Malware Analysis Report

2024-12-07 16:23

Sample ID 241113-zdcx1sygmk
Target 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b
SHA256 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b
Tags
upx defense_evasion discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b

Threat Level: Known bad

The file 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery evasion persistence trojan

Windows security bypass

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Image File Execution Options Injection

Windows security modification

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Indicator Removal: Clear Persistence

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:35

Reported

2024-11-13 20:38

Platform

win7-20241010-en

Max time kernel

149s

Max time network

126s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\StubPath = "C:\\Windows\\system32\\arloatud-udoab.exe" C:\Windows\SysWOW64\eammoabab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45} C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\IsInstalled = "1" C:\Windows\SysWOW64\eammoabab.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apniheav.exe" C:\Windows\SysWOW64\eammoabab.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\eammoabab.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\eammoabab.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\eammoabab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\udkesos-xum.dll" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\eammoabab.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\udkesos-xum.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\eammoabab.exe C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
File created C:\Windows\SysWOW64\arloatud-udoab.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\udkesos-xum.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\arloatud-udoab.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\gymspzd.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\eammoabab.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\eammoabab.exe C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
File opened for modification C:\Windows\SysWOW64\apniheav.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\apniheav.exe C:\Windows\SysWOW64\eammoabab.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\rmass.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ahuy.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ntdbg.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\RECOVER32.DLL C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\gymspzd.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\eammoabab.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\eammoabab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\eammoabab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\eammoabab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe C:\Windows\SysWOW64\eammoabab.exe
PID 2444 wrote to memory of 420 N/A C:\Windows\SysWOW64\eammoabab.exe C:\Windows\system32\winlogon.exe
PID 2444 wrote to memory of 1256 N/A C:\Windows\SysWOW64\eammoabab.exe C:\Windows\Explorer.EXE
PID 2444 wrote to memory of 2796 N/A C:\Windows\SysWOW64\eammoabab.exe C:\Windows\SysWOW64\eammoabab.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe

"C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe"

C:\Windows\SysWOW64\eammoabab.exe

"C:\Windows\system32\eammoabab.exe"

C:\Windows\SysWOW64\eammoabab.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 yvgxmom.mp udp

Files

memory/1064-0-0x0000000000400000-0x0000000000418000-memory.dmp

\Windows\SysWOW64\eammoabab.exe

MD5 263bdd6fbaa7dd34d5ee56b97e2a3cb5
SHA1 0e1d446308189ddf8cd9d0719415721b69aa7b67
SHA256 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b
SHA512 b860bab9c045bac958fb92f51d564379235f0fbe398fc164b736406466f3483cf493e220380361da6345e537c5554add7b5dc950ed95edfe572dcd1117b3c3ce

memory/1064-10-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\udkesos-xum.dll

MD5 c8521a5fdd1c9387d536f599d850b195
SHA1 a543080665107b7e32bcc1ed19dbfbc1d2931356
SHA256 fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
SHA512 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

C:\Windows\SysWOW64\apniheav.exe

MD5 dd0a988c954b0959603c62fd5b18d903
SHA1 3e23addc824862312cbc5e60c50492ceca94bc8d
SHA256 0695d7bc594772ef3939a64e4eb4840569e6b0c0fd460741e5727746f1878ee9
SHA512 89c5e8a21bf2caec987a933424bbeaba1ea427d36202bb4341bd2b594294f1c44c1c7e1caf03d94c040cf9e203b2a26e085f43a4e59d434adb0ce78ea0fd58f5

C:\Windows\SysWOW64\arloatud-udoab.exe

MD5 12e499ed1c2256b6e5afcee57c7c099d
SHA1 327e2a58a13f63c3859c1434b873680e5b86cd5c
SHA256 4b5f7f8a5817249c25aee24e23833aa15e06a900d56224e9059e4c64ccf1c3f8
SHA512 1607457bc46414538824bed9721c14d0255cccdb92167fd6334f6f3a41b99c1806558b29cd0d5f8b5e35a6c7247b6626d66627cf9a267b39f3bb4fb8bc7d478b

memory/2444-47-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2796-54-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 20:35

