d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda

Analysis

max time kernel
150s
max time network
123s
platform
windows10_x64
resource
win10v20210410
submitted
18-04-2021 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
Size

215KB
MD5

9487de43f88f7e89bb5d3999f58bff15
SHA1

22a28e5379c3ae3da581cf4f1412cc8b73557c5c
SHA256

d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda
SHA512

f68ea1054503f149c209117344cc4f2ab2304acf33bbc092815eb6082e8e1fd7cb2658396a41f9524f8a4aef128f692c9ffb926f53c5677907c53a2ba23273b4

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

51196.exefileDL821.exefileDL821.exefileDL821.exe

pid process

3784 51196.exe
3808 fileDL821.exe
3408 fileDL821.exe
3468 fileDL821.exe

Drops startup file 2 IoCs

Processes:

SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe51196.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe	51196.exe

Loads dropped DLL 2 IoCs

Processes:

51196.exeEhStorAuthn.exe

pid process

3784 51196.exe
3948 EhStorAuthn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EhStorAuthn.exefileDL821.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs"	EhStorAuthn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\syscheck = "C:\\ProgramData\\fileDL821.exe"	fileDL821.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com

flow	ioc
19	ip-api.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe51196.exeEhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	51196.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	51196.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	EhStorAuthn.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1956 schtasks.exe
768 schtasks.exe

pid	process
1956	schtasks.exe
768	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

fileDL821.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.vshost.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.vshost.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11"	fileDL821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11"	fileDL821.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11"	fileDL821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fileDL821.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.vshost.exe = "11001"	fileDL821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Admin.exe = "11"	fileDL821.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4008 PING.EXE

pid	process
4008	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51196.exefileDL821.exe

pid	process
3784	51196.exe
3784	51196.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe
3808	fileDL821.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fileDL821.exe

description pid process

Token: SeDebugPrivilege 3808 fileDL821.exe
Token: SeDebugPrivilege 3808 fileDL821.exe

description	pid	process
Token: SeDebugPrivilege	3808	fileDL821.exe
Token: SeDebugPrivilege	3808	fileDL821.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

SecuriteInfo.com.Variant.Graftor.941749.26444.23114.execmd.exe51196.exeEhStorAuthn.exefileDL821.exe

description	pid	process	target process
PID 2204 wrote to memory of 3784	2204	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe	51196.exe
PID 2204 wrote to memory of 3784	2204	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe	51196.exe
PID 2204 wrote to memory of 3784	2204	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe	51196.exe
PID 2204 wrote to memory of 1296	2204	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe	cmd.exe
PID 2204 wrote to memory of 1296	2204	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe	cmd.exe
PID 2204 wrote to memory of 1296	2204	SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe	cmd.exe
PID 1296 wrote to memory of 4008	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 4008	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 4008	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 4076	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 4076	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 4076	1296	cmd.exe	cmd.exe
PID 3784 wrote to memory of 3948	3784	51196.exe	EhStorAuthn.exe
PID 3784 wrote to memory of 3948	3784	51196.exe	EhStorAuthn.exe
PID 3784 wrote to memory of 3948	3784	51196.exe	EhStorAuthn.exe
PID 3784 wrote to memory of 3948	3784	51196.exe	EhStorAuthn.exe
PID 3948 wrote to memory of 1956	3948	EhStorAuthn.exe	schtasks.exe
PID 3948 wrote to memory of 1956	3948	EhStorAuthn.exe	schtasks.exe
PID 3948 wrote to memory of 1956	3948	EhStorAuthn.exe	schtasks.exe
PID 3948 wrote to memory of 3808	3948	EhStorAuthn.exe	fileDL821.exe
PID 3948 wrote to memory of 3808	3948	EhStorAuthn.exe	fileDL821.exe
PID 3948 wrote to memory of 3808	3948	EhStorAuthn.exe	fileDL821.exe
PID 3808 wrote to memory of 768	3808	fileDL821.exe	schtasks.exe
PID 3808 wrote to memory of 768	3808	fileDL821.exe	schtasks.exe
PID 3808 wrote to memory of 768	3808	fileDL821.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.941749.26444.23114.exe"
1⤵
- Drops startup file
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
4⤵
- Creates scheduled task(s)
PID:1956

C:\ProgramData\fileDL821.exe
"C:\ProgramData\fileDL821.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc minute /mo 1 /tn "DecAdmin" /tr "C:\ProgramData\fileDL821.exe"
5⤵
- Creates scheduled task(s)
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
3⤵
- Runs ping.exe
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
3⤵
PID:4076

C:\ProgramData\fileDL821.exe
C:\ProgramData\fileDL821.exe
1⤵
- Executes dropped EXE
PID:3408

C:\ProgramData\fileDL821.exe
C:\ProgramData\fileDL821.exe
1⤵
- Executes dropped EXE
PID:3468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fileDL821.exe
MD5
775029e6ac5944e85432fe39daf93ad7

SHA1
430398ff667aa4576a3f8273e0317ad7d6a4c870

SHA256
27e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b

SHA512
53946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210

Download Submit
C:\ProgramData\fileDL821.exe
MD5
775029e6ac5944e85432fe39daf93ad7

SHA1
430398ff667aa4576a3f8273e0317ad7d6a4c870

SHA256
27e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b

SHA512
53946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210

Download Submit
C:\ProgramData\fileDL821.exe
MD5
775029e6ac5944e85432fe39daf93ad7

SHA1
430398ff667aa4576a3f8273e0317ad7d6a4c870

SHA256
27e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b

SHA512
53946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210

Download Submit
C:\ProgramData\fileDL821.exe
MD5
775029e6ac5944e85432fe39daf93ad7

