buran | 0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

Analysis

max time kernel
4294213s
max time network
123s
platform
windows7_x64
resource
win7-20220311-en
submitted
28-03-2022 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Size

423KB
MD5

b8546e288ba47f4be8615e73d26f2215
SHA1

0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e
SHA256

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6
SHA512

29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: F0D-028-47E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1980	spoolsv.exe
1076	spoolsv.exe

Deletes itself 1 IoCs

pid	Process
1480	notepad.exe

Loads dropped DLL 2 IoCs

pid	Process
1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
1980	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC1.WMF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01216_.WMF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01634_.WMF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgRes.dll.mui	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01080_.WMF.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.F0D-028-47E	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.F0D-028-47E	spoolsv.exe
File created	C:\Program Files\Java\jre7\lib\security\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9.F0D-028-47E	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1320	vssadmin.exe
1416	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Token: SeDebugPrivilege	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe
Token: SeSecurityPrivilege	904	WMIC.exe
Token: SeTakeOwnershipPrivilege	904	WMIC.exe
Token: SeLoadDriverPrivilege	904	WMIC.exe
Token: SeSystemProfilePrivilege	904	WMIC.exe
Token: SeSystemtimePrivilege	904	WMIC.exe
Token: SeProfSingleProcessPrivilege	904	WMIC.exe
Token: SeIncBasePriorityPrivilege	904	WMIC.exe
Token: SeCreatePagefilePrivilege	904	WMIC.exe
Token: SeBackupPrivilege	904	WMIC.exe
Token: SeRestorePrivilege	904	WMIC.exe
Token: SeShutdownPrivilege	904	WMIC.exe
Token: SeDebugPrivilege	904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	904	WMIC.exe
Token: SeRemoteShutdownPrivilege	904	WMIC.exe
Token: SeUndockPrivilege	904	WMIC.exe
Token: SeManageVolumePrivilege	904	WMIC.exe
Token: 33	904	WMIC.exe
Token: 34	904	WMIC.exe
Token: 35	904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	904	WMIC.exe
Token: SeSecurityPrivilege	904	WMIC.exe
Token: SeTakeOwnershipPrivilege	904	WMIC.exe
Token: SeLoadDriverPrivilege	904	WMIC.exe
Token: SeSystemProfilePrivilege	904	WMIC.exe
Token: SeSystemtimePrivilege	904	WMIC.exe
Token: SeProfSingleProcessPrivilege	904	WMIC.exe
Token: SeIncBasePriorityPrivilege	904	WMIC.exe
Token: SeCreatePagefilePrivilege	904	WMIC.exe
Token: SeBackupPrivilege	904	WMIC.exe
Token: SeRestorePrivilege	904	WMIC.exe
Token: SeShutdownPrivilege	904	WMIC.exe
Token: SeDebugPrivilege	904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	904	WMIC.exe
Token: SeRemoteShutdownPrivilege	904	WMIC.exe
Token: SeUndockPrivilege	904	WMIC.exe
Token: SeManageVolumePrivilege	904	WMIC.exe
Token: 33	904	WMIC.exe
Token: 34	904	WMIC.exe
Token: 35	904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1980	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	29
PID 1832 wrote to memory of 1980	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	29
PID 1832 wrote to memory of 1980	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	29
PID 1832 wrote to memory of 1980	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	29
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1832 wrote to memory of 1480	1832	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	30
PID 1980 wrote to memory of 1132	1980	spoolsv.exe	34
PID 1980 wrote to memory of 1132	1980	spoolsv.exe	34
PID 1980 wrote to memory of 1132	1980	spoolsv.exe	34
PID 1980 wrote to memory of 1132	1980	spoolsv.exe	34
PID 1980 wrote to memory of 1656	1980	spoolsv.exe	36
PID 1980 wrote to memory of 1656	1980	spoolsv.exe	36
PID 1980 wrote to memory of 1656	1980	spoolsv.exe	36
PID 1980 wrote to memory of 1656	1980	spoolsv.exe	36
PID 1980 wrote to memory of 1052	1980	spoolsv.exe	38
PID 1980 wrote to memory of 1052	1980	spoolsv.exe	38
PID 1980 wrote to memory of 1052	1980	spoolsv.exe	38
PID 1980 wrote to memory of 1052	1980	spoolsv.exe	38
PID 1980 wrote to memory of 1812	1980	spoolsv.exe	41
PID 1980 wrote to memory of 1812	1980	spoolsv.exe	41
PID 1980 wrote to memory of 1812	1980	spoolsv.exe	41
PID 1980 wrote to memory of 1812	1980	spoolsv.exe	41
PID 1132 wrote to memory of 904	1132	cmd.exe	40
PID 1132 wrote to memory of 904	1132	cmd.exe	40
PID 1132 wrote to memory of 904	1132	cmd.exe	40
PID 1132 wrote to memory of 904	1132	cmd.exe	40
PID 1980 wrote to memory of 2020	1980	spoolsv.exe	43
PID 1980 wrote to memory of 2020	1980	spoolsv.exe	43
PID 1980 wrote to memory of 2020	1980	spoolsv.exe	43
PID 1980 wrote to memory of 2020	1980	spoolsv.exe	43
PID 1980 wrote to memory of 1152	1980	spoolsv.exe	44
PID 1980 wrote to memory of 1152	1980	spoolsv.exe	44
PID 1980 wrote to memory of 1152	1980	spoolsv.exe	44
PID 1980 wrote to memory of 1152	1980	spoolsv.exe	44
PID 1980 wrote to memory of 1076	1980	spoolsv.exe	47
PID 1980 wrote to memory of 1076	1980	spoolsv.exe	47
PID 1980 wrote to memory of 1076	1980	spoolsv.exe	47
PID 1980 wrote to memory of 1076	1980	spoolsv.exe	47
PID 2020 wrote to memory of 1320	2020	cmd.exe	49
PID 2020 wrote to memory of 1320	2020	cmd.exe	49
PID 2020 wrote to memory of 1320	2020	cmd.exe	49
PID 2020 wrote to memory of 1320	2020	cmd.exe	49
PID 1152 wrote to memory of 1728	1152	cmd.exe	48
PID 1152 wrote to memory of 1728	1152	cmd.exe	48
PID 1152 wrote to memory of 1728	1152	cmd.exe	48
PID 1152 wrote to memory of 1728	1152	cmd.exe	48
PID 1152 wrote to memory of 1416	1152	cmd.exe	52
PID 1152 wrote to memory of 1416	1152	cmd.exe	52
PID 1152 wrote to memory of 1416	1152	cmd.exe	52
PID 1152 wrote to memory of 1416	1152	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
"C:\Users\Admin\AppData\Local\Temp\0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1076
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
728B

