dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

Analysis

max time kernel
347s
max time network
443s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Size

58KB
MD5

25f4773820efe20baf6a06471701bbb0
SHA1

9ee7e516d27b8d1e9a3cd73285c9e548f8678b44
SHA256

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305
SHA512

98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a
SSDEEP

768:6pUt1E/8mS+amkLFRccny45nHguULyEfq+NfAR3b3rI3k0pYD60a2nBdv2tEvP:6pO1Ek93yAgfGUt23brI3k0Q6F6dUGP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

EmangEloh.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exesmss.exewinlogon.exeservice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\""	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\""	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M58151\\Ja278153bLay.com\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M58151\\Ja278153bLay.com\""	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M58151\\Ja278153bLay.com\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M58151\\Ja278153bLay.com\""	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O86068Z\\TuxO86068Z.exe\""	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M58151\\Ja278153bLay.com\""	service.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

service.exesmss.exeEmangEloh.exewinlogon.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeservice.exesmss.exeEmangEloh.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 5 IoCs

evasion

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeservice.exesmss.exeEmangEloh.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Executes dropped EXE 4 IoCs

Processes:

service.exesmss.exeEmangEloh.exewinlogon.exe

pid process

3604 service.exe
4976 smss.exe
1060 EmangEloh.exe
4108 winlogon.exe

pid	process
3604	service.exe
4976	smss.exe
1060	EmangEloh.exe
4108	winlogon.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smss.exewinlogon.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeservice.exeEmangEloh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

Drops startup file 5 IoCs

Processes:

service.exesmss.exeEmangEloh.exewinlogon.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	EmangEloh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	winlogon.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smss.exeEmangEloh.exewinlogon.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeservice.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187511.exe"	EmangEloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RUN	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187511.exe"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RUN	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1581511TT4 = "C:\\Windows\\system32\\440510867285l.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187511.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	EmangEloh.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RUN	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1581511TT4 = "C:\\Windows\\system32\\440510867285l.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1581511TT4 = "C:\\Windows\\system32\\440510867285l.exe"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187511.exe"	service.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RUN	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1581511TT4 = "C:\\Windows\\system32\\440510867285l.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T68Z405 = "C:\\Windows\\sa-187511.exe"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RUN	EmangEloh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1581511TT4 = "C:\\Windows\\system32\\440510867285l.exe"	EmangEloh.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winlogon.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeEmangEloh.exeservice.exesmss.exe

description	ioc	process
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\N:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\q:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\g:	EmangEloh.exe
File opened (read-only)	\??\v:	winlogon.exe
File opened (read-only)	\??\x:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\z:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\p:	EmangEloh.exe
File opened (read-only)	\??\j:	EmangEloh.exe
File opened (read-only)	\??\N:	EmangEloh.exe
File opened (read-only)	\??\o:	EmangEloh.exe
File opened (read-only)	\??\l:	winlogon.exe
File opened (read-only)	\??\x:	winlogon.exe
File opened (read-only)	\??\r:	service.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\f:	EmangEloh.exe
File opened (read-only)	\??\s:	service.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\w:	EmangEloh.exe
File opened (read-only)	\??\y:	EmangEloh.exe
File opened (read-only)	\??\p:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\m:	EmangEloh.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\e:	winlogon.exe
File opened (read-only)	\??\g:	winlogon.exe
File opened (read-only)	\??\h:	service.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\u:	winlogon.exe
File opened (read-only)	\??\e:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\t:	service.exe
File opened (read-only)	\??\i:	EmangEloh.exe
File opened (read-only)	\??\r:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\u:	EmangEloh.exe
File opened (read-only)	\??\o:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\w:	service.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\o:	service.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\h:	EmangEloh.exe
File opened (read-only)	\??\z:	winlogon.exe
File opened (read-only)	\??\s:	EmangEloh.exe
File opened (read-only)	\??\f:	winlogon.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\f:	smss.exe
File opened (read-only)	\??\k:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\g:	service.exe
File opened (read-only)	\??\p:	service.exe
File opened (read-only)	\??\v:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\m:	service.exe
File opened (read-only)	\??\t:	EmangEloh.exe
File opened (read-only)	\??\j:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\l:	EmangEloh.exe
File opened (read-only)	\??\z:	EmangEloh.exe
File opened (read-only)	\??\w:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\x:	service.exe
File opened (read-only)	\??\h:	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened (read-only)	\??\f:	service.exe

