Overview

overview

10

Static

static

10

spoolsv.exe

windows7-x64

10

spoolsv.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spoolsv.exe

  • Size

    135KB

  • MD5

    fcfae4fdcc273f8a46c51d49fa8a4a03

  • SHA1

    3a0e314b7bbdf5467df8b92a348c1b464fd502b0

  • SHA256

    49ff687dbb13ed84815f3f57c660a0a4fc5cb21c82b605ce53338538a864586d

  • SHA512

    50e6960d98dbc8d63975b0514deb6e9f7266a054e129902ac2ecf7c8500c84e5125d4896c9ec54a4187971832abfe2c575fd4c166baea39712b35f2f35e000f7

  • SSDEEP

    3072:pG+KeZW7bSWaWDbkDOrZBRHQbPRyZ2pPYU:pU17buWDbkiBR8AZ2

Score
10/10
redlinexworml3monlogsdiscoveryexecutioninfostealerpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

78.70.235.238:7000

f8terat.ddns.net:7000
Attributes
  • Install_directory

    %Temp%

  • install_file

    spoolsv.exe

  • telegram

    https://api.telegram.org/bot7742194912:AAGSH51C4BpkbbvEQlO-cv-lDoJZMVxqyN4/sendMessage?chat_id=5456205643

Extracted

Family

redline

Botnet

l3monlogs

C2

78.70.235.238:1912

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1900
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff374a46f8,0x7fff374a4708,0x7fff374a4718
        3⤵
          PID:1548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
          3⤵
            PID:1516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1512
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
            3⤵
              PID:2184
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              3⤵
                PID:2896
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                3⤵
                  PID:1848
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                  3⤵
                    PID:3492
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2792
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
                    3⤵
                      PID:3420
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
                      3⤵
                        PID:2188
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                        3⤵
                          PID:4228
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8666919775905449649,7667465553708692983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
                          3⤵
                            PID:944
                        • C:\Users\Admin\AppData\Local\Temp\jrrjiw.exe
                          "C:\Users\Admin\AppData\Local\Temp\jrrjiw.exe"
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1192
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:1800
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2452
                          • C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
                            C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2032
                          • C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
                            C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1440

                          Network

                          MITRE ATT&CK Enterprise v15

                          Reconnaissance

                          Resource Development

                          Initial Access

                          Execution

                          Command and Scripting Interpreter

                          1
                          T1059

                          PowerShell

                          1
                          T1059.001

                          Scheduled Task/Job

                          1
                          T1053

                          Scheduled Task

                          1
                          T1053.005

                          Persistence

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Registry Run Keys / Startup Folder

                          1
                          T1547.001

                          Scheduled Task/Job

                          1
                          T1053

                          Scheduled Task

                          1
                          T1053.005

                          Privilege Escalation

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Registry Run Keys / Startup Folder

                          1
                          T1547.001

                          Scheduled Task/Job

                          1
                          T1053

                          Scheduled Task

                          1
                          T1053.005

                          Defense Evasion

                          Modify Registry

                          2
                          T1112

                          Credential Access

                          Credentials from Password Stores

                          1
                          T1555

                          Credentials from Web Browsers

                          1
                          T1555.003

                          Unsecured Credentials

                          2
                          T1552

                          Credentials In Files

                          2
                          T1552.001

                          Discovery

                          Browser Information Discovery

                          1
                          T1217

                          Query Registry

                          4
                          T1012

                          System Information Discovery

                          3
                          T1082

                          System Location Discovery

                          1
                          T1614

                          System Language Discovery

                          1
                          T1614.001

                          Lateral Movement

                          Collection

                          Data from Local System

                          2
                          T1005

                          Command and Control

                          Exfiltration

                          Impact

                          Defacement

                          1
                          T1491

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            2KB

                            MD5

                            a43e653ffb5ab07940f4bdd9cc8fade4

                            SHA1

                            af43d04e3427f111b22dc891c5c7ee8a10ac4123

                            SHA256

                            c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

                            SHA512

                            62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
                            Filesize

                            654B

                            MD5

                            2ff39f6c7249774be85fd60a8f9a245e

                            SHA1

                            684ff36b31aedc1e587c8496c02722c6698c1c4e

                            SHA256

                            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                            SHA512

                            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            a0486d6f8406d852dd805b66ff467692

                            SHA1

                            77ba1f63142e86b21c951b808f4bc5d8ed89b571

                            SHA256

                            c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

                            SHA512

                            065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            dc058ebc0f8181946a312f0be99ed79c

                            SHA1

                            0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

                            SHA256

                            378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

                            SHA512

                            36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            f123d62b443d0f3e2a3c654889bc8218

                            SHA1

                            d3f6f77967cc367ee05500d0e05a25596b5ed330

                            SHA256

                            0a0f54657e40beea16c6c6863e79a81ada6a549302af2e6aeb2566c4d3fd26b8

                            SHA512

                            b64621aaca4f7eeddf51a6064ad420ef01ea3118f4e0c77bb451be7c9d8b776ebfb4816b5a8ef3ebad85b261de6b5a40d2b5a8450fdb1c08808ebc520ce33000