Reported

2024-11-13 20:38

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\StubPath = "C:\\Windows\\system32\\arloatud-udoab.exe" C:\Windows\SysWOW64\eammoabab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e} C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5951524C-4b59-4f4e-5951-524C4B594f4e}\IsInstalled = "1" C:\Windows\SysWOW64\eammoabab.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apniheav.exe" C:\Windows\SysWOW64\eammoabab.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\eammoabab.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" C:\Windows\SysWOW64\eammoabab.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\eammoabab.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\eammoabab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\udkesos-xum.dll" C:\Windows\SysWOW64\eammoabab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\eammoabab.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\udkesos-xum.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\udkesos-xum.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\gymspzd.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\apniheav.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\eammoabab.exe C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
File opened for modification C:\Windows\SysWOW64\arloatud-udoab.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\eammoabab.exe C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
File opened for modification C:\Windows\SysWOW64\eammoabab.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File created C:\Windows\SysWOW64\arloatud-udoab.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Windows\SysWOW64\apniheav.exe C:\Windows\SysWOW64\eammoabab.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ahuy.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ntdbg.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\RECOVER32.DLL C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\gymspzd.dll C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\eammoabab.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\rmass.exe C:\Windows\SysWOW64\eammoabab.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\eammoabab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\eammoabab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\eammoabab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3600 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe C:\Windows\SysWOW64\eammoabab.exe
PID 760 wrote to memory of 620 N/A C:\Windows\SysWOW64\eammoabab.exe C:\Windows\system32\winlogon.exe
PID 760 wrote to memory of 3460 N/A C:\Windows\SysWOW64\eammoabab.exe C:\Windows\Explorer.EXE
PID 760 wrote to memory of 2796 N/A C:\Windows\SysWOW64\eammoabab.exe C:\Windows\SysWOW64\eammoabab.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe

"C:\Users\Admin\AppData\Local\Temp\275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b.exe"

C:\Windows\SysWOW64\eammoabab.exe

"C:\Windows\system32\eammoabab.exe"

C:\Windows\SysWOW64\eammoabab.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 goricobsssemo.mp udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 goricobsssemo.mp udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3600-0-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\eammoabab.exe

MD5 263bdd6fbaa7dd34d5ee56b97e2a3cb5
SHA1 0e1d446308189ddf8cd9d0719415721b69aa7b67
SHA256 275ae465f6f8daf44e9fed507aacdb05dca19c5d3790c5f8a44ecefc8db4529b
SHA512 b860bab9c045bac958fb92f51d564379235f0fbe398fc164b736406466f3483cf493e220380361da6345e537c5554add7b5dc950ed95edfe572dcd1117b3c3ce

memory/3600-6-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2796-17-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\arloatud-udoab.exe

MD5 fb3cbc2175ffca23f22f180e4e802924
SHA1 e73c929a2aca73267287b2949084deebdbc15e67
SHA256 c876cad69aa62d8103792b6cb0a23fd065b57268903c391c13de5bbb9e74dd07
SHA512 e67fdada6bbdd589d334f7d84ca316c7434d844a5f3b132b433191258392bd58794a53ceffa3db66eb371830808f593d2a60d5170c7a1bc89acdbee08fcb804d

C:\Windows\SysWOW64\apniheav.exe

MD5 e9c15295a50169e715261b9ba063a2a3
SHA1 dfd45ac161702a22ef5bbb7564360619d79c95ac
SHA256 f3268c62540e769646a3e05fadaaae9f549b8e1f0250d6d62fbacec3503261e8
SHA512 ffa7b8bf1904d1972a8d3c9bd101ef1985f6f19c0e91187b46e7b6a5f51d5bb6744ea71800f136dc59050241ef37c41a6c4f1669cd8804a9ee20649c0f62d865

C:\Windows\SysWOW64\udkesos-xum.dll

MD5 c8521a5fdd1c9387d536f599d850b195
SHA1 a543080665107b7e32bcc1ed19dbfbc1d2931356
SHA256 fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
SHA512 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

memory/760-42-0x0000000000400000-0x0000000000418000-memory.dmp