Malware Analysis Report

2025-08-05 11:31

Sample ID 241111-p1fbjsylgt
Target 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe
SHA256 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b
Tags
discovery evasion persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b

Threat Level: Known bad

The file 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence upx

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables use of System Restore points

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Modifies system executable filetype association

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:47

Reported

2024-11-11 12:49

Platform

win7-20240729-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\LRX3Y6M\\UNT6G3M.exe\"" C:\Windows\LRX3Y6M\system.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\LRX3Y6M\system.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\LRX3Y6M\system.exe N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\LRX3Y6M\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\LRX3Y6M\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\LRX3Y6M\\regedit.cmd" C:\Windows\LRX3Y6M\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\LRX3Y6M\system.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\LRX3Y6M\service.exe N/A
N/A N/A C:\Windows\LRX3Y6M\smss.exe N/A
N/A N/A C:\Windows\LRX3Y6M\winlogon.exe N/A
N/A N/A C:\Windows\LRX3Y6M\system.exe N/A
N/A N/A C:\Windows\lsass.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\LRX3Y6M\system.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\sRX6L0Q0 = "C:\\Windows\\system32\\WRQ3X8STYJ1F1E.exe" C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0G3MYJ = "C:\\Windows\\OQD6L0Q.exe" C:\Windows\LRX3Y6M\system.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\R: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\W: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\O: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\Q: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\U: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\E: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\I: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\M: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\N: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\T: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\Y: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\J: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\K: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\P: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\S: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\Z: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\H: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\L: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\V: C:\Windows\LRX3Y6M\service.exe N/A
File opened (read-only) \??\X: C:\Windows\LRX3Y6M\service.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\GFI7N5Y.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\GFI7N5Y.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\GFI7N5Y.exe C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\GFI7N5Y.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\GFI7N5Y.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\GFI7N5Y.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\lsass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\lsass.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\LRX3Y6M\KOK7O5H.com C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\LRX3Y6M\regedit.cmd C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\LRX3Y6M\KOK7O5H.com C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\LRX3Y6M\smss.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\LRX3Y6M\UNT6G3M.exe C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\LRX3Y6M\service.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\OQD6L0Q.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\LRX3Y6M\UNT6G3M.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\LRX3Y6M\system.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\LRX3Y6M C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\LRX3Y6M\UNT6G3M.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\LRX3Y6M\regedit.cmd C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\LRX3Y6M\KOK7O5H.com C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\TYJ1F1E.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M\regedit.cmd C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\64enc.en C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\LRX3Y6M\regedit.cmd C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\OQD6L0Q.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M\service.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M\system.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\LRX3Y6M\service.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\LRX3Y6M\smss.exe N/A
File created C:\Windows\MooNlight.txt C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\LRX3Y6M C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\LRX3Y6M\smss.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\LRX3Y6M\regedit.cmd C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\TYJ1F1E.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\OQD6L0Q.exe C:\Windows\LRX3Y6M\smss.exe N/A
File opened for modification C:\Windows\TYJ1F1E.exe C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\LRX3Y6M\winlogon.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\LRX3Y6M\winlogon.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\LRX3Y6M\smss.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M\UNT6G3M.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\LRX3Y6M C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\OQD6L0Q.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\LRX3Y6M\service.exe C:\Windows\LRX3Y6M\service.exe N/A
File opened for modification C:\Windows\LRX3Y6M\system.exe C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M\regedit.cmd C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M\KOK7O5H.com C:\Windows\LRX3Y6M\winlogon.exe N/A
File opened for modification C:\Windows\LRX3Y6M C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\LRX3Y6M\system.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\LRX3Y6M\system.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\LRX3Y6M\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\LRX3Y6M\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\LRX3Y6M\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\LRX3Y6M\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\LRX3Y6M\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\LRX3Y6M\system.exe N/A
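Added example, not part of the sandbox report: a Python triage pass over the registry rows recorded above (copied here as constructed input) that turns the raw "Set value" / "Key created" lines into the findings an analyst would otherwise pull out by hand. Three points the table alone does not make obvious. The Winlogon Shell value is a comma-separated list, so the sample appends its own binary after explorer.exe instead of replacing it; the desktop still comes up normally, and a check must compare the value against exactly "explorer.exe" rather than look for explorer.exe somewhere in the string. The IFEO Debugger values send rstrui.exe and msconfig.exe to notepad.exe, which neuters System Restore and msconfig without deleting anything, and send regedit.exe to the dropped regedit.cmd. The 32-bit sample's Winlogon and Run writes landed under Wow6432Node, so on a 64-bit host the native (non-Wow6432Node) Winlogon key has to be checked as well. The rule names and the HKLM/HKU mapping are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: registry rows copied from the behavioral1 signature tables
# (Description / Indicator / Process columns, with the trailing "N/A" Target).
SANDBOX_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\LRX3Y6M\\UNT6G3M.exe\"" C:\Windows\LRX3Y6M\system.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\LRX3Y6M\system.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\LRX3Y6M\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\LRX3Y6M\\regedit.cmd" C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\sRX6L0Q0 = "C:\\Windows\\system32\\WRQ3X8STYJ1F1E.exe" C:\Windows\LRX3Y6M\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0G3MYJ = "C:\\Windows\\OQD6L0Q.exe" C:\Windows\LRX3Y6M\system.exe N/A
'''

# Key paths contain spaces ("Windows NT", "Image File Execution Options"), so the
# key is taken lazily up to the ' = "' separator and the value greedily up to the
# last '" <process> N/A' on the line.
SET_RE = re.compile(r'^Set value \((?P<kind>str|int)\) (?P<key>.+?) = "(?P<value>.*)" (?P<proc>\S+) N/A$')
KEY_RE = re.compile(r'^Key created (?P<key>.+?) (?P<proc>\S+) N/A$')


def unescape(value):
    # The sandbox backslash-escapes embedded quotes and backslashes in values.
    return re.sub(r'\\(.)', r'\1', value)


def hive_name(key):
    # Map the kernel-style \REGISTRY\... prefix to the familiar HKLM / HKU form.
    if key.upper().startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    if key.upper().startswith('\\REGISTRY\\USER\\'):
        return 'HKU\\' + key[len('\\REGISTRY\\USER\\'):]
    return key


def parse(text):
    """Turn the sandbox rows into events: op, parent key, value name, value, process."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            # A key ending in '\' (Classes\exefile\) means the (Default) value, name ''.
            parent, _, name = hive_name(m['key']).rpartition('\\')
            events.append({'op': 'set', 'parent': parent, 'name': name,
                           'value': unescape(m['value']), 'proc': m['proc']})
            continue
        m = KEY_RE.match(line)
        if m:
            events.append({'op': 'create', 'parent': hive_name(m['key']),
                           'name': '', 'value': '', 'proc': m['proc']})
    return events


def assess(ev):
    """Return (rule, detail) findings for one registry event."""
    if ev['op'] != 'set':
        return []
    parent, name, value = ev['parent'].lower(), ev['name'].lower(), ev['value']
    leaf = parent.rsplit('\\', 1)[-1]
    wow = ' [Wow6432Node view: 32-bit writer, also check the native key]' if '\\wow6432node\\' in parent else ''
    out = []
    if parent.endswith('\\winlogon') and name == 'shell':
        # Shell is a comma-separated list; anything other than exactly explorer.exe is a hijack.
        if value.strip().lower() != 'explorer.exe':
            out.append(('winlogon_shell', f'Shell={value!r}{wow}'))
    elif '\\image file execution options\\' in parent and name == 'debugger':
        # Any Debugger value runs in place of the named image; leaf is the hijacked binary.
        out.append(('ifeo_debugger', f'{leaf} -> {value}'))
    elif parent.endswith('\\explorer\\advanced'):
        if name == 'hidefileext' and value == '1':
            out.append(('explorer_hide_ext', 'HideFileExt=1'))
        elif name == 'showsuperhidden' and value == '0':
            out.append(('explorer_hide_superhidden', 'ShowSuperHidden=0'))
    elif '\\classes\\' in parent and leaf in ('exefile', 'scrfile') and name == '':
        # The (Default) of exefile is the type name Explorer shows; "File Folder" makes .exe files look like folders.
        out.append(('filetype_relabel', f'{leaf} default = {value!r}'))
    elif parent.endswith('\\run'):
        out.append(('run_key', f'{ev["name"]} = {value}{wow}'))
    return out


def triage(text):
    """Group findings by rule: {rule: [(writing process, detail), ...]}."""
    findings = defaultdict(list)
    for ev in parse(text):
        for rule, detail in assess(ev):
            findings[rule].append((ev['proc'], detail))
    return dict(findings)


if __name__ == '__main__':
    for rule, hits in sorted(triage(SANDBOX_LINES).items()):
        print(rule)
        for proc, detail in hits:
            print(f'    {proc}: {detail}')
```

The same parser runs unchanged over the behavioral2 rows further down, where the paths differ (FLR1S4G, OGN3W1G.exe) but every rule fires the same way; that path churn is why a detection should key on the registry locations and value shapes, not on the dropped file names.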

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\service.exe
PID 1200 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\service.exe
PID 1200 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\service.exe
PID 1200 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\service.exe
PID 1200 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\smss.exe
PID 1200 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\smss.exe
PID 1200 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\smss.exe
PID 1200 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\smss.exe
PID 1200 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\system.exe
PID 1200 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\system.exe
PID 1200 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\system.exe
PID 1200 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\system.exe
PID 1200 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\winlogon.exe
PID 1200 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\winlogon.exe
PID 1200 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\winlogon.exe
PID 1200 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\LRX3Y6M\winlogon.exe
PID 1200 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe
PID 1200 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe
PID 1200 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe
PID 1200 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe

"C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"

C:\Windows\LRX3Y6M\service.exe

"C:\Windows\LRX3Y6M\service.exe"

C:\Windows\LRX3Y6M\smss.exe

"C:\Windows\LRX3Y6M\smss.exe"

C:\Windows\LRX3Y6M\system.exe

"C:\Windows\LRX3Y6M\system.exe"

C:\Windows\LRX3Y6M\winlogon.exe

"C:\Windows\LRX3Y6M\winlogon.exe"

C:\Windows\lsass.exe

"C:\Windows\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 smtp.hotmail.com udp
US 8.8.8.8:53 mail.hotmail.com udp
US 65.55.72.183:25 mail.hotmail.com tcp
US 8.8.8.8:53 ns1.hotmail.com udp
US 8.8.8.8:53 mx1.hotmail.com udp
US 65.55.92.136:25 mx1.hotmail.com tcp
US 8.8.8.8:53 mail1.hotmail.com udp
US 8.8.8.8:53 mx.hotmail.com udp
US 8.8.8.8:53 mxs.hotmail.com udp
US 8.8.8.8:53 relay.hotmail.com udp
US 8.8.8.8:53 gate.hotmail.com udp
US 65.55.72.183:25 mail.hotmail.com tcp
US 65.55.92.136:25 mx1.hotmail.com tcp
US 8.8.8.8:53 smtp.w3.org udp
US 3.230.165.231:25 smtp.w3.org tcp
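Added example, not part of the report: a Python summary of the Network table above (copied here as constructed input). The 8.8.8.8:53 rows are the sandbox's resolver and are not an indicator to block. What matters is the shape of the rest: the sample resolves a run of guessed mail-server hostnames under hotmail.com (smtp, mail, mx, mx1, mxs, relay, gate, mail1) and then opens TCP/25 to the ones that answer, which is the pattern of a mass-mailer delivering mail itself instead of through the user's configured server. On a corporate network the equivalent detection is any workstation talking on 25/tcp to anything other than the approved relay. The two-label registrable-domain cut and the hostname wordlist are this example's simplifications.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral1 Network table
# (Country, Destination, Domain, Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 smtp.hotmail.com udp
US 8.8.8.8:53 mail.hotmail.com udp
US 65.55.72.183:25 mail.hotmail.com tcp
US 8.8.8.8:53 ns1.hotmail.com udp
US 8.8.8.8:53 mx1.hotmail.com udp
US 65.55.92.136:25 mx1.hotmail.com tcp
US 8.8.8.8:53 mail1.hotmail.com udp
US 8.8.8.8:53 mx.hotmail.com udp
US 8.8.8.8:53 mxs.hotmail.com udp
US 8.8.8.8:53 relay.hotmail.com udp
US 8.8.8.8:53 gate.hotmail.com udp
US 65.55.72.183:25 mail.hotmail.com tcp
US 65.55.92.136:25 mx1.hotmail.com tcp
US 8.8.8.8:53 smtp.w3.org udp
US 3.230.165.231:25 smtp.w3.org tcp
"""

ROW_RE = re.compile(r'^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<host>\S+) (?P<proto>tcp|udp)$')
# Leftmost labels a mailer guesses when it has no MX record to go on (this example's wordlist).
MAIL_LABEL_RE = re.compile(r'^(smtp|mail|mx|mxs|relay|gate|pop|imap)\d*$')


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d['port'] = int(d['port'])
            rows.append(d)
    return rows


def registrable(host):
    # Naive two-label cut (hotmail.com, w3.org); real data needs a public-suffix list.
    return '.'.join(host.lower().rsplit('.', 2)[-2:])


def summarize(rows):
    """Separate sandbox plumbing from the delivery behaviour worth alerting on."""
    resolver = {r['ip'] for r in rows if r['proto'] == 'udp' and r['port'] == 53}
    smtp = sorted({(r['ip'], r['host']) for r in rows if r['proto'] == 'tcp' and r['port'] == 25})
    guesses = defaultdict(set)
    for host in {r['host'].lower() for r in rows}:
        if MAIL_LABEL_RE.match(host.split('.', 1)[0]):
            guesses[registrable(host)].add(host)
    return {
        'resolver': resolver,
        'smtp_targets': smtp,
        'mail_host_guesses': {d: len(s) for d, s in guesses.items()},
        # Direct SMTP plus a spread of guessed mail hosts for one domain: mass-mailer shape.
        'mass_mailer_suspected': bool(smtp) and any(len(s) >= 3 for s in guesses.values()),
    }


if __name__ == '__main__':
    s = summarize(parse_rows(NETWORK_ROWS))
    print('resolver (sandbox infrastructure, not an IOC):', sorted(s['resolver']))
    print('direct SMTP targets:', s['smtp_targets'])
    print('guessed mail hosts per domain:', s['mail_host_guesses'])
    print('mass-mailer suspected:', s['mass_mailer_suspected'])
```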

Files

memory/1200-0-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Windows\LRX3Y6M\service.exe

MD5 90072ec618888584c5c87a7054da3992
SHA1 0dbeaf7f24915b82e0f30457773c6983c6e09ed7
SHA256 a1c8067ed74231868846f0c1640c79050fb10453ba32b24f78d886e310e1a608
SHA512 64f319154be1dab81418749ff47573b666b34ea038e4042b60b20ed9ae2440f30c6adce1ec987f6039d9ae4d7b23eca90d2ae3cdf7135824dbdb1917eab4a278

memory/1200-47-0x0000000003500000-0x0000000003510000-memory.dmp

memory/2516-58-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Windows\LRX3Y6M\smss.exe

MD5 75fbc65ea0c44506da070473e447bbb4
SHA1 741c036d7cdd737d07cfb8c6dca51960fa338f0a
SHA256 547649e6c8c49ef45874ae871edeccdf8c05e7e914baa65eb3bd352ab646a94e
SHA512 8172fc9f43dac11f03e5b48a32b3208c188f0aa8076c09ef20008d0c0f2f3069c3517c121e5d1233728f1bf37aa8fa3f90bfdcf5fe77196c998cd1b2d2688d00

memory/2668-68-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1200-57-0x0000000003500000-0x000000000355D000-memory.dmp

memory/1200-56-0x0000000003500000-0x000000000355D000-memory.dmp

\Windows\LRX3Y6M\system.exe

MD5 b579b43ef4283d244650f6d6d0e175db
SHA1 eed7fe8498b16b6654f358f0e7791c47f29abead
SHA256 ad4c3edcaa5ee5e8b3b2a2907d791bba6b546c854b7497fb686366ded9d94767
SHA512 8c4ed83e844dff49c33f4375f8f60bd33678b4a21e735f8759b433dbbfa4bb87408fab71275ea57b5304b5700a3832e77f5175fd50260b4e7d29dad1bb92c78b

C:\Windows\LRX3Y6M\winlogon.exe

MD5 ae5dedb6b5e3daac9a39d19e2812eb1b
SHA1 ae1e253523a0f293e5b739aab90ada57abe3eb30
SHA256 04cfcf8e451a9b0231c5063ca8507e4bed6489f0fb01367bea2cd3619caf4fd6
SHA512 1ff9ba9b7d8eda5425d8d3b21a0164e9afed2e839f6b36856c1dcb5b9225cfe100c0db0e0c64ec272bc2f866450a07fa58ef05e441fdaf705155c72565364666

C:\Windows\SysWOW64\systear.dll

MD5 d1b06c1feba95fece35fd91d705f778f
SHA1 8a0d51016931fadb4cd65610ad2f82b122f899bc
SHA256 ce790862a1ee0cf67f6c548e6363314fe51dcb825a907bfeecc85dc2fc4d3caa
SHA512 56f67dc9ac44282fc5c3f460311533dab2931a89ae3d448fdd743d21b42a069315152a420fedfa698a966416e3067959d2229dee9e33f75861b20b73b96472e3

C:\Windows\OQD6L0Q.exe

MD5 3b90ef6d1b1efc0ee0df0dff37ebad38
SHA1 215fdb06ddf8123ad1d9626f0bd9ed6e9ca514e7
SHA256 17541ff72f845a86cf09a0a780907541a31e435d5fa8d7265daff19c4727c355
SHA512 04700d5090133ec689ac46b29728781a97bd20d51ce68ebbad763eb997c0ece346b0d7dfb582f3187d7c8970dece49774fef86114636095d620addb190ea7b16

C:\Windows\SysWOW64\GFI7N5Y.exe

MD5 57e1f3ae7b7f2c75090a030c18218040
SHA1 99e899f66ba91819b89fb7cf72298ae957fae5a1
SHA256 52d891a83ca71ea90f590922af372b9e9790b940efd73fb20e2af55672a341a1
SHA512 9214fef6efbd66e9feec6117357d677a01829d9e10afc25d1dfbceca7751140428c51298a200c3ceda5bbb21a042ad08b807ec8279ed4b40e3d94d288a0f960b

C:\Windows\SysWOW64\WRQ3X8STYJ1F1E.exe

MD5 9c779d1d362a96d569ad44607284a1f4
SHA1 30d9af11e4fef2b199a3ad521de718f1cf158224
SHA256 2b538620d691745805591295b469866a63c35c5a6b581a5a0f976884c8bbde4d
SHA512 979ad6e2c3a1080cf63c8a50e7ce410147da0c5f4b2a3c5c302767bc870a560f595a52d66197e9c501017eefd96f0e2650bef1271ef51081a2aa978ba2c2df0b

C:\Windows\LRX3Y6M\KOK7O5H.com

MD5 5fb78dc1b8ca953c092ec59cbc0c09c6
SHA1 52705bb92ebe0353a42b457c05c0d42fc3f46001
SHA256 d90b3f155cd47648083d2d2897ad3f1ac9debc5969628cdfcaf8def1a7cde3cc
SHA512 a32a3164d330284b9b12f21336fd4e1d2fb34354de54e2abea98d75b77455ba2a6a0fa3968daae8fd05e76d5b0eb4462675aced7f45f9bd3940885cb42c5ecc6

C:\Windows\lsass.exe

MD5 06b5ea9ddc5503d52137fb909cc0210f
SHA1 d8bf80712eff604ab2843b9627c5f2e5cdae38d3
SHA256 c0166599756f9d522f65183cf57b98aa999633641b361bf7938b7bb609283c9d
SHA512 2b2956b890b0d87ee7aeffbc85eb8077c893763c29ea78a0db3bb76f3025b4013986b70a4e6e0030771b4823032a01a11f3da5bbc0fd72daffb4bb91fd78ab50

C:\Windows\onceinabluemoon.mid

MD5 0e528d000aad58b255c1cf8fd0bb1089
SHA1 2445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256 c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA512 89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

C:\Windows\moonlight.dll

MD5 8e6e31f8df128a746ff9a3a38f8f78c0
SHA1 e4da9aa336eb7e254592e585b29d8b4e23f3e4bd
SHA256 dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7
SHA512 eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

C:\Users\Admin\Pictures\My Pictures.exe

MD5 4487d18c55215cb3283c1e7a42922553
SHA1 c0751e09a543d04380a20968a67b1aae1d719395
SHA256 4de8c23e832a45f00a5f09599346bd9d55b2c783ee7d4bceb1c38bf008113862
SHA512 c4fc8fdbfb3f6d54accec62d5e6563b3494dd18e81c55177617824fba4437fd93af92cf42e0764a58ae5e1609de6ad910531f6c4a50d5a9bd73dadeba6e865f7

C:\Windows\SysWOW64\GFI7N5Y.exe

MD5 7f64cf01611c4309604eae7c019b2153
SHA1 5d1d7519fb13bdc211d155b67ffdc75620ba60e3
SHA256 b48c993cfcaa285c3f42b36ab1f818b739077510caa41131410150eb668aa247
SHA512 d66ce29b5bca9b5ce025e64b6117518047c0d45613c9253d9564b3b3846995e3e33d40bae48a6d1b8cfb3811cc74e36fc6f4d8f8ce282f4442fcd35072b1f708

C:\Windows\LRX3Y6M\UNT6G3M.exe

MD5 368235db7f39ee8a096397c1bbdc51ac
SHA1 2349aaf298e40c9bcee59accd7049e6a05e57d1f
SHA256 16ba71a8dc7ae99aac9a4c8a0c0bec44ce306dd035f61f2e0f438a6cd1339c0a
SHA512 a9c91269e70612997d4ac0113e056386d94eb9466fdcc7d335f50ac9795997d3ce33a499ed0f1968f12bb75371ba3a6028b615c5c74809cd6f28d44e0277cc8d

C:\Windows\SysWOW64\GFI7N5Y.exe

MD5 bd372e095c037675ea4171add0520462
SHA1 697a203cb99b4242d067d78860fac36d73644892
SHA256 3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b
SHA512 b2111d5ae527ae91a62aea3f307ed94a81b8af09dacfed1bdb1386b65ab459b8642fb3b93560bd54f87b99a9339c3904c1985368418a14615a40978e54ca5a4a

memory/1200-215-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Windows\SysWOW64\PHI7L8V\WRQ3X8S.cmd

MD5 0102f0f1e9677f4b385178e20b84ef50
SHA1 98dcfe2b9eb3de89411603a22c4608b4b2281cbc
SHA256 5ca35fffc029e5af81cb09c3b8c9dc371583682b000f7b7c9f061b72df53b1ac
SHA512 680484a66648f8117a76b7ba356d2ac17fdad6fed2350fd9eef34496ffc7d37e4938cc96275e550fb1b0447eddc18b9f6b473411070704f54b327db69577eb0f

C:\Windows\cypreg.dll

MD5 a18f4968b8f8fe9082185bcf1ae2d131
SHA1 992f97e5491a3336c19f8a8fa42f57eaf6f7646a
SHA256 a8a3f3cab149177fc8d736329368b84ef92ddd3133fc62c6a26586560a51c3df
SHA512 a5542b365a2c5cd1779ef6b173b44863acb279d0614d501c7217e6598bba174139580ad96649baebda8cdb51c8bcced497717bc6a3fe83a181f03656e8ec3d16

memory/1200-214-0x0000000003500000-0x0000000003510000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:47

Reported

2024-11-11 12:49

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\FLR1S4G\\OGN3W1G.exe\"" C:\Windows\FLR1S4G\system.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\FLR1S4G\system.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\FLR1S4G\system.exe N/A

Disables use of System Restore points

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\FLR1S4G\\regedit.cmd" C:\Windows\FLR1S4G\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\FLR1S4G\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\FLR1S4G\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\FLR1S4G\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\FLR1S4G\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\FLR1S4G\system.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\FLR1S4G\service.exe N/A
N/A N/A C:\Windows\FLR1S4G\smss.exe N/A
N/A N/A C:\Windows\FLR1S4G\system.exe N/A
N/A N/A C:\Windows\FLR1S4G\winlogon.exe N/A
N/A N/A C:\Windows\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\FLR1S4G\system.exe N/A
N/A N/A C:\Windows\FLR1S4G\system.exe N/A
N/A N/A C:\Windows\FLR1S4G\system.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\FLR1S4G\system.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sLR1U3C0 = "C:\\Windows\\system32\\JDC6J2EFKT5O5N.exe" C:\Windows\FLR1S4G\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0W1GKT = "C:\\Windows\\XCM1U3C.exe" C:\Windows\FLR1S4G\system.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\M: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\N: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\R: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\W: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\Y: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\I: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\J: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\S: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\T: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\U: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\H: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\L: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\O: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\V: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\X: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\E: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\G: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\Z: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\P: C:\Windows\FLR1S4G\service.exe N/A
File opened (read-only) \??\Q: C:\Windows\FLR1S4G\service.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\POR1X0K.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\POR1X0K.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\SysWOW64\POR1X0K.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O\JDC6J2E.cmd C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\POR1X0K.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\POR1X0K.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\systear.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\POR1X0K.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IXC5F6O C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\regedit.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\SysWOW64\JDC6J2EFKT5O5N.exe C:\Windows\FLR1S4G\system.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\FLR1S4G C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G\system.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FKT5O5N.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\FLR1S4G\service.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G\UXT1X8R.com C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FLR1S4G\regedit.cmd C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\winlogon.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\FKT5O5N.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G\service.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FLR1S4G\regedit.cmd C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\OGN3W1G.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\winlogon.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\FLR1S4G\system.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\FLR1S4G\OGN3W1G.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FLR1S4G\winlogon.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\FLR1S4G\smss.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\FLR1S4G\regedit.cmd C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\XCM1U3C.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\UXT1X8R.com C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\FLR1S4G\OGN3W1G.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G\smss.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FKT5O5N.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G\smss.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G\OGN3W1G.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FLR1S4G\system.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\XCM1U3C.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\FLR1S4G\winlogon.exe C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\FLR1S4G\regedit.cmd C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\XCM1U3C.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\FLR1S4G\UXT1X8R.com C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FLR1S4G\service.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\cypreg.dll C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\moonlight.dll C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\FLR1S4G\service.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\64enc.en C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\regedit.cmd C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FKT5O5N.exe C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
File opened for modification C:\Windows\FLR1S4G C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\FKT5O5N.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\onceinabluemoon.mid C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\smss.exe C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\FLR1S4G\smss.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\FLR1S4G\OGN3W1G.exe C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\FLR1S4G C:\Windows\FLR1S4G\winlogon.exe N/A
File opened for modification C:\Windows\FLR1S4G\system.exe C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\FLR1S4G\smss.exe N/A
File opened for modification C:\Windows\lsass.exe C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\UXT1X8R.com C:\Windows\FLR1S4G\system.exe N/A
File opened for modification C:\Windows\FLR1S4G\UXT1X8R.com C:\Windows\lsass.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\FLR1S4G\service.exe N/A
File opened for modification C:\Windows\FLR1S4G\service.exe C:\Windows\FLR1S4G\smss.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\lsass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\FLR1S4G\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\FLR1S4G\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\FLR1S4G\system.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\FLR1S4G\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\FLR1S4G\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\FLR1S4G\system.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\FLR1S4G\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\FLR1S4G\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\service.exe
PID 1472 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\service.exe
PID 1472 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\service.exe
PID 1472 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\smss.exe
PID 1472 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\smss.exe
PID 1472 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\smss.exe
PID 1472 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\system.exe
PID 1472 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\system.exe
PID 1472 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\system.exe
PID 1472 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\winlogon.exe
PID 1472 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\winlogon.exe
PID 1472 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\FLR1S4G\winlogon.exe
PID 1472 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe
PID 1472 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe
PID 1472 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe C:\Windows\lsass.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe

"C:\Users\Admin\AppData\Local\Temp\3ab746224034868cbc69a2a474589c4fe3d1a3e9b494ee276d692aa97ce8859b.exe"

C:\Windows\FLR1S4G\service.exe

"C:\Windows\FLR1S4G\service.exe"

C:\Windows\FLR1S4G\smss.exe

"C:\Windows\FLR1S4G\smss.exe"

C:\Windows\FLR1S4G\system.exe

"C:\Windows\FLR1S4G\system.exe"

C:\Windows\FLR1S4G\winlogon.exe

"C:\Windows\FLR1S4G\winlogon.exe"

C:\Windows\lsass.exe

"C:\Windows\lsass.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1404

Network


Files
