Analysis Overview
SHA256
ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03
Threat Level: Known bad
The file ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 was found to be: Known bad.
Malicious Activity Summary
SaintBot
Suspicious use of NtCreateProcessExOtherParentProcess
SaintBot Payload
Executes dropped EXE
Deletes itself
Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Maps connected drives based on registry
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Checks processor information in registry
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-03 17:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-28 03:12
Reported
2022-02-28 03:16
Platform
win7-en-20211208
Max time kernel
120s
Max time network
131s
Command Line
Signatures
SaintBot
SaintBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs" | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\EhStorAuthn.exe | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe
"C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\del.bat
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | smm2021.net | udp |
| FR | 193.70.26.190:80 | smm2021.net | tcp |
Files
memory/1620-55-0x0000000000B9B000-0x0000000000BA2000-memory.dmp
memory/1620-56-0x0000000000B9B000-0x0000000000BA2000-memory.dmp
memory/1620-57-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1620-58-0x0000000076641000-0x0000000076643000-memory.dmp
memory/1620-59-0x0000000000400000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe
| MD5 | 247951ff7b519fa8d39ef07d33e0ba5b |
| SHA1 | cf4587b6015d2a00c26a369339504595a266401f |
| SHA256 | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
| SHA512 | 6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe
| MD5 | 247951ff7b519fa8d39ef07d33e0ba5b |
| SHA1 | cf4587b6015d2a00c26a369339504595a266401f |
| SHA256 | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
| SHA512 | 6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe
| MD5 | 247951ff7b519fa8d39ef07d33e0ba5b |
| SHA1 | cf4587b6015d2a00c26a369339504595a266401f |
| SHA256 | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
| SHA512 | 6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7 |
memory/648-63-0x00000000002EB000-0x00000000002F2000-memory.dmp
memory/648-66-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/648-65-0x00000000002EB000-0x00000000002F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\del.bat
| MD5 | 9b1143ff58ed5cb62d5217076eaf0964 |
| SHA1 | f67b957fbfd107aeaed1f48733e13c3dc7d6b1af |
| SHA256 | 5e2151e781bf9cf36e4fc6a6d13d4686fa6375edfbe7143b1a3a40e0a4415556 |
| SHA512 | 7f63336f33ea624a04984855b8d9e541a75c18dea067b92d153a79750c23716743e112f198dc65ba2ca1ddc5a7ad7bb5eb0076de54fbdba27862592b16cbc095 |
C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45013.exe
| MD5 | 247951ff7b519fa8d39ef07d33e0ba5b |
| SHA1 | cf4587b6015d2a00c26a369339504595a266401f |
| SHA256 | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
| SHA512 | 6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7 |
memory/452-72-0x0000000000080000-0x000000000008B000-memory.dmp
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-28 03:12
Reported
2022-02-28 03:16
Platform
win10v2004-en-20220113
Max time kernel
130s
Max time network
136s
Command Line
Signatures
SaintBot
SaintBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4996 created 1996 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe |
| PID 2008 created 2756 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs" | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\EhStorAuthn.exe | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\EhStorAuthn.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe
"C:\Users\Admin\AppData\Local\Temp\ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 908
C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 632
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F
Network
| Country | Destination | Domain | Proto |
| NL | 8.248.5.254:80 | tcp | |
| NL | 8.248.5.254:80 | tcp | |
| US | 8.8.8.8:53 | smm2021.net | udp |
| FR | 193.70.26.190:80 | smm2021.net | tcp |
Files
memory/1996-130-0x0000000000CFD000-0x0000000000D04000-memory.dmp
memory/1996-131-0x0000000000CFD000-0x0000000000D04000-memory.dmp
memory/1996-132-0x0000000000B60000-0x0000000000B69000-memory.dmp
memory/1996-133-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe
| MD5 | 247951ff7b519fa8d39ef07d33e0ba5b |
| SHA1 | cf4587b6015d2a00c26a369339504595a266401f |
| SHA256 | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
| SHA512 | 6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42850.exe
| MD5 | 247951ff7b519fa8d39ef07d33e0ba5b |
| SHA1 | cf4587b6015d2a00c26a369339504595a266401f |
| SHA256 | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
| SHA512 | 6185aeae2dbb154ba4fef27eb7dc71a1e6a8ba7e1ca69cbbe5aeb9588b29d95608e32e9f46f8d60183584903f3bbffbd5a603f5717a84f18ad81bb5088ee7bd7 |
C:\Users\Admin\AppData\Roaming\del.bat
| MD5 | 9b1143ff58ed5cb62d5217076eaf0964 |
| SHA1 | f67b957fbfd107aeaed1f48733e13c3dc7d6b1af |
| SHA256 | 5e2151e781bf9cf36e4fc6a6d13d4686fa6375edfbe7143b1a3a40e0a4415556 |
| SHA512 | 7f63336f33ea624a04984855b8d9e541a75c18dea067b92d153a79750c23716743e112f198dc65ba2ca1ddc5a7ad7bb5eb0076de54fbdba27862592b16cbc095 |
memory/2756-137-0x0000000000D3D000-0x0000000000D43000-memory.dmp
memory/2756-138-0x0000000000D3D000-0x0000000000D43000-memory.dmp
memory/2756-139-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/1724-142-0x0000000001290000-0x000000000129B000-memory.dmp
C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |