buran | 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

Analysis

max time kernel
151s
max time network
134s
platform
windows7_x64
resource
win7v20201028
submitted
12-12-2020 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202010121236.scr
Size

449KB
MD5

574f031251f67bcc6ea9168364d2fbfd
SHA1

f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256

438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512

d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: yongloun@tutanota.com and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: wiruxa@airmail.cc Reserved email: anygrishevich@yandex.ru Your personal ID: 128-806-0EA Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

wiruxa@airmail.cc

anygrishevich@yandex.ru

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

spoolsv.exespoolsv.exe

pid process

1460 spoolsv.exe
1580 spoolsv.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1648 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

202010121236.scrspoolsv.exe

pid process

1368 202010121236.scr
1460 spoolsv.exe

pid	process
1648	notepad.exe

pid	process
1368	202010121236.scr
1460	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

202010121236.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	202010121236.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	202010121236.scr

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	process
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 geoiptool.com

flow	ioc
6	geoiptool.com

Drops file in Program Files directory 13760 IoCs

Processes:

spoolsv.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR25F.GIF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02957_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02386_.WMF	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04323_.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESPS.ICO	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187921.WMF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01839_.GIF.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg.128-806-0EA	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF.128-806-0EA	spoolsv.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1148 vssadmin.exe
1892 vssadmin.exe

pid	process
1148	vssadmin.exe
1892	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

202010121236.scrspoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	202010121236.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	202010121236.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	202010121236.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 1183 IoCs

Processes:

spoolsv.exe

pid	process
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe
1460	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

202010121236.scrWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1368	202010121236.scr
Token: SeDebugPrivilege	1368	202010121236.scr
Token: SeIncreaseQuotaPrivilege	588	WMIC.exe
Token: SeSecurityPrivilege	588	WMIC.exe
Token: SeTakeOwnershipPrivilege	588	WMIC.exe
Token: SeLoadDriverPrivilege	588	WMIC.exe
Token: SeSystemProfilePrivilege	588	WMIC.exe
Token: SeSystemtimePrivilege	588	WMIC.exe
Token: SeProfSingleProcessPrivilege	588	WMIC.exe
Token: SeIncBasePriorityPrivilege	588	WMIC.exe
Token: SeCreatePagefilePrivilege	588	WMIC.exe
Token: SeBackupPrivilege	588	WMIC.exe
Token: SeRestorePrivilege	588	WMIC.exe
Token: SeShutdownPrivilege	588	WMIC.exe
Token: SeDebugPrivilege	588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	588	WMIC.exe
Token: SeRemoteShutdownPrivilege	588	WMIC.exe
Token: SeUndockPrivilege	588	WMIC.exe
Token: SeManageVolumePrivilege	588	WMIC.exe
Token: 33	588	WMIC.exe
Token: 34	588	WMIC.exe
Token: 35	588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: SeBackupPrivilege	956	vssvc.exe
Token: SeRestorePrivilege	956	vssvc.exe
Token: SeAuditPrivilege	956	vssvc.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

202010121236.scrspoolsv.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1368 wrote to memory of 1460	1368	202010121236.scr	spoolsv.exe
PID 1368 wrote to memory of 1460	1368	202010121236.scr	spoolsv.exe
PID 1368 wrote to memory of 1460	1368	202010121236.scr	spoolsv.exe
PID 1368 wrote to memory of 1460	1368	202010121236.scr	spoolsv.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1368 wrote to memory of 1648	1368	202010121236.scr	notepad.exe
PID 1460 wrote to memory of 1700	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1700	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1700	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1700	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1592	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1592	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1592	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1592	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 268	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 268	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 268	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 268	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1636	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1636	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1636	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1636	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1796	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1796	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1796	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1796	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 576	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 576	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 576	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 576	1460	spoolsv.exe	cmd.exe
PID 1460 wrote to memory of 1580	1460	spoolsv.exe	spoolsv.exe
PID 1460 wrote to memory of 1580	1460	spoolsv.exe	spoolsv.exe
PID 1460 wrote to memory of 1580	1460	spoolsv.exe	spoolsv.exe
PID 1460 wrote to memory of 1580	1460	spoolsv.exe	spoolsv.exe
PID 1796 wrote to memory of 1148	1796	cmd.exe	vssadmin.exe
PID 1796 wrote to memory of 1148	1796	cmd.exe	vssadmin.exe
PID 1796 wrote to memory of 1148	1796	cmd.exe	vssadmin.exe
PID 1796 wrote to memory of 1148	1796	cmd.exe	vssadmin.exe
PID 1700 wrote to memory of 588	1700	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 588	1700	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 588	1700	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 588	1700	cmd.exe	WMIC.exe
PID 576 wrote to memory of 828	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 828	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 828	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 828	576	cmd.exe	WMIC.exe
PID 576 wrote to memory of 1892	576	cmd.exe	vssadmin.exe
PID 576 wrote to memory of 1892	576	cmd.exe	vssadmin.exe
PID 576 wrote to memory of 1892	576	cmd.exe	vssadmin.exe
PID 576 wrote to memory of 1892	576	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\202010121236.scr
"C:\Users\Admin\AppData\Local\Temp\202010121236.scr" /S
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1148