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            362e090a900d9b385a205b23537aa09f

                            SHA1

                            77cfc30db9ab32689ae9cbc4f1a8b42961acffa1

                            SHA256

                            cd8d665d11e76f2cce5765fa1dde497d3100e2643a4a20c66ef922acabdb9b6d

                            SHA512

                            73aa976bdcf81d3ed11911c4506ba46394ef06bf019f814577801cf91b7348abe731a84c5c7c19bacce87e50610a3192eba1a2cc9b8c9382a7225b72dd790627

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            1b66a43d24bf5d95c9b5019dfffcc42d

                            SHA1

                            52c244868331eaad74a780840d811d3721241e32

                            SHA256

                            560d3eec4be38c5d16398929e33df1bfbd1447640a86d34d04645024722e3daa

                            SHA512

                            d4ce82c88ea62d08659bc0e9910dcddd4bab81467d8442bd9123c071c65016524722f4ec8af950d17a9e4cc63ef21d3ce6ca7693a574e8c5b048ee3898a91355

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            10KB

                            MD5

                            f5c9b94c69055d4e4075c272295a7998

                            SHA1

                            266323a2606a8dca597f2db5ac79ccf9f83f891f

                            SHA256

                            b46e34809d0ae9f85efdebe5fb395c1d63b9c9ad40981175f2611853ed0b922c

                            SHA512

                            f260b35de4fa8386ab3211c9848e644ef9c3c363a05ed5d39899a845fc34fd73ecc47e5235c1bc42aa524954b883e8c67b0a8b4dc79c16e095d4b96995c69e90

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            20facdc59d6af53a06c681d7b5a6ea61

                            SHA1

                            5c9504eee397780dfba2937818b713a2636d2581

                            SHA256

                            48af54c77587784dfe95b9d61043e90b14f4f9f11d4d4cfd5f73df647cf58a03

                            SHA512

                            b292fc1e8d041bb6c9299a0dc0136ae78b9a931f7dbfb2739b7a717ee347cdee20f9f54c3d108f64ad4d4272698862015ba4f26d63e00b60848d61f74f034ff4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            993af531f0b57e8128ec273731c3a8e2

                            SHA1

                            a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

                            SHA256

                            fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

                            SHA512

                            bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            34f595487e6bfd1d11c7de88ee50356a

                            SHA1

                            4caad088c15766cc0fa1f42009260e9a02f953bb

                            SHA256

                            0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                            SHA512

                            10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jiwm5sdl.12r.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\jrrjiw.exe
                            Filesize

                            300KB

                            MD5

                            dfefdd2e554fd23f3b87f68c3e0f9622

                            SHA1

                            8be107d3c7e0aba6346ccdac289e29e3a8127af2

                            SHA256

                            f47c2bb84ce619d0d69445b0a1dce760482f2dd508815ba2667bab5c3a3541e9

                            SHA512

                            8f11525da059c6aa655d5ad2c41f89ce535ebb7a2bd4d7ce197c2ea244f28947e2338b1f97378130179490e49fd73402ee3dcdc507901f48b41ce9acf79ca182

                            Download Submit

                          • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                            Filesize

                            639B

                            MD5

                            d2dbbc3383add4cbd9ba8e1e35872552

                            SHA1

                            020abbc821b2fe22c4b2a89d413d382e48770b6f

                            SHA256

                            5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

                            SHA512

                            bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

                            Download Submit

                          • C:\Users\Admin\Desktop\UndoRename.docx.ENC
                            Filesize

                            15KB

                            MD5

                            ae4276a2250ad577227b0e67d7a65d1c

                            SHA1

                            9bebed79dc768e2450bf0bc7b8088cb18aa3a2b8

                            SHA256

                            30ffd1205a43b08278f895cd5fdc6aed1a2202b67505063c933a6332218bce67

                            SHA512

                            b34ece299dcf269df181d228dce36fc096f4a9b3bfc0a0d919a6095f6cae358c6f55361e9cf0846737a9c5d39a5ef6cb8aa0c2dae7a5c4e0de8513714de2ff6d

                            Download Submit

                          • C:\Users\Admin\Documents\LockReset.docm.ENC
                            Filesize

                            173KB

                            MD5

                            014027b9db0e85b3dbb70d9c76b898bd

                            SHA1

                            5ec4596e71d49af533aa1f9bd2f0d1c53ec2ceb7

                            SHA256

                            9337965b131d7b9614fc4e4651e97617f36aa96968a0a090d3f357b57f1301fd

                            SHA512

                            ffea680e5a6a6d7b509e7896bbf0944d8aa0510f12bf67bd7b9104782f1085a398687505428c4dd963eb91c92bbd8d182bb13c85198448d9f98c58f504508f1a

