5e432b3f111b185fa12e1410b43d90b81b4bd8d7f007c860256b4b1
SHA512 65f4473e6f2f6af2c9197fb25955b58f1f2504b3cf364e6e6f41b9e1ba9fb6a80613797a0b4b24b41ce88b1f2afbb52cc3efcc5a362c4f54f2beb745028a9441

C:\Windows\cypreg.dll

MD5 c5c7392dc94c13ef23f98cb3729bf711
SHA1 404d820f4b62462eb932275e3b58a1be42896e7c
SHA256 b73e8cf25db9683d28cca18b3db91fefa1f8c1f6c06bcb0ff1855c9ca3e498f3
SHA512 7153bfab3578b60732b0f86fef10bbb722e978124b1d71c58373e8dfbf3a989983314ab63b40ef99722c42d12da2a28955c770d0f1223993145fd9246ff0cc43

C:\Windows\SysWOW64\SRV3D1N.exe

MD5 95d9b6be956d3b8c5923ead8e8e00a86
SHA1 784ac590f3389fffa13943dea34953901e4b1d85
SHA256 f1672cf0a3975348841d4dc678d4b1ae1cd562b12b93a57136b3240599d47c56
SHA512 55d28245f17a30543cde4294ddf75a9da1e6b7d2b77c4550c3d6485d1256ba52fd75aacd33308fff25f0b036965e5b89703dd3b6e51ee12fb1c63054ad7921bd

C:\Windows\lsass.exe

MD5 cb55d6bee483beaaba3e8afecbb7c188
SHA1 3082d338404ae0b0ca596c55b1c640459d165749
SHA256 d2ca904aeffe53df5b7a91648a42f178326d2154837dba6dc9901a10f5218d46
SHA512 536f206c69af447d8a4718c6927e442f5133793a83110e7b55d126f777a0cdea221418a2216d15a14496a344ffae0dc272b89c29e55949e7c52a617a84e8bacd

memory/2564-289-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3120-290-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe

MD5 c220beb3f2435c42f43881abdf89f645
SHA1 cd82f8c1957f6810f60f0b136f30c93a992e7a7a
SHA256 e0d7aed82453819f3d7e1b870ff0326ca8a833d38f500309e9f18a99995addeb
SHA512 aa718546b67d8204e9cb4b3c82efd2310e0de4e6d686bcece908d2f0db95695f2446439bc38f977d857f63b3f221e2ef3d8d65ec80d09f57439e263b3d575e3f

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\XDX3E1U.com

MD5 8f5569e92956e6931da809e70399377d
SHA1 183d5cf394906772a149c18fadc21c6733909ef4
SHA256 c5f713b717215bc4148af481a814cf2f17bb113539f4744212a234338821b23b
SHA512 e2e908e08e6028f4da58eed63ba9820a59c791565f1615b4228614bb9e66d2acceeecdcb0a22b3671af482ec07e090c918d5f5224ea11d0a507f35db7e8063ac

C:\Windows\INW6S6Q.exe

MD5 d15d2977b476351fc639827f2a00203d
SHA1 b6e0d50ea8ea63880d11fe22d604afdce671106b
SHA256 a78b7cf484dff5b5a24d7aa6623e1dae6589bff8c081ec252db40f44bb261b7e
SHA512 426aa21baf8852522048ac54147cdadb8d05211dbc2dce0b9f36f36a22d4014194a81874f50e25205b16138a670498e997db9dc87ef21c7a1321de258448c76a

C:\Windows\DGQ2X5G.exe

MD5 e91ba0ba50c72aab58487f078311143d
SHA1 8f29cac9d40c5a25f915b9706c8be44e1ba2daf4
SHA256 f018138171ebc63906dfbcaf863714dc76ece21e138525a057cd545843eee613
SHA512 f8560fc257d8c91d0f026d4676007d80187ec14ba667de8c3edef42a8ad329536ddd8c1dc8c0514b959f5a9fa0ed59d72a0c49f63de0f41d4dff594fb43c5086

C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd

MD5 b2e3d71986f3bf85b782ecbb30e8c2b8
SHA1 75c5124dceafd0ab41cba35548867d2bd6adff0f
SHA256 f613814761d9bc39657d085b0c79b7b50250da192389ad945a6d38726bf9c82b
SHA512 2105af7498f09759611cfc5f7272fd95b9e1cd0394d1959231ee93b3be8e229d84863ada80ddd41cb351559d05ec04de1c40a08a5b50a3b788cb4a7c7e20ce08

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

MD5 0250a3d4a3c212a2cb7eca673527ec42
SHA1 f5c28ddced09c5e64c311f73a66bc838d166f8e3
SHA256 a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6
SHA512 3bd04723717367348af0171d030333d0eedaab84ab0016f1c9fe44c05500d587c67229502364130d8d9b6d17295d2e6217698e9a4f91973ea01880b02e823873

C:\Windows\SysWOW64\systear.dll

MD5 55d6fa556090e6994345aff237c8239f
SHA1 40e56c29ca042bb4f723b2f745ce627c3c41123c
SHA256 27de7c9aaf0dfe62ae73ab5a42cc5eced150609efd0cdbe5e626ae7b6dd5ddec
SHA512 3ee1264fed70f6d575b35505bcde71378317f3a52d8f41f3302013b989c1912ca7fa7a1bd360fda98ec2954c55fda201ef8ecdf428a8c8363ba5f1126dfb7c6d

C:\Windows\cypreg.dll

MD5 da277f942f662c7cc42f98c5f6203ad3
SHA1 1f7c7f5b09b2b7ea73c85e74ed4e09ecb72727e4
SHA256 c277b2e10adab2360bd59d4ee4b53cc63ce545605226a43453422293a3277b1b
SHA512 da91c15fb47f782ee9338b4ea8fca1553af29b3849d82330c31d68b764b235107170c6c32573b4afe6adddc07d963c808a92f8d6f1bb7a5ec113183cf639a6e6

C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd

MD5 872321abfe95710cb9719b3ebb43d141
SHA1 3f9c7ca159e920a7c7f29dd5aeae4dbdcb3f5720
SHA256 4a997f05eb453921b9d48da407185879b8326a4340d59f148d73628a84a0618b
SHA512 65ccd32226750bfaa88adcd6477b9e7ddb067ee953c410132564744a07dc1fbc71e0b78aad574b79f05773c839348a8153afb827bee2f2c294944d9fa4f97b3a

C:\Windows\YHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\KCJ2S8C.exe

MD5 8c26b72b39ba45b0611d7f9f37ba5d15
SHA1 cc27be51bfcdee8f2b32e8ee550ce4fde4a932ee
SHA256 1240a28f6dfe724810cb154febbf2e159725a2b911d895dddfda2f594a91bcc7
SHA512 d5822f31f16a5f1cff727d4fcda2195f4cf08139bb4533090f26bbcdcd706620c7bf4f3c1f4c72d775b492d0e8cbf04465ce4f88ea4625745ed8545062efeac5

C:\Windows\SysWOW64\MHG8N4IINW6S6Q.exe

MD5 b7d6ca24b7bb661cc4146270833ae507
SHA1 d37439cb07f385b29a31559f717da4e91aee0825
SHA256 e31c827b320ec6de63a2f293ff68e4bf6fc933c0a0342d974025c37707bf2fce
SHA512 db2cf801a898c19bafd731e008daf3afc95d87261df103127cd78f4ca91c85912be514396a03a43c292f96fed4b526e7f4abe485144d01ad7a5eed12a422a60c

C:\Windows\INW6S6Q.exe

MD5 f290a6ba1ae43b0b88bb48e831f1275f
SHA1 9ad01164707bb0fe25aa142b5fb2091fc40766de
SHA256 c12b765870e48341bede7f42be73cc62f10a3997c26377e676d9470608e6319b
SHA512 de6135ebf6d39e5b7c7a4c664e14a90e3ffa590d4b9a880841c80ee21b5cf7dfeb5b408be636c8dce14eebe0297171c11eb32bd0d0efdd1d842f86e7f2c9bfa6

C:\Windows\DGQ2X5G.exe

MD5 c4789bab0ae8c80d8334af0ce57ac767
SHA1 d63f30c0fb43d62182f4e11b54fc28a697505838
SHA256 c735dca4bd593ec10ade2d8f63caa11bbd019e32c0ed0a751090a23ecddae813
SHA512 17c82c00541aeeff2098333ee98c0fbd53f6d95507b02f2691669a61d5b968064bc5a56205f2c9c1d28a1aa27ba19311cd230d3b4bab2acbb29a8cb2f37209ec

C:\Windows\SysWOW64\SRV3D1N.exe

MD5 a3ae0f44806bed6e47fdc84a7bb62d34
SHA1 bd6f5f794b498d1d3b0601746753f003de591aa6
SHA256 8367e9bec91524c7c7dc98d31317cb9a74f865557d63146b9ae212943884d660
SHA512 7ac49bec02ea867adf6f58e53f9c44c5454eed90e699c5184fbe933db1c87488bac36fcfa24a415614860bbfffef32d064cbbf632469ab6b3a3aa0c14ba17160

C:\Windows\INW6S6Q.exe

MD5 ef40baba9f614d075fc230fb8ce5b655
SHA1 4bc43275303175a48d8138e076e8f8de297a1d5e
SHA256 96200fdea7abd03c0b06a6e4e7ef1e2e1404e4f1efd7562799b7c58374d96b07
SHA512 ba9fb3b4c045d887337f287c9c17a0dd9f8b3869504e9272227cf109700dd14228cc3c9198a85330f91e839a96a7f88ff9bc43f6ff36db59249288e4a84faa59

C:\Windows\cypreg.dll

MD5 cad01ce988370f1f7ba6d1b366b67350
SHA1 456ee670f051bc6dc0f6ac660c202da6cf08ca2c
SHA256 ed6cdafd3b8f026f7b564a46e608f49332d8499187dcbfe5e7f4f105a31e8c4c
SHA512 dc133d6c905391a99b2989217d1cb5879bfea710f90a3f013fa3e62e55399edbfee7a167360fde9d33f87016f82a7707da40e4892c0ab72a441e57a13b664821

C:\Windows\system\msvbvm60.dll

MD5 9e453b7ea22dc49f143180ecf4ead7d6
SHA1 57ce539a801faa8164b7ce4b5fac66093bae2b73
SHA256 fed61ef395ee1ecf2cf0b7f0c7c954171f7d4b23c7152d472c45d57b2db06743
SHA512 ec9f399cf584bacb6aa1944bd25bde867a994673277a6912a847af594ed4f1800148628edf87fcc241b9739c2c2517cd8892de6222d39a1e18e26136ad1f3763

C:\Windows\onceinabluemoon.mid

MD5 0e528d000aad58b255c1cf8fd0bb1089
SHA1 2445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256 c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA512 89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

C:\Windows\moonlight.dll

MD5 c55534452c57efa04f4109310f71ccca
SHA1 b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA256 4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512 ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

C:\Windows\system\msvbvm60.dll

MD5 f45f8d9fa3e4b3cec0d13e83ab9efaee
SHA1 05a098f8a554143aabcdb839afd82d5ca3923b55
SHA256 e13fb59a98f3d4bc9f1826c79dd36e53b587b7353823dd952183f0f3502725da
SHA512 71c2bf5214e36d1d38726a466b43e8e43319e47ca58483e18ee71d289baa4198f9d6a271e5a9cf66fdfbbdabd3dfc31768e750a262fd008f5bc3fc1eaca3caad

memory/4408-311-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2204-312-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4292-313-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-314-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-320-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4292-326-0x0000000010000000-0x0000000010075000-memory.dmp

memory/4292-332-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-337-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-338-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-339-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4292-348-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-350-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-356-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4292-360-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-362-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-365-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-371-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4292-374-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-376-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-377-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-383-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4292-386-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2836-388-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2564-389-0x0000000000400000-0x0000000000458000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:59

Reported

2024-04-07 00:01

Platform

win7-20240221-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\LDK2T0D.exe\"" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\LDK2T0D.exe\"" C:\Windows\lsass.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\lsass.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\lsass.exe N/A

Disables use of System Restore points

evasion

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\lsass.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0T0DCL = "C:\\Windows\\PSE7M0S.exe" C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sIO7M0S0 = "C:\\Windows\\system32\\NIH8O4JUCL2H2F.exe" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0T0DCL = "C:\\Windows\\PSE7M0S.exe" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sIO7M0S0 = "C:\\Windows\\system32\\NIH8O4JUCL2H2F.exe" C:\Windows\lsass.exe N/A
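The registry tables above describe one coordinated trick rather than five unrelated ones. The exefile class default becomes "File Folder" while HideFileExt is forced to 1 and ShowSuperHidden to 0, so the dropped .exe files look like folders in Explorer; the dropper directory name ends in {645FF040-5081-101B-9F08-00AA002F954E}, which is the Recycle Bin CLSID, so Explorer renders that directory as a Recycle Bin; the Image File Execution Options "debugger" values send rstrui.exe and msconfig.exe to notepad.exe, and regedit.exe to regedit.cmd, which the Files section of behavioral2 shows carries the same SHA256 as the submitted sample, so opening regedit re-launches the malware. Note also that in this run the Winlogon\Shell value landed under Wow6432Node, because a 32-bit process wrote it on 64-bit Windows; a triage check has to read both registry views. The PowerShell below is an added host-triage script, not part of the sandbox output, that checks each of those artifacts on a suspect machine (run elevated). The Add-Finding helper and the finding text are my own; the key paths and the CLSID suffix are the ones the report lists.

```powershell
# Added host-triage check for the registry and file-system artifacts listed in this report.
# Not part of the sandbox output; run in an elevated PowerShell on the suspect host.
# Key paths and the Recycle Bin CLSID suffix come from the report; the output format is my own.

$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Text) { $findings.Add($Text) }

# 1. Winlogon\Shell in both registry views; only "explorer.exe" is expected.
foreach ($view in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $view -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
        Add-Finding "Winlogon Shell hijacked at $view : $shell"
    }
}

# 2. Image File Execution Options: any Debugger value replaces the named program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding "IFEO debugger for $($_.PSChildName): $dbg" }
}

# 3. Explorer view settings the sample flips so its droppers stay out of sight.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$p = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($p.HideFileExt -eq 1)     { Add-Finding 'Explorer HideFileExt = 1 (extensions hidden)' }
if ($p.ShowSuperHidden -eq 0) { Add-Finding 'Explorer ShowSuperHidden = 0 (system files hidden)' }

# 4. exefile type name: the default value is "Application" on a clean system.
$exefile = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile' -ErrorAction SilentlyContinue).'(default)'
if ($exefile -and $exefile -ne 'Application') { Add-Finding "exefile friendly name changed to: $exefile" }

# 5. Run keys in all three views: report entries whose target is missing or not validly signed.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $target = [string]$prop.Value
        # Strip quotes and arguments to get the image path.
        $exe = ($target -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { Add-Finding "Run entry $key\$($prop.Name) -> $exe (signature: $($sig.Status))" }
        } else {
            Add-Finding "Run entry $key\$($prop.Name) -> $exe (file missing)"
        }
    }
}

# 6. Dropper directory: <random>.{645FF040-...} under C:\Windows displays as the Recycle Bin.
Get-ChildItem -Path 'C:\Windows' -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*.{645FF040-5081-101B-9F08-00AA002F954E}' } |
    ForEach-Object { Add-Finding "Recycle-Bin-CLSID directory: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

Two practical notes. The IFEO check lists every Debugger value, including legitimate ones an administrator may have set, so read the output rather than auto-remediating; the values this report shows (notepad.exe for rstrui.exe and msconfig.exe, a .cmd for regedit.exe) are not something a legitimate tool installs. And because the sample's copies run as C:\Windows\lsass.exe and winlogon.exe under a fake Recycle Bin directory, clean-up means deleting those files and the IFEO keys before rebooting, otherwise the Winlogon\Shell and Run entries start them again.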

Drops desktop.ini file(s)

Description Indicator Process Target
File created \??\UNC\IZKCKOTP\V$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\G$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\I$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\F$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\Y$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\ADMIN$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\A$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\C$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\W$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\L$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\U$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\K$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\Q$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\T$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\X$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\J$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\N$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\O$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\P$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\R$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\S$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\B$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\D$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\H$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\M$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\Z$\desktop.ini C:\Windows\lsass.exe N/A
File created \??\UNC\IZKCKOTP\E$\desktop.ini C:\Windows\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\N: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\Q: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\R: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\K: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\U: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\V: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\G: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\H: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\I: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\S: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\T: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\W: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\Z: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\J: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\L: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\O: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\Y: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\E: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\M: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened (read-only) \??\P: C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\HGK7P6C.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\HGK7P6C.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L\NIH8O4J.cmd C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L\NIH8O4J.cmd C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\HGK7P6C.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L\NIH8O4J.cmd C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L\NIH8O4J.cmd C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\HGK7P6C.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L\NIH8O4J.cmd C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\HGK7P6C.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\SysWOW64\HGK7P6C.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L\NIH8O4J.cmd C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\SysWOW64\FUW3C4L C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\LDK2T0D.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\LDK2T0D.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MPM7Q5J.com C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File created C:\Windows\MooNlight.R.txt C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\PSE7M0S.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\UCL2H2F.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MPM7Q5J.com C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\lsass.exe N/A
File created C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\UCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\UCL2H2F.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\UCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\PSE7M0S.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\LDK2T0D.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MPM7Q5J.com C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MPM7Q5J.com C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\LDK2T0D.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe N/A
File opened for modification C:\Windows\UCL2H2F.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
File opened for modification C:\Windows\PSE7M0S.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\lsass.exe N/A
File created C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\zia02440 C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 328 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 328 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 328 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 328 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 328 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 328 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 328 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 328 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
PID 328 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 328 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 328 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 328 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
PID 328 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 328 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 328 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 328 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
PID 328 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
PID 328 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
PID 328 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
PID 328 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
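The "Description Indicator Process Target" rows above are flattened on one line each, which makes the three behaviours that matter most in this detonation easy to miss: the dropped copies are named after core Windows processes (smss.exe, winlogon.exe, lsass.exe) but live outside System32, the drop directory carries the ".{645FF040-5081-101B-9F08-00AA002F954E}" suffix (that CLSID is the Recycle Bin shell folder, so Explorer renders the directory as a Recycle Bin and hides its contents), and the default value of the exefile/scrfile classes is changed from "Application"/"Screen Saver" to "File Folder" so executables are displayed as folders. The following added example (my own triage code, not the sandbox's tooling and not part of this report) parses rows of the kinds shown in the "Drops file", "Modifies registry class" and "Suspicious use of WriteProcessMemory" tables and applies those three checks plus an injection-edge summary. The embedded rows are copied from the tables above; the regexes assume paths without spaces, which holds for every row in this report (use the sandbox's structured export if that assumption breaks).

```python
import re
from pathlib import PureWindowsPath

# Rows copied verbatim from the signature tables of this report (a subset).
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\lsass.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File created C:\Windows\MooNlight.R.txt C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe N/A
PID 328 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 328 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
PID 328 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe C:\Windows\lsass.exe
"""

# Row shapes as they appear in the report; paths are assumed to contain no spaces.
FILE_RE = re.compile(r"^(File opened for modification|File created) (\S+) (\S+) (\S+)$")
REG_RE = re.compile(r"^(Set value \(\w+\)|Key created) (.+?) (\S+) (\S+)$")
INJ_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CLASS_DEFAULT_RE = re.compile(r'\\Classes\\(exefile|scrfile)\\ = "([^"]*)"$', re.IGNORECASE)

# Names of core Windows processes that only legitimately run from these directories.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Shell-folder CLSID of the Recycle Bin; a directory named NAME.{CLSID} is shown as that folder.
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"
# Stock default values of the two file classes this sample rewrites.
EXPECTED_CLASS_DEFAULTS = {"exefile": "Application", "scrfile": "Screen Saver"}


def is_masquerading_system_binary(path: str) -> bool:
    """True for a system-process file name located outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_PROCESS_NAMES and str(p.parent).lower() not in LEGIT_SYSTEM_DIRS


def recycle_bin_dirs(path: str) -> list:
    """Path components that borrow the Recycle Bin CLSID as a suffix."""
    return [part for part in PureWindowsPath(path).parts if part.lower().endswith("." + RECYCLE_BIN_CLSID)]


def triage_rows(text: str) -> dict:
    """Parse flattened signature rows and return the findings as sorted lists."""
    findings = {"masquerade": set(), "recycle_bin_dirs": set(), "class_hijack": set(),
                "injections": set(), "unparsed": []}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if m := INJ_RE.match(line):
            src_pid, dst_pid, src, dst = m.groups()
            findings["injections"].add((int(src_pid), int(dst_pid), dst))
            paths = [src, dst]
        elif m := FILE_RE.match(line):
            _, indicator, process, _ = m.groups()
            paths = [indicator, process]
        elif m := REG_RE.match(line):
            _, indicator, process, _ = m.groups()
            paths = [process]
            if cm := CLASS_DEFAULT_RE.search(indicator):
                cls, observed = cm.group(1).lower(), cm.group(2)
                expected = EXPECTED_CLASS_DEFAULTS[cls]
                if observed != expected:
                    findings["class_hijack"].add((cls, observed, expected))
        else:
            findings["unparsed"].append(line)
            continue
        for path in paths:
            if is_masquerading_system_binary(path):
                findings["masquerade"].add(path)
            findings["recycle_bin_dirs"].update(recycle_bin_dirs(path))
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in findings.items()}


if __name__ == "__main__":
    for key, value in triage_rows(SAMPLE_ROWS).items():
        print(key, value)
```

The same checks transfer to host hunting: a file named like a core system process outside System32/SysWOW64, a directory whose name ends in the Recycle Bin CLSID, or an exefile/scrfile default value other than the stock one are each worth an alert on their own, and this sample trips all three.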

Processes

C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe

"C:\Users\Admin\AppData\Local\Temp\a38b8b168c33aa1ef7652a07d48181d0f75ce38f6f6c42f36f7f8c395e30c3a6.exe"

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

"C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

"C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

"C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

"C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"

C:\Windows\lsass.exe

"C:\Windows\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:80 www.google.com tcp
US 8.8.8.8:53 smtp.mozilla.org udp
US 63.245.208.103:25 smtp.mozilla.org tcp
US 8.8.8.8:53 mail.mozilla.org udp
US 8.8.8.8:53 ns1.mozilla.org udp
US 63.245.215.5:25 ns1.mozilla.org tcp
US 8.8.8.8:53 mx1.mozilla.org udp
US 8.8.8.8:53 mail1.mozilla.org udp
US 8.8.8.8:53 mx.mozilla.org udp
US 63.245.215.5:25 ns1.mozilla.org tcp
US 8.8.8.8:53 mxs.mozilla.org udp
US 8.8.8.8:53 relay.mozilla.org udp
US 8.8.8.8:53 gate.mozilla.org udp
US 8.8.8.8:53 smtp.mozilla.org udp
US 63.245.208.103:25 smtp.mozilla.org tcp
US 8.8.8.8:53 ns1.mozilla.org udp
US 63.245.215.5:25 ns1.mozilla.org tcp
US 63.245.215.5:25 ns1.mozilla.org tcp

Files

memory/328-1-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

MD5 8c26b72b39ba45b0611d7f9f37ba5d15
SHA1 cc27be51bfcdee8f2b32e8ee550ce4fde4a932ee
SHA256 1240a28f6dfe724810cb154febbf2e159725a2b911d895dddfda2f594a91bcc7
SHA512 d5822f31f16a5f1cff727d4fcda2195f4cf08139bb4533090f26bbcdcd706620c7bf4f3c1f4c72d775b492d0e8cbf04465ce4f88ea4625745ed8545062efeac5

memory/328-55-0x0000000000480000-0x0000000000490000-memory.dmp

memory/328-56-0x0000000003670000-0x00000000036C8000-memory.dmp

memory/2580-58-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

MD5 a3ae0f44806bed6e47fdc84a7bb62d34
SHA1 bd6f5f794b498d1d3b0601746753f003de591aa6
SHA256 8367e9bec91524c7c7dc98d31317cb9a74f865557d63146b9ae212943884d660
SHA512 7ac49bec02ea867adf6f58e53f9c44c5454eed90e699c5184fbe933db1c87488bac36fcfa24a415614860bbfffef32d064cbbf632469ab6b3a3aa0c14ba17160

memory/2468-68-0x0000000000400000-0x0000000000458000-memory.dmp

memory/328-72-0x0000000003670000-0x00000000036C8000-memory.dmp

\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

MD5 b7d6ca24b7bb661cc4146270833ae507
SHA1 d37439cb07f385b29a31559f717da4e91aee0825
SHA256 e31c827b320ec6de63a2f293ff68e4bf6fc933c0a0342d974025c37707bf2fce
SHA512 db2cf801a898c19bafd731e008daf3afc95d87261df103127cd78f4ca91c85912be514396a03a43c292f96fed4b526e7f4abe485144d01ad7a5eed12a422a60c

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

MD5 6866748ab03507913f943e12d30ab95c
SHA1 a227fae9415e7a48735ec0d82a2ff62866318386
SHA256 f8442ee261a209a9e5fd65cedc096c35ffb237f739ee5e6b592bd5deab86396b
SHA512 5fc524b4c4e87f987f57336bd3c010aac78669188d3afafedd1c625d6a9d4d3b4456bc69b490c8cb14bdb538f33246f235036f52cdff75d96820f4dd1bb50e2a

C:\Windows\onceinabluemoon.mid

MD5 0e528d000aad58b255c1cf8fd0bb1089
SHA1 2445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256 c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA512 89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

C:\Windows\SysWOW64\HGK7P6C.exe

MD5 8f5569e92956e6931da809e70399377d
SHA1 183d5cf394906772a149c18fadc21c6733909ef4
SHA256 c5f713b717215bc4148af481a814cf2f17bb113539f4744212a234338821b23b
SHA512 e2e908e08e6028f4da58eed63ba9820a59c791565f1615b4228614bb9e66d2acceeecdcb0a22b3671af482ec07e090c918d5f5224ea11d0a507f35db7e8063ac

C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe

MD5 a8e59d2831c7ab69b0ff9c9f94981d12
SHA1 01cc3438f9dc6a291f4718baf28aef10eaf6149a
SHA256 c6e3a758b21f9b207896d4715a4a7eec9b2857f7fc0bb7b24b15c88f54bba383
SHA512 981e29eff730cec915965edef634b1f8fdc77224f28350193e4a373183bc120716058c886eb3348eb873812096afb0c0c0fe330781822ae80752842eaa69cd39

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MPM7Q5J.com

MD5 95d9b6be956d3b8c5923ead8e8e00a86
SHA1 784ac590f3389fffa13943dea34953901e4b1d85
SHA256 f1672cf0a3975348841d4dc678d4b1ae1cd562b12b93a57136b3240599d47c56
SHA512 55d28245f17a30543cde4294ddf75a9da1e6b7d2b77c4550c3d6485d1256ba52fd75aacd33308fff25f0b036965e5b89703dd3b6e51ee12fb1c63054ad7921bd

C:\Windows\PSE7M0S.exe

MD5 ef40baba9f614d075fc230fb8ce5b655
SHA1 4bc43275303175a48d8138e076e8f8de297a1d5e
SHA256 96200fdea7abd03c0b06a6e4e7ef1e2e1404e4f1efd7562799b7c58374d96b07
SHA512 ba9fb3b4c045d887337f287c9c17a0dd9f8b3869504e9272227cf109700dd14228cc3c9198a85330f91e839a96a7f88ff9bc43f6ff36db59249288e4a84faa59

C:\Windows\lsass.exe

MD5 cb55d6bee483beaaba3e8afecbb7c188
SHA1 3082d338404ae0b0ca596c55b1c640459d165749
SHA256 d2ca904aeffe53df5b7a91648a42f178326d2154837dba6dc9901a10f5218d46
SHA512 536f206c69af447d8a4718c6927e442f5133793a83110e7b55d126f777a0cdea221418a2216d15a14496a344ffae0dc272b89c29e55949e7c52a617a84e8bacd

C:\Windows\moonlight.dll

MD5 c55534452c57efa04f4109310f71ccca
SHA1 b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA256 4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512 ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

C:\Windows\SysWOW64\systear.dll

MD5 a38fc29f54710f4871f34d6b8ccffe99
SHA1 694963882b972aef35a99bd489824bea1334b0f4
SHA256 938cff6674c6eeac438445648a8dc3f4bffe6ffc214debd17de0364297a26077
SHA512 df33fe8180d86fbb4f9bc30fc8af8c218495177f68c4b46bd6d73194ced70eb682428f8af56c0c7d4b9bdac3f9b7e06083c03e0d4e2141d3c950b4942538697b

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\LDK2T0D.exe

MD5 365c3d1e0b2208ca5b49d06d877c24d7
SHA1 2c9292eeb4cb99caf579c6f6187c43c638594a62
SHA256 78a8d1a8208de4ff2c3440160f398c662739f1a74c2fbd549df8be066c54208f
SHA512 f07fea49320a58c2a4b903ded88d5f56d848b9f0b6707b43f1546c5be04fcf0bdc0d603e2c12d7b9af81206b73a3878875f3db3fd0a9084a258e32eb1d6a7587

C:\Windows\SysWOW64\NIH8O4JUCL2H2F.exe

MD5 a8458ea8a01af4ff80d038d7b7d15ad6
SHA1 4977200ff18d99ab05d0e31700be2e8df609706a
SHA256 2dcf4b3a5698b77265e361ceb0f49700296745a9ffedaf9190aada89508768b5
SHA512 434d0833b4f0bebfa429791d52f157c12aa2029a6773bb538d98e1d1945647a22c9bdff6be091ec8ec0ba35209538b2901b2bf388b79567eb75cf3a70cd60ee1

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\MPM7Q5J.com

MD5 d15d2977b476351fc639827f2a00203d
SHA1 b6e0d50ea8ea63880d11fe22d604afdce671106b
SHA256 a78b7cf484dff5b5a24d7aa6623e1dae6589bff8c081ec252db40f44bb261b7e
SHA512 426aa21baf8852522048ac54147cdadb8d05211dbc2dce0b9f36f36a22d4014194a81874f50e25205b16138a670498e997db9dc87ef21c7a1321de258448c76a

C:\Windows\UCL2H2F.exe

MD5 774bac352fb3bd6477ddd3940e543f1b
SHA1 d2f67dffd89e4a2de56508f87e9dacff5a0dbfc8
SHA256 1ffa5f72e0de52aceca0284700d3a03d44da78e36411e6be654d0c8a60cc8357
SHA512 5ab0003fd3968f52fc964c5e0676cc816c4a88090b0a99fce7190b981e07b50c7a090d04300f57bb7e831ed454222f09ce4f4142364965492ad2e7d870017983

C:\Windows\lsass.exe

MD5 c4789bab0ae8c80d8334af0ce57ac767
SHA1 d63f30c0fb43d62182f4e11b54fc28a697505838
SHA256 c735dca4bd593ec10ade2d8f63caa11bbd019e32c0ed0a751090a23ecddae813
SHA512 17c82c00541aeeff2098333ee98c0fbd53f6d95507b02f2691669a61d5b968064bc5a56205f2c9c1d28a1aa27ba19311cd230d3b4bab2acbb29a8cb2f37209ec

C:\Windows\cypreg.dll

MD5 d98c8e75e0b733b355221719abeb71e4
SHA1 e83c3d1bb4a5e346e8cd2582112ad8c44e18da2a
SHA256 4128459a5e29bc260f774480f81d2a1b558c7b5adb4bfb0c2bcce1d939b497f5
SHA512 312bfb82a0aa07e508fdeccade049f6edf434705ea6feefc5f24512283b2141700feb60d543523bc765be0b53bd6e95a533a6bad2a467abf0437228b2edcd7fe

C:\Windows\system\msvbvm60.dll

MD5 0b56afade202c406eacbf7cdc87152e0
SHA1 6781240f65be24dd3d171f9b9d950b61349c565a
SHA256 494797cd029292876cea51dd6ef96e361416fc35682d2503dcb7ee989e77a98a
SHA512 5e2792f2ae7473218e92e7e40c39d0f46d31252205ec2fc4433f438797b3bb0d056847f882912ec2e4039c8229edc17e2e9e5b0f134bfab1e674b8273215ecb5

memory/2508-91-0x0000000000400000-0x0000000000458000-memory.dmp

memory/360-86-0x0000000000400000-0x0000000000458000-memory.dmp

memory/328-208-0x0000000003F40000-0x0000000003F98000-memory.dmp

memory/844-211-0x0000000000400000-0x0000000000458000-memory.dmp

memory/328-213-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\SysWOW64\HGK7P6C.exe

MD5 ed26830aa3b0b24476c1adf0a5064b50
SHA1 3bea9232f79dcf80e9ef58f01d69bdf069def5bc
SHA256 e60f2fb7df2f1faf881d9146af15839aefc28ec231830dab6e31dee00de83d5b
SHA512 377b7879316e3f853ae01371481ad91a34b6ec0a69ce97299adad574c0908396507355ffe73df0e17a1828b00c4f1a36a2ccdeb19dabc5699508d81e8d679fae

C:\Windows\PSE7M0S.exe

MD5 b2e3d71986f3bf85b782ecbb30e8c2b8
SHA1 75c5124dceafd0ab41cba35548867d2bd6adff0f
SHA256 f613814761d9bc39657d085b0c79b7b50250da192389ad945a6d38726bf9c82b
SHA512 2105af7498f09759611cfc5f7272fd95b9e1cd0394d1959231ee93b3be8e229d84863ada80ddd41cb351559d05ec04de1c40a08a5b50a3b788cb4a7c7e20ce08

memory/2580-235-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2468-239-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2580-240-0x0000000000400000-0x0000000000458000-memory.dmp

memory/360-242-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2508-243-0x0000000000400000-0x0000000000458000-memory.dmp

memory/844-245-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Pictures.exe

MD5 b1e9bf46b66db105e59fffca2e786076
SHA1 4b4aa72e6718be89d71b6a31891569330ccd38d2
SHA256 b50fedfcc9e85d3f9c2be727779eb94bb3fa44280a82fd671b86ef31bbda5476
SHA512 e5f66e0612b4025cc940f3d7ec5aee35f7193dda7f5f9cc8f0b97ab0f712e042eb4590b06e054d68928741bb924bfad37edc9a5540059c1cb7cdff58773933e2

memory/360-255-0x0000000000400000-0x0000000000458000-memory.dmp

memory/360-256-0x0000000010000000-0x0000000010075000-memory.dmp

memory/2508-259-0x0000000000400000-0x0000000000458000-memory.dmp

memory/360-262-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2508-263-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2508-268-0x0000000000400000-0x0000000000458000-memory.dmp

memory/360-272-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2508-273-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2508-278-0x0000000000400000-0x0000000000458000-memory.dmp

memory/844-288-0x0000000000400000-0x0000000000458000-memory.dmp

memory/844-293-0x0000000000400000-0x0000000000458000-memory.dmp

memory/844-298-0x0000000000400000-0x0000000000458000-memory.dmp

memory/360-301-0x0000000000400000-0x0000000000458000-memory.dmp

memory/844-308-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2508-312-0x0000000000400000-0x0000000000458000-memory.dmp
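The Files section lists each dropped artifact as a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory-dump entries of the form memory/PID-SEQ-0xSTART-0xEND-memory.dmp. Several paths appear more than once with different hashes (C:\Windows\lsass.exe, C:\Windows\PSE7M0S.exe, C:\Windows\SysWOW64\HGK7P6C.exe and others), so a hunt keyed on path alone would miss copies. The following added example (my own code, not part of this report or of the sandbox) parses that layout into IOC records, validates digest lengths, decodes the memory regions, and reports which paths were written with more than one distinct SHA256. The embedded sample is copied from the Files entries above.

```python
import re
from collections import defaultdict

# Expected hex length of each digest type used in the report.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# Entries copied verbatim from the Files section of this report (a subset).
SAMPLE_FILES = r"""
memory/328-1-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Windows\CIO0P3D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

MD5 8c26b72b39ba45b0611d7f9f37ba5d15
SHA1 cc27be51bfcdee8f2b32e8ee550ce4fde4a932ee
SHA256 1240a28f6dfe724810cb154febbf2e159725a2b911d895dddfda2f594a91bcc7
SHA512 d5822f31f16a5f1cff727d4fcda2195f4cf08139bb4533090f26bbcdcd706620c7bf4f3c1f4c72d775b492d0e8cbf04465ce4f88ea4625745ed8545062efeac5

C:\Windows\lsass.exe

MD5 cb55d6bee483beaaba3e8afecbb7c188
SHA1 3082d338404ae0b0ca596c55b1c640459d165749
SHA256 d2ca904aeffe53df5b7a91648a42f178326d2154837dba6dc9901a10f5218d46
SHA512 536f206c69af447d8a4718c6927e442f5133793a83110e7b55d126f777a0cdea221418a2216d15a14496a344ffae0dc272b89c29e55949e7c52a617a84e8bacd

C:\Windows\lsass.exe

MD5 c4789bab0ae8c80d8334af0ce57ac767
SHA1 d63f30c0fb43d62182f4e11b54fc28a697505838
SHA256 c735dca4bd593ec10ade2d8f63caa11bbd019e32c0ed0a751090a23ecddae813
SHA512 17c82c00541aeeff2098333ee98c0fbd53f6d95507b02f2691669a61d5b968064bc5a56205f2c9c1d28a1aa27ba19311cd230d3b4bab2acbb29a8cb2f37209ec

memory/844-211-0x0000000000400000-0x0000000000458000-memory.dmp
"""


def parse_files_section(text: str) -> dict:
    """Split the Files section into dropped-file records, memory regions and rejected lines."""
    dropped, memory_regions, invalid = [], [], []
    current = None  # the dropped-file record that following hash lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            memory_regions.append({"pid": int(pid), "seq": int(seq),
                                   "start": int(start, 16), "size": int(end, 16) - int(start, 16)})
            current = None  # a hash line after a dump entry would be orphaned
        elif m := HASH_RE.match(line):
            algo, digest = m.groups()
            if current is None or len(digest) != HASH_LEN[algo]:
                invalid.append(line)
                continue
            current[algo.lower()] = digest.lower()
        else:
            current = {"path": line}  # any other non-empty line starts a new record
            dropped.append(current)
    return {"dropped": dropped, "memory_regions": memory_regions, "invalid": invalid}


def hashes_by_path(dropped: list) -> dict:
    """Map each path to the set of distinct SHA256 values seen for it."""
    by_path = defaultdict(set)
    for entry in dropped:
        if "sha256" in entry:
            by_path[entry["path"]].add(entry["sha256"])
    return dict(by_path)


def multi_version_paths(dropped: list) -> list:
    """Paths written with more than one distinct content hash during the run."""
    return sorted(path for path, digests in hashes_by_path(dropped).items() if len(digests) > 1)


def unique_sha256(dropped: list) -> list:
    """Deduplicated SHA256 list suitable for a hash-based hunt."""
    return sorted({entry["sha256"] for entry in dropped if "sha256" in entry})


if __name__ == "__main__":
    parsed = parse_files_section(SAMPLE_FILES)
    print("sha256 IOCs:", unique_sha256(parsed["dropped"]))
    print("rewritten paths:", multi_version_paths(parsed["dropped"]))
    print("memory regions:", parsed["memory_regions"])
```

Feed the whole Files section to parse_files_section to get the complete hash list; the multi-version paths are the ones to hunt by content hash rather than by file name, since the same name covers more than one binary.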