Malware Analysis Report

2024-10-16 03:30

Sample ID 240811-w2bs3swbqe
Target Black Mesa Monitor Screensaver.exe
SHA256 0af8d5f83519730a4b3b7a40e91e059f54d58a43191671aef17267810ed88aec
Tags: banload discovery downloader dropper trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0af8d5f83519730a4b3b7a40e91e059f54d58a43191671aef17267810ed88aec

Threat Level: Known bad

The file Black Mesa Monitor Screensaver.exe was found to be: Known bad. The verdict rests on the signature hits listed below, chiefly the Banload match. Note that the behavioral1 detonation recorded no network activity at all, so the download stage implied by the "downloader" tag was not observed in that run; treat the tag as a classifier label rather than observed behaviour until a detonation shows traffic.

Malicious Activity Summary

banload discovery downloader dropper trojan

Banload

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15. The technique table is empty in this copy of the report; the signatures that map directly are Event Triggered Execution: Screensaver (T1546.002) for the SCRNSAVE.EXE change and System Location Discovery: System Language Discovery (T1614.001) for the NLS\Language reads.

Analysis: static1

Detonation Overview

Reported

2024-08-11 18:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 18:24

Reported

2024-08-11 18:25

Platform

win10-20240404-en

Max time kernel

25s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"

Signatures

Banload

trojan dropper downloader banload

Checks BIOS information in registry

The .scr reads SystemBiosVersion and SystemBiosDate three times. These values are a common source for virtual-machine fingerprinting (hypervisor vendor strings), so treat the check as possible sandbox evasion rather than benign hardware discovery; it is performed by the screensaver binary, not by the installer.
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\is-5G492.tmp C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-PIS8V.tmp C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-FDK2M.tmp C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-TQI16.tmp C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-70QGR.tmp C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File opened for modification C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Modifies Control Panel (screensaver persistence, ATT&CK T1546.002)

evasion

Both the Inno Setup stage (the is-757D7.tmp\...tmp process) and rundll32.exe (running desk.cpl,InstallScreenSaver) point SCRNSAVE.EXE at the dropped .scr and set ScreenSaveActive = "1"; rundll32.exe also sets ScreenSaveTimeOut = "900", so the screensaver will execute after 15 minutes of idle time. On a host, the value to check is HKCU\Control Panel\Desktop\SCRNSAVE.EXE and the file it names.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR" C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\ScreenSaveActive = "1" C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\ScreenSaveActive = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900" C:\Windows\SysWOW64\rundll32.exe N/A
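The SCRNSAVE.EXE write above, the rundll32 desk.cpl,InstallScreenSaver launch, the .scr processes it spawns and the alternate data stream under C:\ProgramData (all recorded later in this detonation) are the events a detection engineer would alert on. The following Python is an added example, not part of the sandbox report and not code from the sample: it runs that logic over a handful of constructed Sysmon-style events whose PIDs, images and registry paths are copied from this report. The event field names, the explorer.exe parent (PID 4000), the set of processes allowed to write SCRNSAVE.EXE and the event shapes are assumptions.

```python
"""Detection logic for screensaver persistence (ATT&CK T1546.002) and the related
artefacts in this report, run over constructed Sysmon-style events.
Added example: not sandbox output and not code from the sample."""
import ntpath
import re

# Images and registry paths copied from the behavioral1 rows of this report.
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"
SETUP_TMP = r"C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
SCR = r"C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr"
DESKTOP = r"\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop"
USER_CLASSES = r"\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes"

# Constructed events. "id" follows Sysmon event IDs (1 process create, 11 file create,
# 12 key create, 13 value set). The explorer.exe parent (PID 4000) is assumed; the
# rest is taken from the report's Processes, Control Panel, registry and ADS rows.
EVENTS = [
    {"id": 1, "pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 1, "pid": 3016, "ppid": 4000, "image": INSTALLER, "cmdline": f'"{INSTALLER}"'},
    {"id": 1, "pid": 3756, "ppid": 3016, "image": SETUP_TMP,
     "cmdline": f'"{SETUP_TMP}" /SL5="$60138,2762590,56832,{INSTALLER}"'},
    {"id": 1, "pid": 1120, "ppid": 3756, "image": RUNDLL32,
     "cmdline": r'"C:\Windows\system32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\SysWOW64\BLACKM~1.SCR'},
    {"id": 1, "pid": 592, "ppid": 1120, "image": SCR, "cmdline": f'"{SCR}" /p 131722'},
    {"id": 1, "pid": 1824, "ppid": 1120, "image": SCR, "cmdline": f'"{SCR}" /s'},
    {"id": 13, "pid": 3756, "image": SETUP_TMP, "target": DESKTOP + r"\SCRNSAVE.EXE",
     "details": r"C:\Windows\SysWOW64\BLACKM~1.SCR"},
    {"id": 13, "pid": 3756, "image": SETUP_TMP, "target": DESKTOP + r"\ScreenSaveActive", "details": "1"},
    {"id": 13, "pid": 1120, "image": RUNDLL32, "target": DESKTOP + r"\SCRNSAVE.EXE",
     "details": r"C:\Windows\SysWOW64\BLACKM~1.SCR"},
    {"id": 12, "pid": 592, "image": SCR, "target": USER_CLASSES + r"\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}"},
    {"id": 11, "pid": 592, "image": SCR, "target": r"C:\ProgramData\TEMP:0C1DBA97"},
    {"id": 11, "pid": 3756, "image": SETUP_TMP,
     "target": r"C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat"},
]

# An NTFS alternate data stream: a path whose last component carries ":<stream>".
ADS_RE = re.compile(r"^[A-Za-z]:\\(?:[^:\\]+\\)*[^:\\]+:(?P<stream>[^:\\]+)(?::\$DATA)?$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8})-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
# Processes expected to write SCRNSAVE.EXE on a normal desktop (assumption; tune per fleet).
SCREENSAVER_WRITERS = {"rundll32.exe", "explorer.exe"}


def build_procs(events):
    """Map PID -> process-create event."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def process_chain(procs, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return names[::-1]


def detect(events):
    procs = build_procs(events)
    findings, ads_streams = [], {}
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        if e["id"] == 13 and e["target"].lower().endswith(r"\control panel\desktop\scrnsave.exe"):
            findings.append({"rule": "T1546.002 screensaver persistence", "pid": e["pid"],
                             "writer": image, "scr": e["details"],
                             "unexpected_writer": image not in SCREENSAVER_WRITERS})
        elif e["id"] == 1 and image == "rundll32.exe" and "desk.cpl,installscreensaver" in e["cmdline"].lower():
            findings.append({"rule": "rundll32 desk.cpl,InstallScreenSaver", "pid": e["pid"],
                             "chain": " -> ".join(process_chain(procs, e["pid"]))})
        elif (e["id"] == 1 and image.endswith(".scr") and e["ppid"] in procs
              and ntpath.basename(procs[e["ppid"]]["image"]).lower() == "rundll32.exe"):
            findings.append({"rule": "screensaver spawned by rundll32", "pid": e["pid"],
                             "cmdline": e["cmdline"], "chain": " -> ".join(process_chain(procs, e["pid"]))})
        elif e["id"] == 11 and (m := ADS_RE.match(e["target"])):
            ads_streams[m.group("stream").upper()] = e["target"]
            findings.append({"rule": "NTFS alternate data stream created", "pid": e["pid"],
                             "path": e["target"], "stream": m.group("stream")})
    # Second pass so the correlation does not depend on event order: a CLSID whose
    # first group equals an ADS stream name (0C1DBA97 in this report).
    for e in events:
        if e["id"] == 12 and (m := CLSID_RE.search(e["target"])) and m.group(1).upper() in ads_streams:
            findings.append({"rule": "CLSID prefix matches ADS stream name", "pid": e["pid"],
                             "clsid": m.group(0), "stream_path": ads_streams[m.group(1).upper()]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events the logic yields seven findings: two SCRNSAVE.EXE writes (the Inno Setup stage is flagged as an unexpected writer, rundll32.exe is not), one InstallScreenSaver launch, two .scr processes spawned by rundll32.exe, one ADS creation and the CLSID/stream-name correlation. The ADS rule is the one most worth keeping on real telemetry: legitimate software rarely writes named streams under C:\ProgramData.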

Modifies registry class

The .scr registers CLSID {251F89F4-807B-1861-D9E5-1E017009BD63} under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID with ProgID InkObjCore.msinkaut.InkObject.1 and InprocServer32 = C:\Windows\SysWOW64\InkObjCore.dll (ThreadingModel Both), and creates a second CLSID {0C1DBA97-B68A-13D1-B2E4-0060975B8649} in the user's Classes hive. Both are populated with random-looking subkeys (zjJmtr, kRrVMwDganzRl, mAExptvuQyox, ...) whose default values are opaque strings rewritten several times during the run; the report does not show what they encode. No InkObjCore.dll appears in the dropped-file list, so on an affected host check whether that path exists and is signed before treating the CLSID as a COM hijack.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\zjJmtr\ = "Nw{ZXV\x7fBvz\x7ffF}oL`xgL" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\opsvuGqBKc C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\NsyWpMuWeAehC\ = "dQLXSC{WYODGjjJ_HAIvmjkwvp" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hVzxg]o[fbzbnT" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63} C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\aNRwv C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl\ = "fSsKLgVj^R`KSnwJ\x7fr{mg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wykkcLkf\ = "DvQMIEEXTuWa^fVa^{S}A{]`qmTtfOO]" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\jgpm C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\opsvuGqBKc\ = "Grj[CKkS\x7fwy^Q`OFimT~}jNQ[DHXsT" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\NsyWpMuWeAehC\ = "@MapdMebg|}\x7fQsIsz`LuOLVlrH" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID\ = "InkObjCore.msinkaut.InkObject.1" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\zjJmtr C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\zjJmtr\ = "NyEW}MXzEm\\PJ{UrphfL" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl\ = "tpvHMkhao_E[vl}WLcmPG" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\oqQJt\ = "PM\\CsJJElftAF@QBPLxrDBj_Kh" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl\ = "fSsKLgVj^RLKSnwJ\x7fr{mg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ = "InkObject Class" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\VersionIndependentProgID C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\VersionIndependentProgID\ = "InkObjCore.msinkaut.InkObject" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\aNRwv C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649} C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hVtxg]o[bBUrc`" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\opsvuGqBKc C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hVyxg]o[g@I@Gh" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\oqQJt C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\NsyWpMuWeAehC C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\aNRwv\ = "jjNKtGfPE\\LZCg{YS^" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\aNRwv\ = "ZnvABCZ^UR][zB_cxg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkIhsGTHOlH`nT" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkKhsGTHENRZD\\" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wykkcLkf C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\NsyWpMuWeAehC\ = "dQLXSC{WYODGjjJ_HAIvajkwvp" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl\ = "fS\x7fKLgVj^R`KSnwJ\x7fr{mg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wykkcLkf C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\zjJmtr C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\oqQJt C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\jgpm\ = "KcRZRWcAXJfEaJ`y" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\NsyWpMuWeAehC C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkDhsGTHJnTRJ\\" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl\ = "tpzHMkhao_E[vl}WLcmPG" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hV{xg]o[mbSzm`" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ = "C:\\Windows\\SysWOW64\\InkObjCore.dll" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\opsvuGqBKc\ = "}@opDIu~n]ltO]jyzF]`nqPb\x7fjFxvg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\jgpm\ = "]O|lak@|qD\\P~\x7fPn" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\oqQJt\ = "AF]WEPiSxz\\i\\jUrw]d{AkRZa\x7f" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkJhsGTHNN{BGh" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl\ = "tpvHMkhao_i[vl}WLcmPG" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\Programmable C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\NsyWpMuWeAehC\ = "@MapdMebg|}\x7fQsIsz`LuCLVlrH" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wykkcLkf\ = "|BiCbB`Zk^oJiJEjOEmTJhtlrpxKlmhr" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\jgpm C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

NTFS ADS

The stream name 0C1DBA97 is the first group of the per-user CLSID {0C1DBA97-B68A-13D1-B2E4-0060975B8649} created under "Modifies registry class"; both are written by the .scr, and the stream's hashes are listed under Files. A plain directory listing does not show alternate data streams; on a host, enumerate them with dir /R or PowerShell's Get-Item -Path C:\ProgramData\TEMP -Stream *.

Description Indicator Process Target
File created C:\ProgramData\TEMP:0C1DBA97 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
File opened for modification C:\ProgramData\TEMP:0C1DBA97 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Suspicious use of AdjustPrivilegeToken

"Token: 33" is privilege LUID 33 (SeIncreaseWorkingSetPrivilege), which the sandbox did not resolve to a name. The same four privileges are enabled twice by the .scr; this set is routinely enabled by installers and is weak evidence on its own.

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: 33 N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp
PID 3016 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp
PID 3016 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp
PID 3756 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 3756 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 3756 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 592 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 592 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 592 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 1824 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 1824 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 1824 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 1684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 1684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 1120 wrote to memory of 1684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
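Rows in these tables are whitespace-separated, but the indicator, process and target columns all contain spaces (the sample's own file name has four), which defeats a naive split. The following Python is an added example, not part of the sandbox report: it parses each row from the right, since the last two columns are always either N/A or a C:\ path, then recovers registry key/value pairs, privilege names and PID pairs, and deduplicates the triplicated WriteProcessMemory edges. The sample rows are copied from the tables above; the assumption that every path starts with C:\ is the parser's own.

```python
"""Parser for the 'Description Indicator Process Target' tables in this report.
Added example: not part of the sandbox output. SAMPLE holds rows copied verbatim
from the tables above, plus the placeholder row of an empty table."""
import re

SAMPLE = r"""
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR" C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\ProgramData\TEMP:0C1DBA97 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
PID 3016 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp
PID 3016 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1120 wrote to memory of 592 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
N/A N/A N/A N/A
"""

# Fixed description strings used by the report; Token:/PID rows are handled separately.
DESCRIPTIONS = ("Key value queried", "Key opened", "Key created", "Set value (str)",
                "File created", "File opened for modification")
TOKEN_RE = re.compile(r"^Token: (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
COLUMNS = ("description", "indicator", "process", "target")


def _split_last_column(text):
    """Peel the last column off a row: either the literal N/A or everything from
    the final ' C:\\' onward (assumes paths live on C:)."""
    if text.endswith(" N/A"):
        return text[:-4], "N/A"
    idx = text.rfind(" C:\\")
    if idx < 0:
        raise ValueError(f"no trailing column in row: {text!r}")
    return text[:idx], text[idx + 1:]


def parse_row(line):
    rest, target = _split_last_column(line)
    rest, process = _split_last_column(rest)
    desc = next((d for d in DESCRIPTIONS if rest.startswith(d + " ")), None)
    if desc is not None:
        indicator = rest[len(desc) + 1:]
    elif rest.endswith(" N/A"):   # Token:/PID rows carry their detail in the description
        desc, indicator = rest[:-4], "N/A"
    else:
        raise ValueError(f"unrecognised row: {line!r}")
    row = dict(zip(COLUMNS, (desc, indicator, process, target)))
    if m := TOKEN_RE.match(desc):
        row["privilege"] = m.group(1)
    elif m := WPM_RE.match(desc):
        row["src_pid"], row["dst_pid"] = int(m.group(1)), int(m.group(2))
    elif desc == "Set value (str)":
        key, _, value = indicator.partition(" = ")
        row["key"], row["value"] = key, value.strip('"')
    return row


def parse_table(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == " ".join(c.capitalize() for c in COLUMNS):
            continue
        row = parse_row(line)
        if all(row[c] == "N/A" for c in COLUMNS):   # placeholder row of an empty table
            continue
        rows.append(row)
    return rows


def process_edges(rows):
    """Distinct (writer PID, target PID) pairs; the report lists each write three times."""
    return sorted({(r["src_pid"], r["dst_pid"]) for r in rows if "src_pid" in r})


def dropped_files(rows):
    return [r["indicator"] for r in rows if r["description"] == "File created"]


if __name__ == "__main__":
    parsed = parse_table(SAMPLE)
    print(process_edges(parsed))
    print(dropped_files(parsed))
```

Parsing from the right is what makes this robust: a Set value row embeds a quoted path in its indicator, but that path is preceded by a quote rather than a space, so the final " C:\" is always the start of the process (or target) column. Rows from other drives or from UNC paths would need the search extended.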

Processes

The chain is installer -> Inno Setup stage -> rundll32.exe -> screensaver. The is-*.tmp directory, the /SL5= switch and unins000.dat are Inno Setup conventions, and rundll32.exe desk.cpl,InstallScreenSaver is the stock Windows way to install a .scr: it launches the screensaver in preview mode (/p <parent window handle>) and in full-screen mode (/s). The .scr instances started this way (PIDs 592, 1824 and 1684 in the WriteProcessMemory rows) are the processes responsible for the BIOS reads, CLSID registrations and the ADS above.

C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe

"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"

C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp

"C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp" /SL5="$60138,2762590,56832,C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\SysWOW64\BLACKM~1.SCR

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

"C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 131722

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

"C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /s

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

"C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 131722

Network

N/A (no network traffic was recorded during this detonation's 18 s network window; the "downloader" tag is not corroborated by this run)

Files

memory/3016-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3016-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp

MD5 a2c4d52c66b4b399facadb8cc8386745
SHA1 c326304c56a52a3e5bfbdce2fef54604a0c653e0
SHA256 6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a
SHA512 2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

memory/3756-8-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 ad14e0edd2c6ec4391860d4f1b4d5d25
SHA1 22ddfef5c4ffa9030b08c6372b6694d987033732
SHA256 0f07ff61fa78c825add8fef8087e536a0c658d46c5ea948ba2d4e173e5903954
SHA512 2340341f45356b6628b2246c7f2c96ec760041d88ed328eb82ba8d5db64e9cf4f301e7d3b9e6728aeb549f424082f9baa5275b77e0c8e8dfb3f9443b89296520

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 bd861f4cd48640ade200aae6896f45a0
SHA1 8fc7688b5f1fe42e629d2ce1c630dcd77f6a10e6
SHA256 c0c797843ebf5387d14252f1147601041f0b7b680192ad2a29d9629205e89399
SHA512 b2e053e96936852305b70b9764aed68a25e46af1d80a35d6734e7e77f089aab2fe8f89d620bf9ef99421cbb7b88ba4f7c8c2d892f307e2250224580c42269afe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 88f6840df20957085734772ae60ff28d
SHA1 ba8665bd32265fb5685ebf9e82b3f1ea20e41e8b
SHA256 fc9853a10bdef43df464172a3030f6ff280841265097bd39d17c561cae2314d8
SHA512 2adfdcc3097981b26135c25fd1a03621a1ed2a1573cbf742059b28835f8bfe7089ea0aeb1c30393299b74939e8c8135d4112c20c47234653e17fc280cd89cf2c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 6717e79545f3b286a5e79bb1bb41ed57
SHA1 ebcc7945814b33dde160051b613e85f774417ec2
SHA256 7403abbe5b0597da3f64f1c183d6499858a92f2e92e851ddfca3a3fd50521e85
SHA512 9cece5efb808f1410440a14b7113642ed05434e78678bf7d17392e5543127a4b0748e33174dfbf4d2ed204efb774df504a63138f23d8dfc15c33431c5c7fa581

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 7014934e6077847aab722c935384bb8f
SHA1 ac64a966844b4507b60ee3cbed4545402a0eaca8
SHA256 dbbb01f8e2efbf672dbea860d22356ec8025b6ce95a8faa8661d65e3c96644de
SHA512 4570b8e203e8142ae3e032c4f67c92b72622d42c3500ec5b7843f633c3f3201c1a29d434627aead1a3d38f5131b03a14bd766afd0e5713be4a2057e2c876d13e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 0aa5aeb580565321b18e1d1f25d190ba
SHA1 86b0a1e223dcfcd90846d82e722bd7410fb5edd6
SHA256 0d01a6f675422526a2f51b6ff95956b48de38a0324afeb3cac19334c1f396217
SHA512 a376c40bdd0f3bf32938a522def539d222d73f5549b943ec2b90fb93451903fca8f1eb258601577a5c16d6bd70786235b4d20146129d02461d439557644cc5f5

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

MD5 91cce0d13104f694fcb110df259189fc
SHA1 5d663ce4b6d877abbb937897a3bf00b933d815e9
SHA256 932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd
SHA512 af9d8e7a0b4825e516196e4b8d9c510b71d8cc8663c9280b7db413e1193440c1bb7b5faa5de41850cfe2299b09526e3eaae1f086f7e1f15113daa23b31f20eea

memory/592-725-0x0000000003830000-0x0000000003A09000-memory.dmp

memory/592-726-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/592-721-0x0000000003830000-0x0000000003A09000-memory.dmp

memory/3756-731-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/3016-732-0x0000000000400000-0x0000000000414000-memory.dmp

memory/592-736-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/592-739-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/592-740-0x0000000003D10000-0x0000000003D30000-memory.dmp

memory/592-737-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/592-741-0x0000000000400000-0x0000000000A2B000-memory.dmp

C:\Program Files (x86)\Black Mesa Monitor Screensaver\conf.dat

MD5 d77bdddf6a46fee68c17080d37c6633d
SHA1 fc5046888da49193ac54faf54298752df8ed4c88
SHA256 039cb063a6f59038791583f76780c6d0c6098736103d7cecae5fe0ea9d1c28d2
SHA512 be5e748649f3bbbf576f46c974d71c50d4d80ffb3f603953f831894e7f2eeca303c75d204624e463d3772ec80c9bf90aea227d3109bd7a4c19d3a818c64d1ce4

memory/592-744-0x0000000003830000-0x0000000003A09000-memory.dmp

memory/592-743-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/592-747-0x0000000003830000-0x0000000003A09000-memory.dmp

C:\Program Files (x86)\Black Mesa Monitor Screensaver\bmmonitor3 [High quality and size].avi

MD5 fbe78fb6977b6ee0e98783e7089e82cf
SHA1 630afbec2cbf6098fccbe1f0e6ecc55a7b9e5e4e
SHA256 16645007455bc40e2aa8da1b1eb5ab07f7ae0aca9cae3b90668b569bed5fb6e0
SHA512 7c1b64bb8ffc101871644dc0db37cabcc4aaddf169662912b84457e9426faf3b57f8dcdafb5ff63946e1e531a8ffa9a8b8a302abfa1ed9063bea7add4e7e08ff

memory/592-750-0x0000000003830000-0x0000000003A09000-memory.dmp

memory/592-753-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-755-0x0000000003970000-0x0000000003B49000-memory.dmp

memory/1824-760-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-759-0x0000000003970000-0x0000000003B49000-memory.dmp

C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

MD5 fd9c453013da37a867de4ec2db984841
SHA1 2b6805ade0cbfa527565333aac0be12616825a90
SHA256 43612ca391f7d8425d53e688c04c50520a75f327ae55b4220059b1e4f7bd1326
SHA512 146eb11b2c22115d6911ed8319be49b2701bb17c57fb90f2920e21bfb4d6631cbf8b778aedf07563b511b026d9cc3f6a91828e6df8e42bf6989c8af8867b9174

memory/1824-767-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-770-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-774-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-775-0x0000000003970000-0x0000000003B49000-memory.dmp

memory/1824-772-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-768-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1824-771-0x0000000003E70000-0x0000000003E90000-memory.dmp

memory/1824-778-0x0000000003970000-0x0000000003B49000-memory.dmp

memory/1824-779-0x0000000003970000-0x0000000003B49000-memory.dmp

memory/1824-782-0x0000000003970000-0x0000000003B49000-memory.dmp

memory/1824-784-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1684-786-0x00000000036F0000-0x00000000038C9000-memory.dmp

memory/1684-790-0x00000000036F0000-0x00000000038C9000-memory.dmp

C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

MD5 49934729c9eff8e8884fd08cf7f1bf8e
SHA1 bb55cd42c56d698dc8ccb35f525271c91da1e2d7
SHA256 86f01f3c69eda8de3f9e30fe8a58971135b4ecce8382d797d8a3da31142bd7ad
SHA512 3e340dcb95c823e645f18769ca416d27d82fb6ef5018c78ab4ad6bea1eb0597cb6207b77fc83e3fea3179ee5fb38a267eaf8ca38b4f029e992b7824679240d85

C:\ProgramData\TEMP:0C1DBA97

MD5 6feb2cc13c7c52814bb2f030d2c4b41b
SHA1 b0d9fd87278744d6fad1d985fde92e77b7f1f332
SHA256 fda8c6a4ba486450a06394da22243a40f618eff04ee4116390ae10200601737d
SHA512 0d98c7a2fceedaa8e486b282e7034890440adf2fe06c0862e83c6013811e7dbee13539a52c96785f8b8d0eff15f5461320c5e081b1c1d553f7196ef0ad7cf977

memory/1684-798-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1684-799-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1684-801-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1684-802-0x0000000003620000-0x0000000003640000-memory.dmp

memory/1684-803-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1684-806-0x00000000036F0000-0x00000000038C9000-memory.dmp

memory/1684-805-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/1684-809-0x00000000036F0000-0x00000000038C9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 18:24

Reported

2024-08-11 18:27

Platform

win7-20240729-en

Max time kernel

149s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"

Signatures

Banload

trojan dropper downloader banload

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\is-PUHML.tmp C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-OFRT9.tmp C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File opened for modification C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-PSKI8.tmp C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-RH331.tmp C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
File created C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-3P0G1.tmp C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Modifies Control Panel

evasion

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR" C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveActive = "1" C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveActive = "1" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\FLsyvqnuvl C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ezqt\ = "`nqPb\x7f`zX^Y{KLQKcYUIjEHsaVw" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DT\x7focFP" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "Dbq@zJp" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]n`GvmgRGOLgVt_P|OSnw" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649} C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v|Mt\x7fHV|rUuqBLMkh\x7fn]Y_vl}" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way|mGpwY|pHxUK" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]nkgvmgRGOLgVt_P|OSnw" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Rs||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\lainalsHikZ\ = "HMaiTG|BIBmvtxgb\\zTK``_B" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DEFvyn`" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]ndWvmgRGOLgVt_P|OSnw" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[ns||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhnPAUK" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[^s||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\Mnnlfy C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ezqt\ = "`nqPb\x7f`zX^Y{KLQKcYeIjEHsaVG" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhrPAUK" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\XcydqisTecs C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyxZrs||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]n|wvmgRGOLgVt_P|OSnw" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DcpIKsP" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v|Mt\x7fHQ\\rUuqBLMkh\x7fn]Y_vl}" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Ns||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]nlGvmgRGOLgVt_P|OSnw" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v|Mt\x7fH]\\rUuqBLMkh\x7fn]Y_vl}" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ezqt C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\Mnnlfy C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way|mG`wY|pHxU[" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhRPAUK" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DNseZE`" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhvPAUK" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~@bRQ\\`" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~_pliY@" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~[lPjRp" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Fs||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~QCO__@" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v|Mt\x7fHE|rUuqBLMkh\x7fn]Y_vl}" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\Mnnlfy\ = "Nyq[s}_^M]XRJ{UpqCfijOZH" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~gNaug`" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~vo|{d@" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\Mnnlfy\ = "NwOVVfxf~J{dF}oNaSgi{D[\\" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\XcydqisTecs\ = "LpuQaZVgWJepU\x7ft|AMBZ`\x7fBbIc\\c" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\XcydqisTecs\ = "zjVGuF~OM`a@rnhuDdz_Jhrfqijg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\XcydqisTecs\ = "LpuQaZVgWJepU\x7ft|AMBZ`\x7fBbIc\\c" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v|Mt\x7fHAlrUuqBLMkh\x7fn]Y_vl}" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~Y{bc~p" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "D`frsfp" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way|mG`wY|pHxU[" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\XcydqisTecs C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Vs||E" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\XcydqisTecs\ = "zjVGuF~OM`a@rnhuDdz_Jhrfqijg" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way|mGPwY|pHxUk" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "Dx}JCI@" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DZJk\\kp" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\TEMP:0C1DBA97 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
File opened for modification C:\ProgramData\TEMP:0C1DBA97 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
File opened for modification C:\ProgramData\TEMP:0C1DBA97 C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: 33 N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: 33 N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 1520 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp C:\Windows\SysWOW64\rundll32.exe
PID 2712 wrote to memory of 3956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 3956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 3956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 3956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2052 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
PID 2712 wrote to memory of 2668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

Processes

C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe

"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"

C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp" /SL5="$40112,2762590,56832,C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\SysWOW64\BLACKM~1.SCR

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

"C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 196974

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

"C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /s

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

"C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 196974

Network

N/A

Files

memory/1520-3-0x0000000000401000-0x000000000040B000-memory.dmp

memory/1520-0-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp

MD5 a2c4d52c66b4b399facadb8cc8386745
SHA1 c326304c56a52a3e5bfbdce2fef54604a0c653e0
SHA256 6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a
SHA512 2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

memory/2524-8-0x0000000000400000-0x00000000004BC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-HAV1K.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1520-15-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2524-16-0x0000000000400000-0x00000000004BC000-memory.dmp

\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.exe

MD5 6c82d5316ed0cd83d6f9e5a9f0914650
SHA1 d642c72bfe4b83609c3466c7bb85e2f53b6be48b
SHA256 b9e1fc89ff8ec82fb050bd32829b45f828d84226a6890ab385221c7fc6a462ed
SHA512 1cd031cec42b5d6b08c66bb1944ba8db7de0f1363e68cd915b81eaa1e53752e43560010389f338840f11b34893a8c5c132c843bb0d8ef805713152606f0586ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 020570a88c0692f7f3d1d42379058765
SHA1 bef5e581e4c7ef4f171c165911145dca9c68287e
SHA256 16efc91532dc5d3d151ce5bdb882e6831d562a54bf8592c31052159ce929cddb
SHA512 1f47d19f8f2dc77e7ab9fa12b096bb41600f84b67cc22fd41886b9a759c32c3565db23a1dfe039a1d376ffe7d510b3603f0acc5df14886d254235329e074ef9e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 501b0d8b22c7edc8da4d2cdc27c47475
SHA1 78fd2f35000def8722d93747af4737d0f64ff4c8
SHA256 98cf4bfab67eb63eca03efb20c1928328a0ea65e8e8e811798d2686763844dac
SHA512 a596f60f6a568be76ae00e58155f62b3101dbb1002b9dc036a31377f0f8566176f344a01abfb8421e14349b3facdd198166dbb1c61563702d669db52c84cb759

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 a39005ce895e639bbc59d632b69a1beb
SHA1 2332f9f589ded1567bbd6d68a3caaa0c66f3660a
SHA256 ea3e3aadafc1e112948a7efb7935c3cda3e93af011397b6769e51e85efc27a1b
SHA512 e4666011204b84a3e800a4f2b0a00a59cddb9dcb50b51b59c925ff22b636817db9380b50416c164fd677b3455b680270643c30c54219986684e1a7b7affef569

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

MD5 8d74686bf2b7ce117c7537bf23535776
SHA1 b0f7077bc7a654573d2da0f89050acecbe225142
SHA256 37f45956f7978cf370a8ca27a7ae620710388b70cba91765b65c600b3e63e7c7
SHA512 9cc58bf977c87dbada28e3eab93965c50143620aff2a92ceec7d4fdae90189f5fef7ddea44c9b0ac7c6172108bf637678698adce282dc52a0a2f154a20eaa0df

C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

MD5 91cce0d13104f694fcb110df259189fc
SHA1 5d663ce4b6d877abbb937897a3bf00b933d815e9
SHA256 932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd
SHA512 af9d8e7a0b4825e516196e4b8d9c510b71d8cc8663c9280b7db413e1193440c1bb7b5faa5de41850cfe2299b09526e3eaae1f086f7e1f15113daa23b31f20eea

memory/2712-701-0x00000000040D0000-0x00000000046FB000-memory.dmp

memory/3956-708-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/3956-707-0x0000000003040000-0x0000000003219000-memory.dmp

memory/3956-703-0x0000000003040000-0x0000000003219000-memory.dmp

memory/1520-714-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2524-713-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/3956-719-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/3956-722-0x0000000002FD0000-0x0000000002FF0000-memory.dmp

memory/3956-721-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/3956-718-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/3956-726-0x0000000003040000-0x0000000003219000-memory.dmp

memory/3956-725-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/3956-723-0x0000000000400000-0x0000000000A2B000-memory.dmp

C:\Program Files (x86)\Black Mesa Monitor Screensaver\conf.dat

MD5 d77bdddf6a46fee68c17080d37c6633d
SHA1 fc5046888da49193ac54faf54298752df8ed4c88
SHA256 039cb063a6f59038791583f76780c6d0c6098736103d7cecae5fe0ea9d1c28d2
SHA512 be5e748649f3bbbf576f46c974d71c50d4d80ffb3f603953f831894e7f2eeca303c75d204624e463d3772ec80c9bf90aea227d3109bd7a4c19d3a818c64d1ce4

memory/3956-729-0x0000000003040000-0x0000000003219000-memory.dmp

memory/3956-731-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

memory/3956-732-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

C:\Program Files (x86)\Black Mesa Monitor Screensaver\bmmonitor3 [High quality and size].avi

MD5 fbe78fb6977b6ee0e98783e7089e82cf
SHA1 630afbec2cbf6098fccbe1f0e6ecc55a7b9e5e4e
SHA256 16645007455bc40e2aa8da1b1eb5ab07f7ae0aca9cae3b90668b569bed5fb6e0
SHA512 7c1b64bb8ffc101871644dc0db37cabcc4aaddf169662912b84457e9426faf3b57f8dcdafb5ff63946e1e531a8ffa9a8b8a302abfa1ed9063bea7add4e7e08ff

memory/3956-735-0x0000000003AE0000-0x0000000003AEA000-memory.dmp

memory/3956-734-0x0000000003AE0000-0x0000000003AEA000-memory.dmp

memory/3956-736-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

memory/3956-737-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

memory/2052-749-0x0000000003030000-0x0000000003209000-memory.dmp

memory/2052-745-0x0000000003030000-0x0000000003209000-memory.dmp

memory/2052-750-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2712-743-0x00000000040D0000-0x00000000046FB000-memory.dmp

memory/3956-739-0x0000000003040000-0x0000000003219000-memory.dmp

memory/3956-742-0x0000000000400000-0x0000000000A2B000-memory.dmp

C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

MD5 177599e4e84efc61ed8fc926cf67537b
SHA1 1827b75f0ccdd1583ccd8e7c5d0384cb363efc1f
SHA256 5439ae835599b1007ceae385acd9c935abd3e0274279aa409ae2a36d8c4fecdf
SHA512 4b07c8eac66a43bde113370f40de1340e16911d3dd55d9ed1c0a61e8f45171a3fb80b44c7bc0907e47af8e57e85ae4754e7e8e2001ed35100f4abb39be74a260

memory/2052-761-0x0000000000220000-0x0000000000240000-memory.dmp

memory/2052-760-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2052-758-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2052-757-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2052-762-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2052-770-0x0000000003030000-0x0000000003209000-memory.dmp

memory/2052-769-0x0000000003000000-0x000000000300A000-memory.dmp

memory/2052-768-0x0000000003000000-0x000000000300A000-memory.dmp

memory/2052-765-0x0000000003030000-0x0000000003209000-memory.dmp

memory/2052-764-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2052-775-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2052-774-0x0000000003030000-0x0000000003209000-memory.dmp

memory/2712-783-0x00000000040D0000-0x00000000046FB000-memory.dmp

memory/2668-782-0x00000000032D0000-0x00000000034A9000-memory.dmp

memory/2668-778-0x00000000032D0000-0x00000000034A9000-memory.dmp

memory/2712-784-0x00000000040D0000-0x00000000046FB000-memory.dmp

memory/2668-785-0x0000000000400000-0x0000000000A2B000-memory.dmp

C:\ProgramData\TEMP:0C1DBA97

MD5 905b4a4ea75110acbe5343d0531e05c7
SHA1 7d88f23f2b911211695df3d2f99593daeb007041
SHA256 627c08c6c31656e86207abee698034f156504986be65867f8179bcf411ee8a12
SHA512 2c65b9de79bbcca36046a256227f6d727ae7f0d2e8c358b5a44446289d48e35c0a43b1fd2697efeb787e40014bdad269686fe55b249922079d76288b470c1e1d

C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

MD5 3088b319faac391e8064545b860e425f
SHA1 003ddc389ea1b31c8d93d34b3dc4c40b51db4db0
SHA256 53eec94f4a1f0ddd2001a67177d576de65d09216f624d50f31ed2adc20a8cdc8
SHA512 32146bf2ebe68e096dd0cbf3da39f0cd9ea0e814bcfdf6cad29e318fd53c46f8f894e668e839df6f76f2deef24a8c7e309f51f65552844c85c72fe2d0ee536d0

memory/2668-794-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2668-797-0x00000000038D0000-0x00000000038F0000-memory.dmp

memory/2668-793-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2668-796-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2668-798-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2668-801-0x00000000032D0000-0x00000000034A9000-memory.dmp

memory/2668-800-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2668-804-0x00000000032D0000-0x00000000034A9000-memory.dmp

memory/2668-807-0x00000000015D0000-0x00000000015DA000-memory.dmp

memory/2668-806-0x00000000015D0000-0x00000000015DA000-memory.dmp

memory/2668-809-0x00000000016F0000-0x00000000016FA000-memory.dmp

memory/2668-810-0x00000000016F0000-0x00000000016FA000-memory.dmp

memory/2668-808-0x00000000016F0000-0x00000000016FA000-memory.dmp

memory/2712-811-0x00000000040D0000-0x00000000046FB000-memory.dmp

memory/2668-812-0x0000000000400000-0x0000000000A2B000-memory.dmp

memory/2668-813-0x00000000015D0000-0x00000000015DA000-memory.dmp

memory/2668-814-0x00000000015D0000-0x00000000015DA000-memory.dmp

memory/2668-815-0x00000000016F0000-0x00000000016FA000-memory.dmp