f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

Resubmissions

08-06-2024 15:19

240608-sqmvesch2s 10

06-11-2020 15:33

201106-nz68d98cw2 10

Analysis

max time kernel
155s
max time network
138s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
Size

212KB
MD5

723825ad69a5d55a1e5ed3d1ee831f0d
SHA1

7e082df63c3de0f8bf9d38edf72ba5268078275a
SHA256

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
SHA512

dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\RECOVERY DATA INFORMATION.TXT

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address [email protected] In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 342-09B-CF1

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

spoolsv.exespoolsv.exe

pid process

1836 spoolsv.exe
1524 spoolsv.exe

pid	process
1836	spoolsv.exe
1524	spoolsv.exe

Loads dropped DLL 3 IoCs

Processes:

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exespoolsv.exe

pid	process
1816	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
1816	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
1836	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	process
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 geoiptool.com

flow	ioc
6	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 4253 IoCs

Processes:

spoolsv.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.342-09B-CF1	spoolsv.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\InitializeGrant.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.342-09B-CF1	spoolsv.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	spoolsv.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\RECOVERY DATA INFORMATION.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.342-09B-CF1	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	spoolsv.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2008 vssadmin.exe
932 vssadmin.exe

pid	process
2008	vssadmin.exe
932	vssadmin.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

spoolsv.exef247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 83 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1880	WMIC.exe
Token: SeSecurityPrivilege	1880	WMIC.exe
Token: SeTakeOwnershipPrivilege	1880	WMIC.exe
Token: SeLoadDriverPrivilege	1880	WMIC.exe
Token: SeSystemProfilePrivilege	1880	WMIC.exe
Token: SeSystemtimePrivilege	1880	WMIC.exe
Token: SeProfSingleProcessPrivilege	1880	WMIC.exe
Token: SeIncBasePriorityPrivilege	1880	WMIC.exe
Token: SeCreatePagefilePrivilege	1880	WMIC.exe
Token: SeBackupPrivilege	1880	WMIC.exe
Token: SeRestorePrivilege	1880	WMIC.exe
Token: SeShutdownPrivilege	1880	WMIC.exe
Token: SeDebugPrivilege	1880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1880	WMIC.exe
Token: SeRemoteShutdownPrivilege	1880	WMIC.exe
Token: SeUndockPrivilege	1880	WMIC.exe
Token: SeManageVolumePrivilege	1880	WMIC.exe
Token: 33	1880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	112	WMIC.exe
Token: 34	1880	WMIC.exe
Token: SeSecurityPrivilege	112	WMIC.exe
Token: 35	1880	WMIC.exe
Token: SeTakeOwnershipPrivilege	112	WMIC.exe
Token: SeLoadDriverPrivilege	112	WMIC.exe
Token: SeSystemProfilePrivilege	112	WMIC.exe
Token: SeSystemtimePrivilege	112	WMIC.exe
Token: SeProfSingleProcessPrivilege	112	WMIC.exe
Token: SeIncBasePriorityPrivilege	112	WMIC.exe
Token: SeCreatePagefilePrivilege	112	WMIC.exe
Token: SeBackupPrivilege	112	WMIC.exe
Token: SeRestorePrivilege	112	WMIC.exe
Token: SeShutdownPrivilege	112	WMIC.exe
Token: SeDebugPrivilege	112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	112	WMIC.exe
Token: SeRemoteShutdownPrivilege	112	WMIC.exe
Token: SeUndockPrivilege	112	WMIC.exe
Token: SeManageVolumePrivilege	112	WMIC.exe
Token: 33	112	WMIC.exe
Token: 34	112	WMIC.exe
Token: 35	112	WMIC.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe
Token: SeIncreaseQuotaPrivilege	112	WMIC.exe
Token: SeSecurityPrivilege	112	WMIC.exe
Token: SeTakeOwnershipPrivilege	112	WMIC.exe
Token: SeLoadDriverPrivilege	112	WMIC.exe
Token: SeSystemProfilePrivilege	112	WMIC.exe
Token: SeSystemtimePrivilege	112	WMIC.exe
Token: SeProfSingleProcessPrivilege	112	WMIC.exe
Token: SeIncBasePriorityPrivilege	112	WMIC.exe
Token: SeCreatePagefilePrivilege	112	WMIC.exe
Token: SeBackupPrivilege	112	WMIC.exe
Token: SeRestorePrivilege	112	WMIC.exe
Token: SeShutdownPrivilege	112	WMIC.exe
Token: SeDebugPrivilege	112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	112	WMIC.exe
Token: SeRemoteShutdownPrivilege	112	WMIC.exe
Token: SeUndockPrivilege	112	WMIC.exe
Token: SeManageVolumePrivilege	112	WMIC.exe
Token: 33	112	WMIC.exe
Token: 34	112	WMIC.exe
Token: 35	112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1880	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exespoolsv.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1816 wrote to memory of 1836	1816	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe	spoolsv.exe
PID 1816 wrote to memory of 1836	1816	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe	spoolsv.exe
PID 1816 wrote to memory of 1836	1816	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe	spoolsv.exe
PID 1816 wrote to memory of 1836	1816	f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe	spoolsv.exe
PID 1836 wrote to memory of 1680	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1680	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1680	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1680	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1652	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1652	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1652	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1652	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1520	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1520	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1520	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1520	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1708	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1708	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1708	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1708	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 944	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 944	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 944	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 944	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1424	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1424	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1424	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1424	1836	spoolsv.exe	cmd.exe
PID 1836 wrote to memory of 1524	1836	spoolsv.exe	spoolsv.exe
PID 1836 wrote to memory of 1524	1836	spoolsv.exe	spoolsv.exe
PID 1836 wrote to memory of 1524	1836	spoolsv.exe	spoolsv.exe
PID 1836 wrote to memory of 1524	1836	spoolsv.exe	spoolsv.exe
PID 944 wrote to memory of 2008	944	cmd.exe	vssadmin.exe
PID 944 wrote to memory of 2008	944	cmd.exe	vssadmin.exe
PID 944 wrote to memory of 2008	944	cmd.exe	vssadmin.exe
PID 944 wrote to memory of 2008	944	cmd.exe	vssadmin.exe
PID 1680 wrote to memory of 1880	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1880	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1880	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 1880	1680	cmd.exe	WMIC.exe
PID 1424 wrote to memory of 112	1424	cmd.exe	WMIC.exe
PID 1424 wrote to memory of 112	1424	cmd.exe	WMIC.exe
PID 1424 wrote to memory of 112	1424	cmd.exe	WMIC.exe
PID 1424 wrote to memory of 112	1424	cmd.exe	WMIC.exe
PID 1424 wrote to memory of 932	1424	cmd.exe	vssadmin.exe
PID 1424 wrote to memory of 932	1424	cmd.exe	vssadmin.exe
PID 1424 wrote to memory of 932	1424	cmd.exe	vssadmin.exe
PID 1424 wrote to memory of 932	1424	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
"C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
94b4ad73963959e339923ddcabf6b331

