Malware Analysis Report

2024-09-11 12:15

Sample ID 240616-d89pkssbmq
Target e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8
SHA256 e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8
Tags
sality backdoor evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8

Threat Level: Known bad

The file e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence spyware stealer trojan upx

Windows security bypass

UAC bypass

Modifies WinLogon for persistence

Modifies firewall policy service

Sality

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX dump on OEP (original entry point)

Sets file execution options in registry

Disables RegEdit via registry modification

Loads dropped DLL

Windows security modification

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 03:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 03:41

Reported

2024-06-16 03:44

Platform

win10v2004-20240508-en

Max time kernel

22s

Max time network

101s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M02405\\Ja523486bLay.com\"" C:\Windows\M02405\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O20303Z\\TuxO20303Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M02405\\Ja523486bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O20303Z\\TuxO20303Z.exe\"" C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M02405\\Ja523486bLay.com\"" C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O20303Z\\TuxO20303Z.exe\"" C:\Windows\M02405\EmangEloh.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M02405\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M02405\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M02405\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M02405\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target

UPX dump on OEP (original entry point)

Description Indicator Process Target

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M02405\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M02405\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M02405\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M02405\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M02405\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M02405\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M02405\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M02405\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M02405\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M02405\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1024844TT4 = "C:\\Windows\\system32\\773043211538l.exe" C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T03Z730 = "C:\\Windows\\sa-421844.exe" C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1024844TT4 = "C:\\Windows\\system32\\773043211538l.exe" C:\Windows\M02405\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T03Z730 = "C:\\Windows\\sa-421844.exe" C:\Windows\M02405\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1024844TT4 = "C:\\Windows\\system32\\773043211538l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T03Z730 = "C:\\Windows\\sa-421844.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\x: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\l: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\t: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\k: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\u: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\s: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\i: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\u: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened (read-only) \??\N: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\k: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\e: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\g: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\q: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\g: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened (read-only) \??\o: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\v: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\p: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\m: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\r: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\j: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\h: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened (read-only) \??\l: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\w: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M02405\EmangEloh.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened (read-only) \??\p: C:\Windows\M02405\smss.exe N/A
File opened (read-only) \??\x: C:\Windows\M02405\EmangEloh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\SysWOW64\773043211538l.exe C:\Windows\M02405\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X26001go\Z773043cie.cmd C:\Windows\M02405\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\773043211538l.exe C:\Windows\M02405\smss.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X26001go\Z773043cie.cmd C:\Windows\M02405\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\773043211538l.exe C:\Windows\M02405\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\773043211538l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\SysWOW64\X26001go\Z773043cie.cmd C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\SysWOW64\773043211538l.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\773043211538l.exe C:\Windows\M02405\smss.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M02405\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\773043211538l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\773043211538l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M02405\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\X26001go\Z773043cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\773043211538l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\SysWOW64\773043211538l.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\SysWOW64\X26001go\Z773043cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Google\Update\Download\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Common Files\microsoft shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\dotnet\shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\Updates\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\Updates\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\dotnet\shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\M02405\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File created \??\c:\Windows\InputMethod\SHARED\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\M02405\Ja523486bLay.com C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\M02405\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\M02405\Ja523486bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\sa-421844.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\M02405\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification \??\c:\Windows\SystemResources\Windows.ShellCommon.SharedResources\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\M02405\Ja523486bLay.com C:\Windows\M02405\smss.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\sa-421844.exe C:\Windows\M02405\smss.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\sa-421844.exe C:\Windows\M02405\smss.exe N/A
File created \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\SharedFileCache\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\M02405\Ja523486bLay.com C:\Windows\M02405\EmangEloh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\sa-421844.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\Ti211538ta.exe C:\Windows\M02405\EmangEloh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\M02405\Ja523486bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\Downloaded Program Files\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File opened for modification C:\Windows\Ti211538ta.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\M02405\Ja523486bLay.com C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\M02405\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created C:\Windows\Ti211538ta.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M02405\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M02405\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M02405\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M02405\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3740 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 3740 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\fontdrvhost.exe
PID 3740 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\fontdrvhost.exe
PID 3740 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\dwm.exe
PID 3740 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\sihost.exe
PID 3740 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\taskhostw.exe
PID 3740 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\Explorer.EXE
PID 3740 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\svchost.exe
PID 3740 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\DllHost.exe
PID 3740 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3740 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\System32\RuntimeBroker.exe
PID 3740 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3740 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\System32\RuntimeBroker.exe
PID 3740 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\System32\RuntimeBroker.exe
PID 3740 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3740 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3740 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\System32\Conhost.exe
PID 3740 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe
PID 3740 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe
PID 3740 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe
PID 3740 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M02405\smss.exe
PID 3740 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M02405\smss.exe
PID 3740 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M02405\smss.exe
PID 3740 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M02405\EmangEloh.exe
PID 3740 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M02405\EmangEloh.exe
PID 3740 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M02405\EmangEloh.exe
PID 3740 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe
PID 3740 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe
PID 3740 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe
PID 3304 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 3304 wrote to memory of 808 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 3304 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\dwm.exe
PID 3304 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\sihost.exe
PID 3304 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\svchost.exe
PID 3304 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\taskhostw.exe
PID 3304 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\Explorer.EXE
PID 3304 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe

"C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 e7-08-c9-1c-1f-87

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 59-f5-e2-a6-d9-23

C:\Windows\SysWOW64\arp.exe

arp -s 136.243.76.173 ff-1e-cd-d7-7f-81

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 e6-6a-7d-b9-26-91

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 e1-30-84-53-2c-dc

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 1d-83-d1-94-12-63

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 89-3b-d5-6b-9b-6c

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 c5-cf-12-75-6d-cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe"

C:\Windows\M02405\smss.exe

"C:\Windows\M02405\smss.exe"

C:\Windows\M02405\EmangEloh.exe

"C:\Windows\M02405\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\winlogon.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

memory/3740-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/3740-5-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3740-7-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-13-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-11-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-10-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-9-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-14-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-12-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-16-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-67-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3740-24-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-66-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3740-59-0x0000000003D10000-0x0000000003D12000-memory.dmp

memory/3740-15-0x00000000028E0000-0x000000000396E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O20303Z\service.exe

MD5 33c124ea157d4b4d0908771222b64382
SHA1 2118218f888c9ec1c84573ea08a3206adc3b0ca2
SHA256 6622fb695321c3c4f92f4a92e1b4ab7bb1f58bdcca3b3385b883ad8ed7ae39f2
SHA512 59aa85775c166a5fe080e2d9399bdd47a8a4d0f20a5ec714a9447f6be357a58dbc506fed55dd2e1d6c23358f2115e29b13b4e774a53ce73a31a9de4b2e219451

memory/3740-28-0x0000000000402000-0x0000000000405000-memory.dmp

memory/3740-27-0x0000000004C20000-0x0000000004C21000-memory.dmp

memory/3740-26-0x0000000003D10000-0x0000000003D12000-memory.dmp

memory/3304-81-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4104-110-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3740-106-0x00000000028E0000-0x000000000396E000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3740-105-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/4124-143-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/3740-160-0x0000000003D10000-0x0000000003D12000-memory.dmp

memory/3740-174-0x0000000010000000-0x0000000010033000-memory.dmp

memory/3740-177-0x00000000028E0000-0x000000000396E000-memory.dmp

memory/3740-173-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4120-157-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3740-25-0x0000000000570000-0x0000000000572000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 17543c552682708dbb26a37d32b9c838
SHA1 b4093a7f6a90c092596967ea5b378c8e4d9c4e18
SHA256 34ab2124b1b5518af4bda4e99eeada62a58fb3aa9e2829fa7b6c0c2d5485c835
SHA512 384bcb11a9a6d594d42ff6f146118d16f29097023fe80aa2318c7a09cd8d865636e70977e8ba1ec63ca9df6c103efd9aedcb88e31f9716f343fc308fe8564cb8

memory/3304-262-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/4104-273-0x00000000033E0000-0x00000000033E1000-memory.dmp

memory/3304-271-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/3304-267-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-266-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/4120-277-0x0000000002210000-0x0000000002211000-memory.dmp

memory/4120-281-0x00000000020A0000-0x00000000020A2000-memory.dmp

memory/4124-280-0x00000000020D0000-0x00000000020D2000-memory.dmp

memory/4104-279-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

memory/3304-278-0x0000000002290000-0x0000000002292000-memory.dmp

memory/3304-268-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-269-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/4124-275-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/3304-282-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-285-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-265-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-264-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-289-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-288-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-296-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4124-298-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4104-297-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4120-299-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3304-300-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-301-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-302-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-304-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-305-0x0000000002F90000-0x000000000401E000-memory.dmp

memory/3304-306-0x0000000002F90000-0x000000000401E000-memory.dmp

C:\cpupqe.pif

MD5 bdaf6e3e63aea6337f3a21dcb79df73c
SHA1 1cd60dce9d2a6ad66c4d67f305ac64f31d2f3f4b
SHA256 12c1adf1a85dff7b9b2298d9e93cf0effac286f7a266c2f1d7a68f4bcdbf952a
SHA512 1c01f8a8eacd29cf9c4e77976179a6407d970c63c0b09d332fb18c6baedff43fa4f0a4bde72304355032db8016f9c2f4068d5ea8e910e3acb8a8d5876e3abcb6

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 03:41

Reported

2024-06-16 03:44

Platform

win7-20240611-en

Max time kernel

15s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O41524Z\\TuxO41524Z.exe\"" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja280153bLay.com\"" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O41524Z\\TuxO41524Z.exe\"" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja280153bLay.com\"" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O41524Z\\TuxO41524Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja280153bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M13616\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M13616\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M13616\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M13616\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M13616\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M13616\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136511TT4 = "C:\\Windows\\system32\\440610878205l.exe" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z406 = "C:\\Windows\\sa-188511.exe" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136511TT4 = "C:\\Windows\\system32\\440610878205l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z406 = "C:\\Windows\\sa-188511.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136511TT4 = "C:\\Windows\\system32\\440610878205l.exe" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z406 = "C:\\Windows\\sa-188511.exe" C:\Windows\M13616\smss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\e: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\l: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\r: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\l: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\o: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\x: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\j: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\u: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\m: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\s: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\w: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\i: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\m: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\k: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\r: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\u: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\p: C:\Windows\M13616\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\440610878205l.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\440610878205l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X84667go\Z440610cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\SysWOW64\X84667go\Z440610cie.cmd C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\SysWOW64\X84667go\Z440610cie.cmd C:\Windows\M13616\smss.exe N/A
File created C:\Windows\SysWOW64\440610878205l.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\SysWOW64\440610878205l.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\440610878205l.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\440610878205l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\X84667go\Z440610cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\SysWOW64\440610878205l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\440610878205l.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X84667go\Z440610cie.cmd C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\440610878205l.exe C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\440610878205l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created \??\c:\Program Files\Common Files\Microsoft Shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Program Files\DVD Maker\Shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\Ti878205ta.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\sa-188511.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Windows\M13616\smss.exe N/A
File created C:\Windows\sa-188511.exe C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\Ti878205ta.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\M13616\Ja280153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\sa-188511.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created C:\Windows\M13616\Ja280153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\M13616\Ja280153bLay.com C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\M13616\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M13616\smss.exe N/A
File created C:\Windows\M13616\smss.exe C:\Windows\M13616\smss.exe N/A
File created C:\Windows\[TheMoonlight].txt C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created C:\Windows\M13616\Ja280153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\Ti878205ta.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\M13616\Ja280153bLay.com C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\M13616 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\M13616 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\sa-188511.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\sa-188511.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\Ti878205ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\M13616 C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\M13616\Ja280153bLay.com C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created C:\Windows\M13616\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\Ti878205ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\Ti878205ta.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification \??\c:\Windows\Downloaded Program Files\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created \??\c:\Windows\Downloaded Program Files\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\M13616 C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\Ti878205ta.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File created C:\Windows\M13616\Ja280153bLay.com C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\Ti878205ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created C:\Windows\sa-188511.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\M13616\Ja280153bLay.com C:\Windows\M13616\smss.exe N/A
File created C:\Windows\M13616\Ja280153bLay.com C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\M13616\smss.exe C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened for modification C:\Windows\M13616 C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\M13616\smss.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\M13616\EmangEloh.exe C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\M13616\Ja280153bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File opened for modification C:\Windows\sa-188511.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\sa-188511.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\Ti878205ta.exe C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\sa-188511.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification C:\Windows\Ti878205ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M13616\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M13616\smss.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\taskhost.exe
PID 2652 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\Dwm.exe
PID 2652 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\Explorer.EXE
PID 2652 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\DllHost.exe
PID 2652 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\SysWOW64\arp.exe
PID 2652 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\conhost.exe
PID 2652 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\system32\conhost.exe
PID 2652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe
PID 2652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe
PID 2652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe
PID 2652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe
PID 2652 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\smss.exe
PID 2652 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\smss.exe
PID 2652 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\smss.exe
PID 2652 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\smss.exe
PID 2652 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\EmangEloh.exe
PID 2652 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\EmangEloh.exe
PID 2652 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\EmangEloh.exe
PID 2652 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Windows\M13616\EmangEloh.exe
PID 2652 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe
PID 2652 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe
PID 2652 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe
PID 2652 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe
PID 1120 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe C:\Windows\system32\taskhost.exe
PID 1120 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe C:\Windows\system32\Dwm.exe
PID 1120 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
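
Three things in these tables are worth turning into detection logic: EnableLUA set to 0 under Policies\System (UAC prompts stop at the next logon), the (Default) value of HKLM\SOFTWARE\Classes\scrfile set to "File Folder" (that value is the friendly type name Explorer shows, so the dropped .scr files read as folders), and the padded file names in the Program Files table ("Titip Folder Jangan DiHapus .exe", "Love Song .scr"), where a space before the extension pushes it out of view in a narrow column. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the same "Description Indicator Process Target" layout (a constructed sample copied from the tables above) and flags exactly those three patterns. Its one assumption about the layout is that the process column is the last path starting with C:\ and the target column is the final token.

```python
"""Triage of sandbox event rows (added example, not part of the report)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from the registry and file tables above.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M13616\EmangEloh.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe N/A
File opened (read-only) \??\g: C:\Windows\M13616\smss.exe N/A
"""

# Description column values used by the report's tables.
DESCRIPTIONS = (
    "Set value (int)", "Set value (str)", "Key created", "File created",
    "File opened for modification", "File opened (read-only)",
)

# \REGISTRY\...\Key\ValueName = "data"; an empty ValueName is the key's (Default) value.
REG_VALUE = re.compile(r'^(?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]*) = "(?P<data>[^"]*)"$')
# Executable whose basename has a space right before the extension ("... DiHapus .exe").
SPACED_EXE = re.compile(r"\\[^\\]* \.(exe|scr|com)$", re.IGNORECASE)


@dataclass
class Event:
    description: str
    indicator: str
    process: str
    target: str


def parse_event(line: str) -> Event:
    """Split one row; assumption: the process column is the last path starting with C:\\."""
    body, _, target = line.strip().rpartition(" ")          # target is the final token
    for desc in DESCRIPTIONS:
        if body.startswith(desc + " "):
            rest = body[len(desc) + 1:]
            break
    else:
        raise ValueError(f"unknown description: {line!r}")
    indicator, sep, proc_tail = rest.rpartition(" C:\\")
    if not sep:
        raise ValueError(f"no process path: {line!r}")
    return Event(desc, indicator, "C:\\" + proc_tail, target)


def finding_for(ev: Event) -> Optional[str]:
    """Return a one-line finding for a security-relevant event, else None."""
    if ev.description.startswith("Set value"):
        m = REG_VALUE.match(ev.indicator)
        if not m:
            return None
        key, name, data = m["key"].lower(), m["name"].lower(), m["data"]
        if key.endswith(r"\policies\system") and name == "enablelua" and data == "0":
            return "UAC disabled via EnableLUA=0 (effective after the next logon)"
        if key.endswith(r"\classes\scrfile") and name == "" and data.lower() == "file folder":
            return "scrfile friendly type name set to 'File Folder': .scr droppers look like folders in Explorer"
    elif ev.description == "File created" and SPACED_EXE.search(ev.indicator):
        return "executable dropped with a padded name: " + ev.indicator.removeprefix("\\??\\")
    return None


def triage(report_text: str) -> list[tuple[str, str]]:
    """(process basename, finding) for every flagged row, in report order."""
    results = []
    for line in report_text.strip().splitlines():
        ev = parse_event(line)
        msg = finding_for(ev)
        if msg:
            results.append((ev.process.rsplit("\\", 1)[-1], msg))
    return results


if __name__ == "__main__":
    for proc, msg in triage(SAMPLE_EVENTS):
        print(f"{proc:14} {msg}")
```

The scrfile check keys on the (Default) value only; a "Key created" row for the same key is not by itself a finding, since legitimate installers create ProgID keys. Rows in the "File opened (read-only) \??\x:" form are parsed but not flagged individually: one drive open is benign, and the drive sweep in the "Enumerates connected drives" table only becomes meaningful when counted per process.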

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe

"C:\Users\Admin\AppData\Local\Temp\e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8.exe"

C:\Windows\SysWOW64\arp.exe

arp -a

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.0.1 be-b2-7e-1d-57-8b

C:\Windows\SysWOW64\arp.exe

arp -s 10.127.255.255 de-c9-76-aa-59-92

C:\Windows\SysWOW64\arp.exe

arp -s 37.27.61.184 d9-24-0b-1c-ce-df

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.22 db-03-d6-40-8e-ad

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.251 28-8f-7b-f8-f0-a9

C:\Windows\SysWOW64\arp.exe

arp -s 224.0.0.252 15-b0-8f-1c-a7-d2

C:\Windows\SysWOW64\arp.exe

arp -s 239.255.255.250 6d-17-12-28-b8-fb

C:\Windows\SysWOW64\arp.exe

arp -s 255.255.255.255 03-37-a1-a5-d1-2e

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14732478342046142248744744302076204450-2074029076955283456-1868120462-1528491443"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "507591753-1761185055283889539-79021206-145429128517316022161442077844-1198980199"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\service.exe"

C:\Windows\M13616\smss.exe

"C:\Windows\M13616\smss.exe"

C:\Windows\M13616\EmangEloh.exe

"C:\Windows\M13616\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O41524Z\winlogon.exe"
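
The eight "arp -s" command lines above pin the likely default gateway (10.127.0.1), the subnet broadcast and limited broadcast addresses, four multicast groups and one public address to hardware addresses that look randomly generated. Five of those addresses have the low bit of the first octet set, which marks a group (I/G) address and cannot belong to a real interface, so frames for the pinned IPs have nowhere to go. The Python below is an added example, not part of the report: it parses the command lines exactly as listed and states why each static entry is suspicious. It assumes 10.127.0.0/16 is the sandbox LAN and 10.127.0.1 its gateway; the report does not state either.

```python
"""Classify the `arp -s` command lines from the Processes list (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the arp.exe command lines exactly as listed in the report.
ARP_COMMANDS = [
    "arp -a",
    "arp -s 10.127.0.1 be-b2-7e-1d-57-8b",
    "arp -s 10.127.255.255 de-c9-76-aa-59-92",
    "arp -s 37.27.61.184 d9-24-0b-1c-ce-df",
    "arp -s 224.0.0.22 db-03-d6-40-8e-ad",
    "arp -s 224.0.0.251 28-8f-7b-f8-f0-a9",
    "arp -s 224.0.0.252 15-b0-8f-1c-a7-d2",
    "arp -s 239.255.255.250 6d-17-12-28-b8-fb",
    "arp -s 255.255.255.255 03-37-a1-a5-d1-2e",
]

# Assumed sandbox network (not stated in the report).
LOCAL_NET = ipaddress.ip_network("10.127.0.0/16")
GATEWAY = ipaddress.ip_address("10.127.0.1")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Windows arp.exe syntax: arp -s <inet_addr> <eth_addr>, MAC written as xx-xx-xx-xx-xx-xx.
ARP_S = re.compile(r"^arp\s+-s\s+(\S+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s*$", re.IGNORECASE)


@dataclass
class StaticEntry:
    ip: ipaddress.IPv4Address
    mac: str
    reasons: list[str] = field(default_factory=list)


def classify(cmdline: str) -> Optional[StaticEntry]:
    """Return the static entry a command line adds, with reasons it is suspicious; None if not `arp -s`."""
    m = ARP_S.match(cmdline.strip())
    if not m:
        return None                      # "arp -a" only lists the cache
    ip = ipaddress.ip_address(m.group(1))
    entry = StaticEntry(ip, m.group(2).lower())
    # Low bit of the first octet is the I/G bit: 1 means a group address, never a NIC.
    if int(entry.mac[:2], 16) & 0x01:
        entry.reasons.append("I/G bit set in the hardware address: cannot be a real unicast MAC")
    if ip == GATEWAY:
        entry.reasons.append("pins the assumed default gateway: all routed traffic is sent to this MAC")
    if ip.is_multicast or ip == LIMITED_BROADCAST or ip == LOCAL_NET.broadcast_address:
        entry.reasons.append("pins a broadcast or multicast address: group traffic is redirected to a fixed MAC")
    elif ip not in LOCAL_NET and not ip.is_private:
        entry.reasons.append("static entry for a public IP: never resolved by ARP on this LAN, so not an admin's doing")
    return entry


def suspicious_entries(cmdlines: list[str]) -> list[StaticEntry]:
    """Static entries from the command lines that have at least one reason to be flagged."""
    out = []
    for cmd in cmdlines:
        entry = classify(cmd)
        if entry is not None and entry.reasons:
            out.append(entry)
    return out


if __name__ == "__main__":
    for e in suspicious_entries(ARP_COMMANDS):
        print(f"{str(e.ip):16} {e.mac}")
        for r in e.reasons:
            print(f"    - {r}")
```

The gateway entry is the one that matters operationally: a wrong static mapping for the router blackholes every off-subnet connection from the host until the entry is removed (arp -d, or a reboot, since static entries added this way do not persist). The multicast and broadcast entries are what make this set look scripted rather than administrative; a human fixing an ARP problem has no reason to pin 224.0.0.251 or 255.255.255.255 at all. On Windows Vista and later, adding a static entry also needs an elevated token, which fits the EnableLUA change recorded in the System policy modification table above.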

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 72.14.178.174:80 www.aieov.com tcp

Files

\Program Files\Common Files\System\symsrv.dll

MD5 4fcd7574537cebec8e75b4e646996643
SHA1 efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

memory/2652-4-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2652-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2652-6-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-9-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-10-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2652-43-0x0000000000402000-0x0000000000405000-memory.dmp

memory/1248-14-0x0000000001F10000-0x0000000001F12000-memory.dmp

C:\Windows\M13616\EmangEloh.exe

MD5 ec953ec76ac11945eac9411f9a9e236f
SHA1 f07b89285cb1b6e5eb30dcd91e0bb15148d56299
SHA256 e1b1283697a715c4503814487483090f5ec3462a3926340200ada9894a5145d8
SHA512 e4fe63e4290a4d7a5d12aabe606e02989b707a725e6e0db069fd23c6aa4144300cefd5a8290c80cc664e072f3cae59927a8087a2e9e3e904e8f568b542578a28

(SHA256 identical to the analysed sample: this file is a byte-for-byte copy of the original executable, written to C:\Windows\M13616.)

memory/2652-13-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2816-41-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2652-45-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-42-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2816-34-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2652-47-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-70-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-44-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-31-0x0000000002830000-0x0000000002832000-memory.dmp

memory/2652-27-0x00000000028A0000-0x00000000028A1000-memory.dmp

memory/2652-25-0x00000000028A0000-0x00000000028A1000-memory.dmp

memory/2652-24-0x0000000002830000-0x0000000002832000-memory.dmp

memory/2652-12-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-46-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-99-0x0000000005EC0000-0x0000000005EF0000-memory.dmp

memory/2652-87-0x0000000005EC0000-0x0000000005ED0000-memory.dmp

\Users\Admin\AppData\Local\Temp\A1D26E2\906ABCA5C.tmp

MD5 33c124ea157d4b4d0908771222b64382
SHA1 2118218f888c9ec1c84573ea08a3206adc3b0ca2
SHA256 6622fb695321c3c4f92f4a92e1b4ab7bb1f58bdcca3b3385b883ad8ed7ae39f2
SHA512 59aa85775c166a5fe080e2d9399bdd47a8a4d0f20a5ec714a9447f6be357a58dbc506fed55dd2e1d6c23358f2115e29b13b4e774a53ce73a31a9de4b2e219451

memory/2816-79-0x0000000000180000-0x0000000000182000-memory.dmp

memory/1948-125-0x0000000010000000-0x0000000010033000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

(msvbvm60.dll is the Visual Basic 6 runtime; its normal location is the System32 or SysWOW64 directory, not C:\Windows\system. Compare the hash above against a known-good copy before treating this drop as benign.)

memory/2652-147-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/596-156-0x0000000010000000-0x0000000010033000-memory.dmp

memory/596-155-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2652-154-0x0000000006A50000-0x0000000006A80000-memory.dmp

memory/2652-153-0x0000000006A50000-0x0000000006A80000-memory.dmp

memory/2652-165-0x0000000002830000-0x0000000002832000-memory.dmp

memory/2652-148-0x00000000028F0000-0x000000000397E000-memory.dmp

memory/2652-190-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2652-163-0x0000000010000000-0x0000000010033000-memory.dmp

memory/2652-189-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/2652-191-0x00000000028F0000-0x000000000397E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 d513148ed9eaacae662e6cccf3e7d5e2
SHA1 19dfca46fdcd4f47c2ba4f8149815570e0784b7c
SHA256 5807c86cdf21d5c95684301f41540834509b277323016e2105909eb32ed1dcdc
SHA512 d666d63bdaa8001fe4b4b968540ba28f08d6f9f0f59100550a5afc6facee69ba1b0c48b7cca2af654c48b247f9b11071e3a3e42d049825773156eb009f24752b

memory/1120-192-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/1120-194-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/1120-195-0x0000000002960000-0x00000000039EE000-memory.dmp

memory/2380-364-0x0000000010000000-0x0000000010033000-memory.dmp

memory/1948-394-0x0000000010000000-0x0000000010033000-memory.dmp

memory/596-434-0x0000000010000000-0x0000000010033000-memory.dmp

memory/1120-491-0x0000000010000000-0x0000000010033000-memory.dmp