                            Download Submit

                          • C:\Users\Admin\Documents\OptimizeUnregister.docx.ENC
                            Filesize

                            14KB

                            MD5

                            4135e27afc6b2459c09ddf6d87564823

                            SHA1

                            700958592302938a93a4b118fc6692c51df8376e

                            SHA256

                            607cb7c3cec7284a04b8805a7976b02f05231d348ccbd6fea04ad1eb2627657e

                            SHA512

                            417862154e815f754bc08821a2009b7519e3ee31024adc76bce72fdc3b48549581ba62fb4ba647c429caacb5706a1c08af8685b1ab126fc297be2a91144ad70d

                            Download Submit

                          • C:\Users\Admin\Documents\ReadExpand.docm.ENC
                            Filesize

                            395KB

                            MD5

                            e97ee2e6496cc98ad3a44e9f15329f23

                            SHA1

                            4dc5e17c1b5b0fb4d5431981507bfe13d06143b1

                            SHA256

                            33eaa92a02d2d54175dfe041f1507b8f8831b369e08697c62e7330829f57d3be

                            SHA512

                            7da3ae5e069f084cf0b83f319b08e618dd0807d38e54c2eac04cdb21cecf3bec42b43c6d7392bce24a4d1f21ab559c796eed122f35251d0efab1fe203619b25e

                            Download Submit

                          • C:\Users\Admin\Documents\TestUnprotect.docx.ENC
                            Filesize

                            284KB

                            MD5

                            05a8ecc6d2dd0166b206ba293d4257c1

                            SHA1

                            83b0e6e90eb40498b53e0dfbe09441962f29319a

                            SHA256

                            797b3652292211e7c53b9437b9a54ad2c75fa53c36441320d3275828473f65fb

                            SHA512

                            77d9b35fb9b5868950a5a3b56648e592939f0d978560aacacaed45489e3ce87fc1d1659205decc6de565dad8271b74824b324b45befae5a741cedcd0bc79daae

                            Download Submit

                          • C:\Users\Admin\Documents\UnprotectRequest.docx.ENC
                            Filesize

                            18KB

                            MD5

                            352f88d279201527161f30a0f705e577

                            SHA1

                            bab57b93a859531c1864853deb3f8b4ee4a46ff1

                            SHA256

                            740729ce9f8a08a2d1d26c87e5a3ca620a8fab88ed68bc74b09c8dde2a3567e3

                            SHA512

                            1e6718078a8196254784d70288b6157b243548e5c1815cf7540eadbbbef90f9cb07f952b7da8b27b4b45c13f8826c3617a8f63af35569d78dda9873c7f9d7179

                            Download Submit

                          • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
                            Filesize

                            16B

                            MD5

                            de3020618d72a952b930f10bd4dc3905

                            SHA1

                            0dbf5d2e4db5a420358586cc7ec31ef18ad579c7

                            SHA256

                            551e03fdf31664b4ff20712e828c717422fa1372855d9baa61fd615f6a52f993

                            SHA512

                            07486557ef8b6706ddbc4bf817d529a833d742e32e3ef9d01ad7d809ff4012872c4fa3f42eb90e80267643ce09df21b8e74ef12bea95a2deb5c79b70c69608be

                            Download Submit

                          • memory/916-1-0x00000000003B0000-0x00000000003D8000-memory.dmp

                            Filesize

                            160KB

                            Download

                          • memory/916-0-0x00007FFF3DBE3000-0x00007FFF3DBE5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/916-295-0x00000000023A0000-0x00000000023AE000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/916-2-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/916-56-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/916-55-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/916-54-0x00007FFF3DBE3000-0x00007FFF3DBE5000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1192-337-0x0000000005530000-0x00000000055C2000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/1192-336-0x0000000005AE0000-0x0000000006084000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/1192-339-0x00000000066B0000-0x0000000006CC8000-memory.dmp

                            Filesize

                            6.1MB

                            Download

                          • memory/1192-340-0x00000000058B0000-0x00000000059BA000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/1192-341-0x0000000005670000-0x0000000005682000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/1192-342-0x00000000057E0000-0x000000000581C000-memory.dmp

                            Filesize

                            240KB

                            Download

                          • memory/1192-343-0x0000000005820000-0x000000000586C000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/1192-344-0x0000000006090000-0x00000000060F6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/1192-345-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

                            Filesize

                            320KB

                            Download

                          • memory/1192-338-0x00000000054F0000-0x00000000054FA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1192-335-0x0000000000A80000-0x0000000000AD2000-memory.dmp

                            Filesize

                            328KB

                            Download

                          • memory/1192-353-0x0000000008200000-0x000000000872C000-memory.dmp

                            Filesize

                            5.2MB

                            Download

                          • memory/1192-352-0x00000000073D0000-0x0000000007592000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/1516-14-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1516-15-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1516-13-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/1516-12-0x0000027777050000-0x0000027777072000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/1516-18-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

                            Filesize

                            10.8MB

                            Download