SHA1
aa2c6af08dd5478d326c90ef2146c3ee2a7b55b2

SHA256
8945240c6d037d35d6124ac4b9815a8d74d785fa30c2c4b2fd54ed2fb68f58f4

SHA512
aefafb7d184e5564bdc65311e52619950f603fb89259de2af3b8f9fa05c346bf9e3f33b9cbe05a01389ef97642c7e37299ce8b9b4f3cb9f6d4e9a6877c537126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3208da0c038576623565b095fcea4ad1

SHA1
bc421f8eb4b9c6100aa444edece988c01dd63b26

SHA256
16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b

SHA512
17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c6f27d5d1ee450d3400bf13e0804fce6

SHA1
2d0505f90eca6a49ca15b742aa5ef9ef01c7af41

SHA256
2c01ba329cfb39b6141b3c98d662ba24eb458e051fb7de79f975e681e8b4327a

SHA512
75687ddffd7021a033d19049f0cc05bbccd97a1433c06738a04590ed660996f669838514fe9f3b7c4b2eb494cf8a594f54bab1446cc915da4a042c3a327adc3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
2b8543d7ed94b03fd40958ef8378b8ad

SHA1
91e164d0d5090b639b9b15332e7cbb6778ef324b

SHA256
dd83b32ee7c14b065c965fd0a51f9e1f954080e8dfd863c45da3233e2983baf2

SHA512
9b45c9ebf3cb3d9c6a14154bcdb38de3f17adf4cea32f463294d04124b604114c2e372415b2967cd1482587090cf4d0ebb1839b7fd7109cd312257c45a3231fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
4e821a1ad005656bacc49481361fe41a

SHA1
761d37ba990fe6433332fc6d9c4835c48f9d84aa

SHA256
db42788325c0a1d0ec8c651b474eb0b3a1539cff9724826d162ea46077d83f90

SHA512
4ded13bad6d11316471aeeed3cd7f81d1a312a9f33142f8b25835049f18058b639ab851dd6c50e41fdf78c8657e95670f9f9342210bcc25fa97090ed8165d6da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e8ca5d5ac9c39d0f8eeb46320cce8132

SHA1
36b4770964ab88ea17dc0830af92594a143c42bf

SHA256
6c67965c5142445e42b15da1f88a8b8e1342a3348b41e1db01c0dfe98c44d8ba

SHA512
380b9f9ca7a5f27958a2fbd9c1de20940d0cdf500b5c2107590321be7b530493620669f9988bf5cf0330acd0866b60e9ce4e7a1d704f102a4ce0f74e9a4d21e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1658aa9ebbc8abddcbbe7e34800695d5

SHA1
b2f8bc5b5184ceda4fbf6935dd38c8237b1422d2

SHA256
cb85251174ab9abdf5105bc263758021e88e208a7f7f8f0999180cf6ca8cfb9a

SHA512
5fc45424d18ab9d5c0409e71955284e2e599659c6f9540fb106e795f59bfd5e750755d3ede7aa95a797be715f12c36fa02e684ed96760e1a16fe2d2980bb6d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\Y8N9TH45.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\LHL1WXN2.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
78215698f8f9dc7941c9c287642bd02c

SHA1
633cd0a6c76f080cdb6e0c98034b0b5dd7283a47

SHA256
dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5

SHA512
c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
723825ad69a5d55a1e5ed3d1ee831f0d

SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a

SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

Download Submit
memory/112-27-0x0000000000000000-mapping.dmp

Download
memory/932-28-0x0000000000000000-mapping.dmp

Download
memory/944-18-0x0000000000000000-mapping.dmp

Download
memory/1424-19-0x0000000000000000-mapping.dmp

Download
memory/1520-16-0x0000000000000000-mapping.dmp

Download
memory/1524-22-0x0000000000000000-mapping.dmp

Download
memory/1652-15-0x0000000000000000-mapping.dmp

Download
memory/1668-0-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp

Filesize
2.5MB

Download
memory/1680-14-0x0000000000000000-mapping.dmp

Download
memory/1708-17-0x0000000000000000-mapping.dmp

Download
memory/1836-3-0x0000000000000000-mapping.dmp

Download
memory/1880-25-0x0000000000000000-mapping.dmp

Download
memory/2008-24-0x0000000000000000-mapping.dmp

Download