SHA1
430398ff667aa4576a3f8273e0317ad7d6a4c870

SHA256
27e1bf195d2ecf398aa03f64a1f77c94f0a3d9ce9ec882ca2ea80742b73ec92b

SHA512
53946a952896ebbd0b77d20196408aa4da3ee33c718dd219a3f71e07e99691eb7659de45f3f072a813669b9df6c0547465981b4e6a25bd276746add3758e5210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fileDL821.exe.log
MD5
6e1b08ede4d07113f8a126abbf6db2a8

SHA1
6aa7bfa1133ff30d8367507595d1a89550a7b279

SHA256
45e7b1100a2d79e789bb3e10fba2af5381f7651cbf32eb188d1dd625bbe7095e

SHA512
330bee9d8d285898686cea5e052ff50b07f358d6508e5337dda804d7caeca24d6b7aebad68ba3f53803519a8b74bb92542fcf8db1838944ef55181587bbec38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb37AC.tmp
MD5
6ec701ca4746fe93b6610e41ca09f949

SHA1
c9bd06d55ae2827d73f2750f4f49426e0449d900

SHA256
6c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d

SHA512
32f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb37CC.tmp
MD5
6ec701ca4746fe93b6610e41ca09f949

SHA1
c9bd06d55ae2827d73f2750f4f49426e0449d900

SHA256
6c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d

SHA512
32f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb37FC.tmp
MD5
6ec701ca4746fe93b6610e41ca09f949

SHA1
c9bd06d55ae2827d73f2750f4f49426e0449d900

SHA256
6c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d

SHA512
32f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb71FA.tmp
MD5
6ec701ca4746fe93b6610e41ca09f949

SHA1
c9bd06d55ae2827d73f2750f4f49426e0449d900

SHA256
6c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d

SHA512
32f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb720B.tmp
MD5
6ec701ca4746fe93b6610e41ca09f949

SHA1
c9bd06d55ae2827d73f2750f4f49426e0449d900

SHA256
6c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d

SHA512
32f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb721C.tmp
MD5
6ec701ca4746fe93b6610e41ca09f949

SHA1
c9bd06d55ae2827d73f2750f4f49426e0449d900

SHA256
6c73389236d16c617162534ea7dc9fb830cdf88a7d478bfb3199248e4c98fa7d

SHA512
32f5f71c593b8457ab928259e3138d86e14e53294eb41dac73459631d900044db7ba89273519d77d1525ee8ada709afb51c9c6c078338d85371cb37e5ea9e62c

Download Submit
C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe
MD5
9487de43f88f7e89bb5d3999f58bff15

SHA1
22a28e5379c3ae3da581cf4f1412cc8b73557c5c

SHA256
d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda

SHA512
f68ea1054503f149c209117344cc4f2ab2304acf33bbc092815eb6082e8e1fd7cb2658396a41f9524f8a4aef128f692c9ffb926f53c5677907c53a2ba23273b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\51196.exe
MD5
9487de43f88f7e89bb5d3999f58bff15

SHA1
22a28e5379c3ae3da581cf4f1412cc8b73557c5c

SHA256
d01b6d2461b4616969a7e688acf91fdc20ae37b51c0b67fed700e0a42365ccda

SHA512
f68ea1054503f149c209117344cc4f2ab2304acf33bbc092815eb6082e8e1fd7cb2658396a41f9524f8a4aef128f692c9ffb926f53c5677907c53a2ba23273b4

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat
MD5
4dfcfe7e645f22c7d94c15a545e039b1

SHA1
9acebcdac98cea209d15b582d6680cbb503dd24d

SHA256
e3cff07167a88ab608d74e1efa95646fe44dccadaa064ad5dc6cd491447c3c75

SHA512
f61d0e772d9b3958ea36d3d105aff067265559c565763cb50962cc2d78b40b992b4f92f483b69766a2563b0c34a08c583173b079b70c7f1034da2d5bebff920c

Download Submit
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/768-139-0x0000000000000000-mapping.dmp

Download
memory/1296-119-0x0000000000000000-mapping.dmp

Download
memory/1956-129-0x0000000000000000-mapping.dmp

Download
memory/2204-114-0x0000000003FD0000-0x0000000003FD9000-memory.dmp

Filesize
36KB

Download
memory/2204-115-0x0000000000400000-0x0000000003D9C000-memory.dmp

Filesize
57.6MB

Download
memory/3408-152-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3468-163-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/3784-123-0x0000000000400000-0x0000000003D9C000-memory.dmp

Filesize
57.6MB

Download
memory/3784-116-0x0000000000000000-mapping.dmp

Download
memory/3808-133-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3808-143-0x0000000000A18000-0x0000000000A19000-memory.dmp

Filesize
4KB

Download
memory/3808-142-0x0000000000A17000-0x0000000000A18000-memory.dmp

Filesize
4KB

Download
memory/3808-141-0x0000000000A16000-0x0000000000A17000-memory.dmp

Filesize
4KB

Download
memory/3808-140-0x0000000000A15000-0x0000000000A16000-memory.dmp

Filesize
4KB

Download
memory/3808-138-0x0000000000A13000-0x0000000000A15000-memory.dmp

Filesize
8KB

Download
memory/3808-153-0x0000000000A19000-0x0000000000A1A000-memory.dmp

Filesize
4KB

Download
memory/3808-137-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3808-134-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3808-130-0x0000000000000000-mapping.dmp

Download
memory/3948-127-0x0000000002750000-0x000000000275B000-memory.dmp

Filesize
44KB

Download
memory/4008-121-0x0000000000000000-mapping.dmp

Download
memory/4076-124-0x0000000000000000-mapping.dmp

Download