Drops file in System32 directory 20 IoCs

Processes:

service.exewinlogon.exedfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeEmangEloh.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\440510867285l.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\SysWOW64\440510867285l.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\SysWOW64\440510867285l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\X83567go\Z440510cie.cmd	EmangEloh.exe
File created	C:\Windows\SysWOW64\440510867285l.exe	EmangEloh.exe
File created	C:\Windows\SysWOW64\440510867285l.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\X83567go\Z440510cie.cmd	service.exe
File created	C:\Windows\SysWOW64\440510867285l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\X83567go\Z440510cie.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\440510867285l.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\440510867285l.exe	EmangEloh.exe
File opened for modification	C:\Windows\SysWOW64\X83567go\Z440510cie.cmd	winlogon.exe
File created	C:\Windows\SysWOW64\X83567go\Z440510cie.cmd	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\SysWOW64\440510867285l.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\440510867285l.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	EmangEloh.exe

Drops file in Program Files directory 12 IoCs

Processes:

service.exe

description	ioc	process
File created	\??\c:\Program Files\Microsoft Office\Updates\Download\Lagu - Server .scr	service.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Blink 182 .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Data DosenKu .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\THe Best Ungu .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\THe Best Ungu .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Blink 182 .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Blink 182 .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Norman virus Control 5.18 .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Norman virus Control 5.18 .exe	service.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Blink 182 .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Data DosenKu .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Updates\Download\Lagu - Server .scr	service.exe

Drops file in Windows directory 59 IoCs

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeservice.exesmss.exewinlogon.exeEmangEloh.exe

description	ioc	process
File created	C:\Windows\Ti867285ta.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\Ti867285ta.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\Ti867285ta.exe	service.exe
File created	C:\Windows\Ti867285ta.exe	smss.exe
File opened for modification	C:\Windows\M58151\Ja278153bLay.com	smss.exe
File created	C:\Windows\M58151\Ja278153bLay.com	winlogon.exe
File opened for modification	C:\Windows\M58151	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\M58151\EmangEloh.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\sa-187511.exe	service.exe
File created	C:\Windows\M58151\smss.exe	smss.exe
File created	C:\Windows\M58151\Ja278153bLay.com	smss.exe
File created	C:\Windows\Ti867285ta.exe	EmangEloh.exe
File opened for modification	C:\Windows\M58151\EmangEloh.exe	EmangEloh.exe
File opened for modification	C:\Windows\sa-187511.exe	EmangEloh.exe
File created	C:\Windows\Ti867285ta.exe	winlogon.exe
File opened for modification	C:\Windows\[TheMoonlight].txt	winlogon.exe
File created	C:\Windows\M58151\Ja278153bLay.com	service.exe
File created	C:\Windows\sa-187511.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\M58151\smss.exe	service.exe
File opened for modification	C:\Windows\sa-187511.exe	smss.exe
File created	C:\Windows\M58151\smss.exe	EmangEloh.exe
File created	C:\Windows\sa-187511.exe	EmangEloh.exe
File created	C:\Windows\sa-187511.exe	service.exe
File opened for modification	C:\Windows\sa-187511.exe	winlogon.exe
File opened for modification	C:\Windows\sa-187511.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\sa-187511.exe	smss.exe
File opened for modification	C:\Windows\M58151	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File created	C:\Windows\M58151\smss.exe	winlogon.exe
File opened for modification	C:\Windows\M58151\EmangEloh.exe	winlogon.exe
File opened for modification	C:\Windows\M58151	EmangEloh.exe
File created	C:\Windows\M58151\EmangEloh.exe	EmangEloh.exe
File opened for modification	C:\Windows\Ti867285ta.exe	winlogon.exe
File created	C:\Windows\M58151\EmangEloh.exe	winlogon.exe
File opened for modification	C:\Windows\M58151\Ja278153bLay.com	winlogon.exe
File opened for modification	C:\Windows\M58151\Ja278153bLay.com	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\M58151	service.exe
File opened for modification	C:\Windows\Ti867285ta.exe	smss.exe
File created	C:\Windows\M58151\Ja278153bLay.com	EmangEloh.exe
File opened for modification	C:\Windows\M58151\Ja278153bLay.com	EmangEloh.exe
File created	C:\Windows\sa-187511.exe	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\M58151\EmangEloh.exe	smss.exe
File created	C:\Windows\[TheMoonlight].txt	smss.exe
File opened for modification	C:\Windows\Ti867285ta.exe	EmangEloh.exe
File created	C:\Windows\M58151\smss.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\M58151\Ja278153bLay.com	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\M58151\EmangEloh.exe	smss.exe
File created	C:\Windows\M58151\EmangEloh.exe	service.exe
File opened for modification	C:\Windows\M58151\EmangEloh.exe	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\[TheMoonlight].txt	EmangEloh.exe
File created	C:\Windows\system\msvbvm60.dll	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File opened for modification	C:\Windows\M58151	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	EmangEloh.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\M58151\Ja278153bLay.com	service.exe
File opened for modification	C:\Windows\M58151\EmangEloh.exe	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
File created	C:\Windows\Ti867285ta.exe	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exesmss.exewinlogon.exeservice.exeEmangEloh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	winlogon.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exeservice.exesmss.exeEmangEloh.exewinlogon.exe