MD5
a115ab8dafff2ba9ef773c5c4c282723

SHA1
c0391d76dbba79176905fdffdd865053e7892ac7

SHA256
2b14412e5c2bed1e3c8a3414a403366a9ad377d228434d147ab16aba1124cbd4

SHA512
d7df5525ee4b6ee6796f005c1146634f122043183e6bf901d5575f82197f6d876bb01e29c02c7d7171cdddb1fa96ed5b15bcbb32b78d7c780d7cf0b0dec70599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
451c60aee59ebd445876be838648d763

SHA1
8b14d0202ca7666f6419ebec052777632880d15c

SHA256
3aead2c16852aa9b1307ee68ebf5579c568c0f776bae0a0262b42b8b1056dc44

SHA512
80d955ef97db08f8cb5d073600fc725fe9c2b65753b299430de2a2acee9aa8573772418e0a3f3908b05f3e5d45ffed399ec3012cb424378a2d45f96ba102a486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
ddb0f5f29483e3a5e3a152893bc363a9

SHA1
36c603ad11d23f33041039d3bd9eee47db013768

SHA256
4fab56d7bc76e0393be1bca6d52b7cb778424bf99e1efbc1725b44cdd557764b

SHA512
580401ebbe4eab757884badb51e5f650ec558bc09b2ae92cc47669061c13f9389a9a951ead537a79382b13d066515ced1c3a8557da6a8d287fc1bb16ee23a9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
b11984e19895d7c97338c687924d3687

SHA1
0096f52de299fea64a2d0c8778d2bc56de1d799b

SHA256
11f43506a4250df89448f5b64bbe782b7770c38393e8bbc3f60949b63c82d2bb

SHA512
358ef86102952b65b938c88c77f235e8627c2133f6c61dfaee0f031b900feff513ad277bdac64f383d80e1d2c2c88c63b97eb47c3a8c22fe85813b4681cc6a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
b1f0cf81d17bd27fc297a44f41e13266

SHA1
91153ea9842c3f8358b9b7868c55592dcb83b815

SHA256
f22013182236372d4aa2034155d357ab225361ebbc2ee77029439728037f6637

SHA512
2d34191461135b68fcbbbca59d7489bdbf99e1337b3500eb0ebc2830c647c9f844ce44069b5d5107f40cfa062dace1a4489688cbbefe0cbe4cde2a75a45033ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e39db9b75b5a84ba99d79c9910303942

SHA1
b8927a7ad42f255794b29fd58e536feab4df61ce

SHA256
a104211036d942dcdb7e664ee0b109bedaa9c034bb3172c3001d12733ef73cc3

SHA512
857aec3789cb982a1fccdf19effaf82a284e98765b6a785afb7dbd288bd949f0ff5b1496789c04250e773b4523e6b23b1daad00827904703a37d8b380021a15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
2b515eb5a452197a8ff0f0d2d1bb0887

SHA1
c72066af41a7b5c61b5ef99f8a158365f7f4de09

SHA256
b0700f715d718b8d102d7ce22ce9a2fa80e4049ff7c45fd90c580ed7c1abce8f

SHA512
dfdeb79a3e56fda793642d264abfb8a96d2c1208b66f686bb1f8017dc98c7882225e8caa5591598124f31f5876fec0bde45b4d8b951a89bda004f7bdf60c2517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\6QXYC6F1.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VWB6EIWR\5GLNQV13.htm

Filesize
18KB

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
memory/1076-96-0x0000000001DD0000-0x0000000001F7A000-memory.dmp

Filesize
1.7MB

Download
memory/1076-97-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/1480-61-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1832-55-0x00000000020D0000-0x000000000227A000-memory.dmp

Filesize
1.7MB

Download
memory/1832-56-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/1832-54-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/1980-69-0x0000000001E50000-0x0000000001FFA000-memory.dmp

Filesize
1.7MB

Download
memory/1980-71-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download