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
85934f14cc9248f76c58dc21180b4f15

SHA1
5ae41d9bea1cd413260de621f2302febd1e00323

SHA256
0d0b47c2e46b455f2d5b2bc0893585790da8a86e36f4a45311bf0a579a5efe58

SHA512
8496972fcf149a5df72b1a9aef3865c27fe0b9cba9e3af03b0a562c8b64a89d8834a3c18008d1610fab0741decadfdb1c14f9c1b9d1307bbb23a0b6a148b5e88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
4bddfe3851f7aa064be1b88af5e4516d

SHA1
2619398420a8e45f8f68c7c02ff2fd8c5ae3f18a

SHA256
1427416bef65c2419a8fc224206c5131d6d7b391bc74faae87859640ce0fc3dc

SHA512
1874f93cc946fe5a1f1852f0bb740247cb8835993d7cd217e1347af794b6f606c9ad9c1b6b0604c229296d170961c88d0b31824b9f854d326fe8b10557e84040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a54e6020d8dade29e93e679d7d067676

SHA1
1ff53fa146566b3dc7a4dc43c91650a89b0bca5f

SHA256
3762d5141f299aa6d5bb5197aa8459d1741a4602c875a14531b77ebc861c7bbb

SHA512
87da29500b7ca80c15eea68253298c50073e2c643aae474b700ddd8117f7eac6bd53fc9a5358aa2bebe513e2041ca101337a13f21f0ef16450607ecc7f57b43d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
e701dced7f71531010737b88f0aae2ae

SHA1
2b681bc734b3b3fadb6bd72fdf358d710dffbd67

SHA256
661e189327784fc1cbbc426d063482ab68f7eaf4f01e4c34256d3d1df70ab2df

SHA512
db233914794efe239b55c5f9005ca5e04410111fe4bbd76f8a45fed7d608310905c6646c689fa2603a48768df765fdc4152a5f7fd1b19daff89a1a7b2df6ebc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
0ab9b1924797144ddb10af6b1885a010

SHA1
351ff7400e78ff4a5b4345ec8648592b61477ee6

SHA256
3c0e5fedfa7fb056e5f9f99e6a768e9ca129638928f2f293071dd8a61f0dea12

SHA512
28a08537055ab9b30b1168171c845da4c3231254d1f1cbdc94dbc85f18226e3ecabf40e9d8dba70018000f607830f826110a97300d8f738b3c327e2e02665753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
91236466d1cd77743c5ae5ab0510f08c

SHA1
65928c8697e72d0175d7c94981b835f083042a19

SHA256
fedce7da5b18bc0bb1347c627064ad334952abdf35d1be18a7d2d357a1b802f7

SHA512
f7f8e8a57336b593081297da88c938a10bcd9a0ca364e0a435e0defee00e943f56fd9823544cf80dcd26c57c9d5663f7d916583ad644db4c2b8f6aeefc1ed37f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8c80560d5ee82439c063eae42f31984f

SHA1
93498285e878572647b471bb09988ef8c3e04b41

SHA256
34528b3d20c173076a1dd7ec5a0133e022f9866c15e22bd5813b0b0240818064

SHA512
770f1c7d4252b6be2e64fa15fe8a73c9d07d9166fd264fa5c57afc253a2c914851c3a023186769099e138645937075c672e7cb6521c28d7bc2d8f0f837b05359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\QRJVIHYQ.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\E3M1F9WA.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
574f031251f67bcc6ea9168364d2fbfd

SHA1
f5d6140140829eaa550d2ef57b3ca8281b3d79bb

SHA256
438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8

SHA512
d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b

Download Submit
memory/268-19-0x0000000000000000-mapping.dmp

Download
memory/576-22-0x0000000000000000-mapping.dmp

Download
memory/588-28-0x0000000000000000-mapping.dmp

Download
memory/828-30-0x0000000000000000-mapping.dmp

Download
memory/1148-27-0x0000000000000000-mapping.dmp

Download
memory/1460-4-0x0000000000000000-mapping.dmp

Download
memory/1576-2-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1580-25-0x0000000000000000-mapping.dmp

Download
memory/1592-18-0x0000000000000000-mapping.dmp

Download
memory/1636-20-0x0000000000000000-mapping.dmp

Download
memory/1648-6-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1648-7-0x0000000000000000-mapping.dmp

Download
memory/1700-17-0x0000000000000000-mapping.dmp

Download
memory/1796-21-0x0000000000000000-mapping.dmp

Download
memory/1892-31-0x0000000000000000-mapping.dmp

Download