pid process

1304 dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
3604 service.exe
4976 smss.exe
1060 EmangEloh.exe
4108 winlogon.exe

pid	process
1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
3604	service.exe
4976	smss.exe
1060	EmangEloh.exe
4108	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe

description	pid	process	target process
PID 1304 wrote to memory of 3604	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	service.exe
PID 1304 wrote to memory of 3604	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	service.exe
PID 1304 wrote to memory of 3604	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	service.exe
PID 1304 wrote to memory of 4976	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	smss.exe
PID 1304 wrote to memory of 4976	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	smss.exe
PID 1304 wrote to memory of 4976	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	smss.exe
PID 1304 wrote to memory of 1060	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	EmangEloh.exe
PID 1304 wrote to memory of 1060	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	EmangEloh.exe
PID 1304 wrote to memory of 1060	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	EmangEloh.exe
PID 1304 wrote to memory of 4108	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	winlogon.exe
PID 1304 wrote to memory of 4108	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	winlogon.exe
PID 1304 wrote to memory of 4108	1304	dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe
"C:\Users\Admin\AppData\Local\Temp\dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\M58151\smss.exe
"C:\Windows\M58151\smss.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\M58151\EmangEloh.exe
"C:\Windows\M58151\EmangEloh.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\TuxO86068Z.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\TuxO86068Z.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\TuxO86068Z.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\TuxO86068Z.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\service.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O86068Z\winlogon.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\M58151\EmangEloh.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\M58151\EmangEloh.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\M58151\Ja278153bLay.com
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\M58151\smss.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\M58151\smss.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\SysWOW64\440510867285l.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\SysWOW64\X83567go\Z440510cie.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\SysWOW64\X83567go\Z440510cie.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\SysWOW64\X83567go\Z440510cie.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\SysWOW64\X83567go\Z440510cie.cmd
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\Ti867285ta.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\[TheMoonlight].txt
Filesize
109B

MD5
68c7836c8ff19e87ca33a7959a2bdff5

SHA1
cc5d0205bb71c10bbed22fe47e59b1f6817daab7

SHA256
883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec

SHA512
3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

Download Submit
C:\Windows\[TheMoonlight].txt
Filesize
109B

MD5
68c7836c8ff19e87ca33a7959a2bdff5

SHA1
cc5d0205bb71c10bbed22fe47e59b1f6817daab7

SHA256
883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec

SHA512
3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

Download Submit
C:\Windows\sa-187511.exe
Filesize
58KB

MD5
25f4773820efe20baf6a06471701bbb0

SHA1
9ee7e516d27b8d1e9a3cd73285c9e548f8678b44

SHA256
dfc2f935f757c708c388d7fe0bf14c97af5e9e53b13b3944225e803232647305

SHA512
98b092a46dbf0ec1a98395d1130c1fa1aecf36234fb015a46d32182767a7101510d04c76fb0f44838dfb99e2fa5f809c20f305ffe441c6b1528594ea1f23946a

Download Submit
C:\Windows\system\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\system\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\system\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\system\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/1060-161-0x0000000000000000-mapping.dmp

Download
memory/1060-175-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1304-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1304-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1304-171-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3604-135-0x0000000000000000-mapping.dmp

Download
memory/3604-143-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4108-180-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4108-165-0x0000000000000000-mapping.dmp

Download
memory/4976-138-0x0000000000000000-mapping.dmp

Download