Malware Analysis Report

2025-08-06 01:42

Sample ID 241108-2trr8atrfm
Target 5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a
SHA256 5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a
Tags
discovery evasion persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a

Threat Level: Known bad

The file 5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:52

Reported

2024-11-08 22:55

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O42524Z\\TuxO42524Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O42524Z\\TuxO42524Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O42524Z\\TuxO42524Z.exe\"" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O42524Z\\TuxO42524Z.exe\"" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\"" C:\Windows\M13616\EmangEloh.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M13616\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M13616\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M13616\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M13616\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M13616\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M13616\EmangEloh.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M13616\EmangEloh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-643065.exe" C:\Windows\M13616\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-643065.exe" C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-643065.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1136065TT4 = "C:\\Windows\\system32\\805165423741l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-643065.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
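The registry writes in the tables above combine four mechanisms: Winlogon runs every comma-separated entry in Shell and Userinit, so appending a path after explorer.exe / userinit.exe starts it at each logon; an Image File Execution Options "debugger" value is launched instead of the named image, so pointing regedit.exe and msconfig.exe at notepad.exe opens Notepad whenever a user tries those tools (tool blocking rather than persistence, whatever the sandbox's ATT&CK label says); DisableRegistryTools=1 blocks Registry Editor by policy; and the Run keys plus the Startup-folder sql.cmd are ordinary autostarts. HideFileExt=1 and ShowSuperHidden=0 are the Windows defaults, so those values on their own mean nothing; the report flags them because a non-Explorer process wrote them. The script below is an added example, not the sandbox vendor's code: it parses the report's own "Set value (type) key = "data"" line format (the parser and rule names are hypothetical) and applies one rule per mechanism, with a clean Winlogon Shell and a non-debugger IFEO value as constructed control lines.

```python
"""Classify registry writes from a sandbox report into persistence / evasion findings."""
import re
from dataclasses import dataclass

# Constructed sample: seven lines copied from the behavioral1 tables above, plus two
# benign control lines (a stock Winlogon Shell and an IFEO value that is not a debugger).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O42524Z\\TuxO42524Z.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M13616\\Ja634608bLay.com\""',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T24Z051 = "C:\\Windows\\sa-643065.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\GlobalFlag = "0"',
]

LINE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    detail: str


def parse_set_value(line):
    """Return (value_type, key, value_name, data) for one 'Set value' line, or None.

    The report escapes backslashes and quotes inside the data string; undo that so
    paths compare cleanly.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    vtype, path, data = m.groups()
    data = data.replace('\\"', '"').replace('\\\\', '\\')
    key, _, name = path.rpartition('\\')
    return vtype, key, name, data


def _entries(data):
    """Split a comma-separated Winlogon value into cleaned, non-empty entries.

    Windows writes Userinit as 'C:\\Windows\\system32\\userinit.exe,' so a trailing
    empty entry is normal and is dropped here.
    """
    parts = (e.strip().strip('"').strip() for e in data.split(','))
    return [e for e in parts if e]


def classify(vtype, key, name, data):
    """Map one registry write to a Finding, or None when it matches a known-good shape."""
    k, n = key.lower(), name.lower()
    if k.endswith('\\winlogon'):
        # Winlogon runs every entry; anything beyond explorer.exe / userinit.exe is
        # a logon-time launcher (ATT&CK T1547.004).
        if n == 'shell':
            extra = [e for e in _entries(data) if e.lower() != 'explorer.exe']
            if extra:
                return Finding('high', 'winlogon-shell', f'extra Shell entries: {extra}')
        elif n == 'userinit':
            extra = [e for e in _entries(data) if not e.lower().endswith('\\userinit.exe')]
            if extra:
                return Finding('high', 'winlogon-userinit', f'extra Userinit entries: {extra}')
        return None
    if '\\image file execution options\\' in k and n == 'debugger':
        # The "debugger" is started instead of the image; pointing regedit.exe at
        # notepad.exe disables the tool rather than persisting anything.
        image = key.rpartition('\\')[2]
        return Finding('high', 'ifeo-debugger', f'{image} redirected to {data}')
    if k.endswith('\\policies\\system') and n == 'disableregistrytools' and data.strip() == '1':
        return Finding('high', 'disable-regedit', 'DisableRegistryTools=1 blocks Registry Editor')
    if k.endswith('\\currentversion\\run') or k.endswith('\\currentversion\\runonce'):
        return Finding('medium', 'run-key', f'{name} -> {data}')
    if k.endswith('\\explorer\\advanced') and n in ('hidefileext', 'showsuperhidden'):
        # HideFileExt=1 and ShowSuperHidden=0 are the Windows defaults, so the values
        # alone prove nothing; the signal is a non-Explorer process writing them.
        return Finding('info', 'explorer-visibility', f'{name}={data}')
    return None


def scan(lines):
    """Run every line through the parser and the rules; returns the list of Findings."""
    findings = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed:
            finding = classify(*parsed)
            if finding:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        print(f'[{f.severity:6}] {f.rule:20} {f.detail}')
```

Run against the nine constructed lines this yields seven findings (four high, one medium, two info) and nothing for the two control lines. The same rules apply unchanged to a live host if the input is produced from `reg query` output or a parsed hive, which is how an incident responder would confirm or clear the Winlogon and IFEO values on other machines; the Run-key rule is deliberately only "medium" because legitimate software uses those keys and the entry still needs a human look.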

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\r: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\h: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\h: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\l: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\q: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\g: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\w: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\q: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\s: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\i: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\u: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\j: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\k: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\s: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\m: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\N: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\e: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened (read-only) \??\r: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\o: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\j: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\N: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\z: C:\Windows\M13616\EmangEloh.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Windows\M13616\smss.exe N/A
File opened (read-only) \??\t: C:\Windows\M13616\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\805165423741l.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\X38113go\Z805165cie.cmd C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\805165423741l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File created \??\c:\Windows\SysWOW64\IME\shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Windows\SysWOW64\805165423741l.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X38113go\Z805165cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\SysWOW64\805165423741l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\805165423741l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\X38113go\Z805165cie.cmd C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\805165423741l.exe C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\IME\shared\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\805165423741l.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\805165423741l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X38113go\Z805165cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\shared\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\SysWOW64\X38113go\Z805165cie.cmd C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Windows\SysWOW64\805165423741l.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\805165423741l.exe C:\Windows\M13616\EmangEloh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\DVD Maker\Shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Program Files\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\M13616\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File opened for modification C:\Windows\M13616 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\sa-643065.exe C:\Windows\M13616\smss.exe N/A
File created C:\Windows\M13616\smss.exe C:\Windows\M13616\EmangEloh.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Windows\M13616\EmangEloh.exe N/A
File created C:\Windows\sa-643065.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\M13616\Ja634608bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\M13616 C:\Windows\M13616\EmangEloh.exe N/A
File created \??\c:\Windows\Downloaded Program Files\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\Ti423741ta.exe C:\Windows\M13616\EmangEloh.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Windows\SoftwareDistribution\Download\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\sa-643065.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\Ti423741ta.exe C:\Windows\M13616\smss.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\M13616\Ja634608bLay.com C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\sa-643065.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\M13616\EmangEloh.exe C:\Windows\M13616\smss.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\Ti423741ta.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Windows\Ti423741ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\M13616\EmangEloh.exe C:\Windows\M13616\smss.exe N/A
File created C:\Windows\[TheMoonlight].txt C:\Windows\M13616\smss.exe N/A
File opened for modification C:\Windows\M13616\EmangEloh.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\Ti423741ta.exe C:\Windows\M13616\EmangEloh.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File opened for modification C:\Windows\Ti423741ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\M13616\smss.exe C:\Windows\M13616\smss.exe N/A
File created \??\c:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
File created C:\Windows\sa-643065.exe C:\Windows\M13616\EmangEloh.exe N/A
File opened for modification C:\Windows\M13616 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\M13616\EmangEloh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\M13616\smss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M13616\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M13616\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M13616\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M13616\smss.exe N/A
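The two tables above belong together: the sample copies itself under winsxs, the GAC and other system directories with names like "Love Song .scr" and "Windows Vista setup .scr" (a space before the extension), and at the same time sets the default value of HKLM\SOFTWARE\Classes\scrfile to "File Folder", so that Explorer's Type column calls a screensaver executable a folder. With HideFileExt=1, which this report also records, the name shown is just "Love Song". The scanner below is an added example, not part of the sandbox output: it parses file rows in the format used on this page, flags names built that way, and shows what Explorer would display. The input is constructed from rows of this report; the same function can be fed a directory listing taken from a host.

```python
"""Spot self-copies named to pass as songs, setup files or folders.

Added example (not part of the sandbox output). Parses "File created" /
"File opened for modification" rows as printed in this report and flags
executables whose names are built to mislead Explorer.
"""
import re

EXEC_EXT = ("exe", "scr", "com", "cmd", "pif", "bat")
EXEC_DOT = tuple("." + e for e in EXEC_EXT)

# A name whose executable extension is separated from the stem by whitespace.
LURE_RE = re.compile(r"^(?P<stem>.*\S)\s+\.(?P<ext>%s)$" % "|".join(EXEC_EXT), re.I)

# One row of a file table: action, path (may contain spaces), process, target.
# Process paths in this report contain no spaces, so the last space-free token
# before "N/A" is the process and everything before it is the path.
FILE_LINE_RE = re.compile(
    r"^File (?:created|opened for modification) (?P<path>.+) (?P<proc>\S+) N/A$"
)


def normalise(path: str) -> str:
    # The sandbox reports some paths in NT object-manager form ("\??\c:\...").
    return path[4:] if path.startswith("\\??\\") else path


def parse_file_line(line: str):
    """Return (path, process) for a file row, or None for any other row."""
    m = FILE_LINE_RE.match(line.strip())
    if m is None:
        return None
    return normalise(m["path"]), m["proc"]


def explorer_display(name: str, hide_ext: bool = True, scr_as_folder: bool = True):
    """Name Explorer would show and whether its Type column reads "File Folder",
    under the registry state this report records (HideFileExt=1, scrfile
    default value = "File Folder")."""
    stem, dot, ext = name.rpartition(".")
    hidden = hide_ext and bool(dot) and ext.lower() in EXEC_EXT
    # The trailing space survives, so "Love Song " reads as "Love Song".
    shown = stem if hidden else name
    return shown, scr_as_folder and ext.lower() == "scr"


def scan(lines):
    """Return (path, process, reasons) for every dropped file that looks like a lure."""
    hits = []
    for line in lines:
        parsed = parse_file_line(line)
        if parsed is None:
            continue
        path, proc = parsed
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if LURE_RE.match(name):
            shown, as_folder = explorer_display(name)
            reasons.append(f"space before extension; Explorer shows '{shown}'"
                           + (" as a File Folder" if as_folder else ""))
        if path.lower().startswith("c:\\windows\\") and name.lower().endswith(EXEC_DOT):
            reasons.append("executable written under C:\\Windows")
        if reasons:
            hits.append((path, proc, reasons))
    return hits


# Constructed input: rows copied from the behavioral1 file table above.
SAMPLE_LINES = [
    r"File created \??\c:\Windows\Downloaded Program Files\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A",
    r"File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A",
    r"File created C:\Windows\sa-643065.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A",
    r"File created C:\Windows\[TheMoonlight].txt C:\Windows\M13616\smss.exe N/A",
    r"File created \??\c:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe N/A",
]

if __name__ == "__main__":
    for path, proc, reasons in scan(SAMPLE_LINES):
        print(path, "<-", proc)
        for reason in reasons:
            print("   ", reason)
```

The marker text file [TheMoonlight].txt is parsed but produces no finding, which is the intended behaviour: the scanner is for executables only. On a real host, run the same check over the system's own listing and treat any .scr whose Type column says "File Folder" as a reason to inspect HKLM\SOFTWARE\Classes\scrfile.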

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe
PID 1448 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe
PID 1448 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe
PID 1448 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\smss.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\smss.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\smss.exe
PID 1448 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\smss.exe
PID 1448 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\EmangEloh.exe
PID 1448 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\EmangEloh.exe
PID 1448 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\EmangEloh.exe
PID 1448 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M13616\EmangEloh.exe
PID 1448 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe
PID 1448 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe
PID 1448 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe
PID 1448 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe

"C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\service.exe"

C:\Windows\M13616\smss.exe

"C:\Windows\M13616\smss.exe"

C:\Windows\M13616\EmangEloh.exe

"C:\Windows\M13616\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O42524Z\winlogon.exe"

Network

N/A

Files

memory/1448-1-0x0000000000020000-0x0000000000022000-memory.dmp

memory/1448-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\M13616\EmangEloh.exe

MD5 0356b7bb07355265f73cbb010ae45041
SHA1 9223d100e366a21ae395c9a7b64b13ddb236c389
SHA256 5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a
SHA512 9d5b7177b162135338946ba1bb90d264c646e799c7980f9355973585a73d94010a95b2f8704293d60919639bb142ae7a66205bb1c2927b88b52ff1b4c9a1ea43

memory/1448-33-0x0000000002580000-0x0000000002590000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/1448-42-0x0000000003870000-0x00000000038A5000-memory.dmp

memory/2884-58-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2748-52-0x0000000000020000-0x0000000000022000-memory.dmp

memory/1448-51-0x0000000003870000-0x00000000038A5000-memory.dmp

memory/2748-50-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1448-49-0x0000000003870000-0x00000000038A5000-memory.dmp

memory/1900-93-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-109-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/1448-106-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1448-92-0x0000000004220000-0x0000000004255000-memory.dmp

memory/1448-91-0x0000000004220000-0x0000000004255000-memory.dmp

memory/2272-179-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1900-178-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2884-177-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2748-176-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2748-182-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-185-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2748-186-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1900-188-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-189-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2884-191-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1900-192-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-193-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-197-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-201-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-205-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-209-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-210-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-214-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-218-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-222-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-226-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2748-227-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-230-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2884-232-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2272-234-0x0000000000400000-0x0000000000435000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:52

Reported

2024-11-08 22:55

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64746Z\\TuxO64746Z.exe\"" C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M36838\\Ja56831bLay.com\"" C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64746Z\\TuxO64746Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M36838\\Ja56831bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64746Z\\TuxO64746Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M36838\\Ja56831bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64746Z\\TuxO64746Z.exe\"" C:\Windows\M36838\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M36838\\Ja56831bLay.com\"" C:\Windows\M36838\smss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M36838\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M36838\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M36838\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M36838\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M36838\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M36838\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M36838\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M36838\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M36838\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M36838\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M36838\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M36838\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M36838\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M36838\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1368388TT4 = "C:\\Windows\\system32\\127387645063l.exe" C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T46Z273 = "C:\\Windows\\sa-865388.exe" C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1368388TT4 = "C:\\Windows\\system32\\127387645063l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T46Z273 = "C:\\Windows\\sa-865388.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1368388TT4 = "C:\\Windows\\system32\\127387645063l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T46Z273 = "C:\\Windows\\sa-865388.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1368388TT4 = "C:\\Windows\\system32\\127387645063l.exe" C:\Windows\M36838\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T46Z273 = "C:\\Windows\\sa-865388.exe" C:\Windows\M36838\smss.exe N/A
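The Winlogon, Explorer-visibility, DisableRegistryTools, Image File Execution Options and Run-key tables above all share one row format, and the interesting question for each row is the same: does the written data differ from what Windows itself puts there? Shell must be exactly explorer.exe and Userinit exactly C:\Windows\system32\userinit.exe, (the trailing comma is part of the legitimate default), so the appended TuxO64746Z.exe and Ja56831bLay.com are the persistence; an IFEO debugger value for msconfig.exe or regedit.exe pointing at notepad.exe means those tools can no longer start. The script below is an added example, not part of the sandbox output: it parses rows in this report's format and applies those comparisons. The sample rows are copied from the tables above; nothing is read from a live registry.

```python
"""Triage "Set value" indicator rows of the kind shown in this report.

Added example (not part of the sandbox output). Each row is parsed into
(key, value name, data, process) and compared with the value Windows itself
writes, so that only real persistence or evasion is reported.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of a "Set value" table: type, full value path, quoted data, process.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+) N/A$'
)

# Winlogon values as Windows ships them. Userinit legitimately ends with a
# comma, so entries are compared as a list rather than as the raw string.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# User-scope values this sample flips, keyed by the tail of the value path.
EVASION_VALUES = {
    r"\explorer\advanced\hidefileext": "1",         # hide .exe/.scr extensions
    r"\explorer\advanced\showsuperhidden": "0",     # keep hidden/system files hidden
    r"\policies\system\disableregistrytools": "1",  # block regedit
}


@dataclass(frozen=True)
class Finding:
    category: str  # "winlogon", "ifeo", "evasion" or "run"
    detail: str
    process: str


def _unescape(data: str) -> str:
    # The report renders quotes and backslashes inside REG_SZ data escaped.
    return data.replace('\\"', '"').replace("\\\\", "\\")


def _entries(data: str) -> list[str]:
    # Split Shell/Userinit style lists; drop the quotes the sample adds.
    return [e.strip().strip('"') for e in data.split(",") if e.strip()]


def parse_set_value(line: str):
    """Return (key, value name, data, process) or None for rows with no data."""
    m = SET_VALUE_RE.match(line.strip())
    if m is None:
        return None  # "Key created", "File created" and similar rows
    key, _, name = m["path"].rpartition("\\")
    return key.lower(), name.lower(), _unescape(m["data"]), m["proc"]


def classify(line: str) -> Finding | None:
    parsed = parse_set_value(line)
    if parsed is None:
        return None
    key, name, data, proc = parsed
    if key.endswith(r"\winlogon") and name in WINLOGON_DEFAULTS:
        extra = [e for e in _entries(data) if e.lower() not in WINLOGON_DEFAULTS[name]]
        if not extra:
            return None  # value still equals the default
        return Finding("winlogon", f"{name} also launches {', '.join(extra)}", proc)
    if "\\image file execution options\\" in key and name == "debugger":
        target = key.rsplit("\\", 1)[-1]
        return Finding("ifeo", f"{target} redirected to {data}", proc)
    for tail, bad in EVASION_VALUES.items():
        if (key + "\\" + name).endswith(tail) and data == bad:
            return Finding("evasion", f"{name}={data}", proc)
    if key.endswith(r"\currentversion\run"):
        return Finding("run", f"{name} -> {data}", proc)
    return None


def triage(lines) -> list[Finding]:
    return [f for f in map(classify, lines) if f is not None]


# Constructed input: rows copied verbatim from the behavioral2 tables above.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64746Z\\TuxO64746Z.exe\"" C:\Windows\M36838\EmangEloh.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M36838\\Ja56831bLay.com\"" C:\Windows\M36838\EmangEloh.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M36838\smss.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M36838\smss.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M36838\smss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1368388TT4 = "C:\\Windows\\system32\\127387645063l.exe" C:\Windows\M36838\EmangEloh.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T46Z273 = "C:\\Windows\\sa-865388.exe" C:\Windows\M36838\EmangEloh.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M36838\EmangEloh.exe N/A',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.detail}  <- {f.process}")
```

A row that leaves Shell at explorer.exe produces no finding, so the same script can be run over a clean report without noise. When cleaning a host, restore Shell and Userinit to the defaults listed in WINLOGON_DEFAULTS before rebooting; removing the dropped executables alone leaves a Userinit entry that no longer resolves, and the session will not log in.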

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\p: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\o: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\x: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\u: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\h: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\j: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\v: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\v: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\m: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\r: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\N: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\e: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\l: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\e: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\o: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\w: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\i: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\h: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\x: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\p: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\j: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\r: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M36838\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened (read-only) \??\g: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\i: C:\Windows\M36838\smss.exe N/A
File opened (read-only) \??\s: C:\Windows\M36838\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\X61345go\Z127387cie.cmd C:\Windows\M36838\smss.exe N/A
File created C:\Windows\SysWOW64\127387645063l.exe C:\Windows\M36838\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\127387645063l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\SysWOW64\X61345go\Z127387cie.cmd C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z127387cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\127387645063l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\127387645063l.exe C:\Windows\M36838\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\127387645063l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Windows\SysWOW64\127387645063l.exe C:\Windows\M36838\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z127387cie.cmd C:\Windows\M36838\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z127387cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M36838\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\SysWOW64\127387645063l.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\SysWOW64\127387645063l.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M36838\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\127387645063l.exe C:\Windows\M36838\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\127387645063l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Common Files\microsoft shared\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\dotnet\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\Updates\Download\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\dotnet\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\Updates\Download\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Windows\M36838\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created C:\Windows\M36838\Ja56831bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\SharedFileCache\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\Ti645063ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\Ti645063ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created C:\Windows\M36838\smss.exe C:\Windows\M36838\smss.exe N/A
File opened for modification C:\Windows\M36838\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M36838\EmangEloh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\M36838\Ja56831bLay.com C:\Windows\M36838\EmangEloh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\Ti645063ta.exe C:\Windows\M36838\EmangEloh.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\M36838\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created \??\c:\Windows\InputMethod\SHARED\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\Ti645063ta.exe C:\Windows\M36838\smss.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\M36838\smss.exe C:\Windows\M36838\EmangEloh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\M36838 C:\Windows\M36838\smss.exe N/A
File created \??\c:\Windows\SoftwareDistribution\Download\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\M36838\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File opened for modification C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\M36838\Ja56831bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\M36838\Ja056831bLay.com C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\Ti645063ta.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\M36838\Ja56831bLay.com C:\Windows\M36838\EmangEloh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\M36838\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File opened for modification C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\M36838\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\M36838\EmangEloh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M36838\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M36838\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M36838\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M36838\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
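The "Drops file in ..." and "Modifies registry class" rows above are flat text, which makes them awkward to pivot on during triage. The Python below is an added example, not part of the sandbox output or of the sample's code: it parses a dozen rows copied verbatim from those tables (embedded as constructed input) and derives three things a responder wants from them: the lure filenames that carry a padding space before the extension (RaHasIA .exe, Lagu - Server .scr and friends, which show as "RaHasIA" or "Lagu - Server" once Explorer hides known extensions), which process dropped each of them, and which processes rewrote the scrfile class default to "File Folder", so that those .scr droppers are listed with a folder's type description. The expected clean value "Screen Saver" and the list of executable extensions are assumptions about a stock Windows install, not values taken from the report.

```python
import re
from collections import Counter, defaultdict

# Constructed input: rows copied verbatim from the signature tables of this
# report, one per line. A "Key created" row is included to show how the
# parser treats row types it does not handle.
SAMPLE_ROWS = r"""
File created C:\Windows\SysWOW64\127387645063l.exe C:\Windows\M36838\EmangEloh.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\SysWOW64\X61345go\Z127387cie.cmd C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created \??\c:\Program Files\dotnet\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
File created C:\Windows\M36838\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened for modification C:\Windows\[TheMoonlight].txt C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
File opened for modification C:\Windows\M36838 C:\Windows\M36838\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M36838\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe N/A
"""

# The indicator column often contains spaces, the process column never does in
# this report, so the row is split on "<drive>:\<no spaces> N/A" at the end.
FILE_ROW = re.compile(
    r"^(?P<action>File created|File opened for modification|File opened \(read-only\)) "
    r"(?P<path>.+?) (?P<process>[A-Za-z]:\\\S+) N/A$"
)
REG_SET_ROW = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\S+) = "(?P<value>[^"]*)" (?P<process>[A-Za-z]:\\\S+) N/A$'
)
# Whitespace directly before an executable extension, as in "RaHasIA .exe".
# The extension list is an assumption, not something the report states.
PADDED_EXT = re.compile(r"\s\.(exe|scr|com|cmd|bat|pif)$", re.IGNORECASE)
# Assumption: a clean Windows install has "Screen Saver" as the scrfile default.
EXPECTED_SCRFILE_DEFAULT = "Screen Saver"


def parse_rows(text):
    """Parse flattened report rows into dicts; rows of other kinds are returned unparsed."""
    records, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FILE_ROW.match(line)
        if m:
            records.append({"kind": "file", **m.groupdict()})
            continue
        m = REG_SET_ROW.match(line)
        if m:
            records.append({"kind": "registry", **m.groupdict()})
            continue
        unparsed.append(line)
    return records, unparsed


def file_name(path):
    """Last path component; works for both C:\\ and \\??\\c:\\ forms."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def padded_lures(records):
    """Dropped files whose name has whitespace before the extension -> sorted droppers."""
    lures = defaultdict(set)
    for r in records:
        if r["kind"] == "file" and PADDED_EXT.search(file_name(r["path"])):
            lures[file_name(r["path"])].add(file_name(r["process"]))
    return {name: sorted(procs) for name, procs in sorted(lures.items())}


def scrfile_masquerade(records):
    """(process, value) for every rewrite of the scrfile class default to an unexpected text."""
    hits = []
    for r in records:
        if (r["kind"] == "registry"
                and r["key"].lower().rstrip("\\").endswith(r"\classes\scrfile")
                and r["value"] != EXPECTED_SCRFILE_DEFAULT):
            hits.append((file_name(r["process"]), r["value"]))
    return hits


def drops_by_process(records):
    """How many file rows each process accounts for."""
    return Counter(file_name(r["process"]) for r in records if r["kind"] == "file")


if __name__ == "__main__":
    recs, skipped = parse_rows(SAMPLE_ROWS)
    print("lure filenames:", padded_lures(recs))
    print("scrfile default rewritten by:", scrfile_masquerade(recs))
    print("file rows per process:", drops_by_process(recs))
    print("rows not parsed:", len(skipped))
```

Feeding the complete tables through the same parser gives a hunting list of full paths per lure name; the padded-extension check is the part worth keeping as a detection, since a space before ".exe" or ".scr" is almost never produced by legitimate installers.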

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3844 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe
PID 3844 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe
PID 3844 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe
PID 3844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M36838\smss.exe
PID 3844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M36838\smss.exe
PID 3844 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M36838\smss.exe
PID 3844 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M36838\EmangEloh.exe
PID 3844 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M36838\EmangEloh.exe
PID 3844 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Windows\M36838\EmangEloh.exe
PID 3844 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe
PID 3844 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe
PID 3844 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe

"C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe"

C:\Windows\M36838\smss.exe

"C:\Windows\M36838\smss.exe"

C:\Windows\M36838\EmangEloh.exe

"C:\Windows\M36838\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\winlogon.exe"

Network

Country Destination Domain Proto
(every row is a reverse-DNS (PTR) query sent to 8.8.8.8; the Domain column holds the queried in-addr.arpa name, whose octets are the looked-up address reversed, so 228.249.119.40.in-addr.arpa asks about 40.119.249.228; no other destination appears in this table)
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/3844-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3844-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z\service.exe
(SHA256 identical to the submitted sample's: the dropped service.exe is a byte-for-byte self-copy)

MD5 0356b7bb07355265f73cbb010ae45041
SHA1 9223d100e366a21ae395c9a7b64b13ddb236c389
SHA256 5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a
SHA512 9d5b7177b162135338946ba1bb90d264c646e799c7980f9355973585a73d94010a95b2f8704293d60919639bb142ae7a66205bb1c2927b88b52ff1b4c9a1ea43

memory/2184-56-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2184-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3320-57-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\Windows\system\msvbvm60.dll
(these are the digests of a zero-length file: MD5 d41d8cd9..., SHA1 da39a3ee... and SHA256 e3b0c442... are the empty-input values, so this copy of the Visual Basic 6 runtime was hashed before anything had been written to it; the later entry for the same path carries the populated file's hashes)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2536-116-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2536-115-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/560-130-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3844-144-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3320-233-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2184-234-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-236-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2536-235-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3320-237-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3320-241-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-244-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3320-247-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2184-248-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-250-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2536-249-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3320-251-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-254-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2536-257-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-258-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2536-261-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-262-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-266-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-267-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-271-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-279-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-287-0x0000000000400000-0x0000000000435000-memory.dmp

memory/560-291-0x0000000000400000-0x0000000000435000-memory.dmp
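The "Suspicious use of WriteProcessMemory" rows above and the memory-dump names in this Files section can be joined into a picture of who wrote into whom and what each process had mapped. The Python below is an added example, not part of the report: it parses those two row formats (the rows are copied from this page and embedded as constructed input) and shows that PID 3844, the submitted sample, is the only writer, that its four targets are the dropped service.exe, smss.exe, EmangEloh.exe and winlogon.exe, and that every one of the five processes had the same 0x400000-0x435000 region dumped. A common fixed image base of that size in all five is consistent with the children being copies of one binary, which the Files section supports for service.exe (its SHA256 is the submitted sample's); the page lists no hashes for the other three, so for them it stays an inference.

```python
import re
from collections import defaultdict

# Row formats handled, both taken from this report's layout:
#   PID <src> wrote to memory of <dst> N/A <src image path> <dst image path>
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5433c04586cf1ffbacad3b5cb1ed5694f0185035823a582b68adc6020c4c779a.exe"
TEMPLATES = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64746Z"

# Constructed input: WriteProcessMemory rows from the report, including one of
# the repeated rows the sandbox emits for successive writes into the same target.
WPM_ROWS = "\n".join([
    f"PID 3844 wrote to memory of 3320 N/A {SAMPLE} {TEMPLATES}\\service.exe",
    f"PID 3844 wrote to memory of 3320 N/A {SAMPLE} {TEMPLATES}\\service.exe",
    f"PID 3844 wrote to memory of 2184 N/A {SAMPLE} C:\\Windows\\M36838\\smss.exe",
    f"PID 3844 wrote to memory of 2536 N/A {SAMPLE} C:\\Windows\\M36838\\EmangEloh.exe",
    f"PID 3844 wrote to memory of 560 N/A {SAMPLE} {TEMPLATES}\\winlogon.exe",
])

# Constructed input: memory-dump names copied from the Files section.
DUMP_NAMES = """
memory/3844-0-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3844-1-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2184-56-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2184-58-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/3320-57-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2536-116-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2536-115-0x0000000000400000-0x0000000000435000-memory.dmp
memory/560-130-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3320-233-0x0000000000400000-0x0000000000435000-memory.dmp
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def injection_edges(text):
    """Deduplicated (source pid, target pid) -> (source image name, target image name)."""
    edges = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = WPM_ROW.match(line)
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = (basename(m["src_image"]), basename(m["dst_image"]))
    return edges


def parent_tree(edges):
    """Writer pid -> sorted list of (target pid, target image name)."""
    tree = defaultdict(list)
    for (src, dst), (_, dst_image) in edges.items():
        tree[src].append((dst, dst_image))
    return {src: sorted(targets) for src, targets in tree.items()}


def image_regions(text):
    """pid -> set of (start, end) address ranges that were dumped for it."""
    regions = defaultdict(set)
    for line in filter(None, map(str.strip, text.splitlines())):
        m = DUMP_NAME.match(line)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return dict(regions)


def common_regions(regions):
    """Address ranges that were dumped from every process in the set."""
    return set.intersection(*regions.values()) if regions else set()


def region_size(region):
    start, end = region
    return end - start


if __name__ == "__main__":
    edges = injection_edges(WPM_ROWS)
    for parent, children in parent_tree(edges).items():
        print(f"PID {parent} wrote into:", ", ".join(f"{pid} ({name})" for pid, name in children))
    regions = image_regions(DUMP_NAMES)
    for start, end in sorted(common_regions(regions)):
        size = region_size((start, end))
        print(f"range 0x{start:X}-0x{end:X} ({size:#x} bytes) dumped from all {len(regions)} processes")
```

The small 0x1C0000-0x1C2000 and 0x1E0000-0x1E2000 regions dumped alongside the image are 8 KiB each and are the natural place to look for the written payload or configuration; the script only surfaces them per PID, it does not interpret their contents.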