Overview

overview

10

Static

static

10

spoolsv.exe

windows7-x64

10

spoolsv.exe

windows10-2004-x64

10

spoolsv.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-12-2024 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spoolsv.exe

  • Size

    125KB

  • MD5

    02201ab0ffca3905fbf110296fd58298

  • SHA1

    4068eb4c09f6e09637588ee3cf62bf7229a25faa

  • SHA256

    4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe

  • SHA512

    4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705

  • SSDEEP

    1536:Rn7TvjnE1RowM/gZbgjx1LAYivy6sDOsyrXdtyVt3A7HPd4n+lbeRZIbSQPYU:RHovoX/0bgAoORHyHQbPRyZ2pPYU

Score
10/10
redlinestormkittyxworml3monlogsdiscoveryexecutioninfostealerpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

l3monlogs

C2

78.70.235.238:1912

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Roaming\spoolsv.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1992
    • C:\Users\Admin\AppData\Local\Temp\adofvc.exe
      "C:\Users\Admin\AppData\Local\Temp\adofvc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffdcc493cb8,0x7ffdcc493cc8,0x7ffdcc493cd8
        3⤵
          PID:3348
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
          3⤵
            PID:2492
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3424
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
            3⤵
              PID:856
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
              3⤵
                PID:1556
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
                3⤵
                  PID:3112
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
                  3⤵
                    PID:3232
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
                    3⤵
                      PID:4700
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                      3⤵
                        PID:2024
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
                        3⤵
                          PID:3008
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4608
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,8290767359090939404,11629224320914986162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1372
                    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
                      C:\Users\Admin\AppData\Roaming\spoolsv.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1840
                    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
                      C:\Users\Admin\AppData\Roaming\spoolsv.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3220
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:1948
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:952
                        • C:\Users\Admin\AppData\Roaming\spoolsv.exe
                          C:\Users\Admin\AppData\Roaming\spoolsv.exe
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1592

                        Network

                        MITRE ATT&CK Enterprise v15

                        Reconnaissance

                        Resource Development

                        Initial Access

                        Execution

                        Command and Scripting Interpreter

                        1
                        T1059

                        PowerShell

                        1
                        T1059.001

                        Scheduled Task/Job

                        1
                        T1053

                        Scheduled Task

                        1
                        T1053.005

                        Persistence

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Registry Run Keys / Startup Folder

                        1
                        T1547.001

                        Scheduled Task/Job

                        1
                        T1053

                        Scheduled Task

                        1
                        T1053.005

                        Privilege Escalation

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Registry Run Keys / Startup Folder

                        1
                        T1547.001

                        Scheduled Task/Job

                        1
                        T1053

                        Scheduled Task

                        1
                        T1053.005

                        Defense Evasion

                        Modify Registry

                        2
                        T1112

                        Credential Access

                        Credentials from Password Stores

                        1
                        T1555

                        Credentials from Web Browsers

                        1
                        T1555.003

                        Unsecured Credentials

                        2
                        T1552

                        Credentials In Files

                        2
                        T1552.001

                        Discovery

                        Browser Information Discovery

                        1
                        T1217

                        Query Registry

                        3
                        T1012

                        System Information Discovery

                        2
                        T1082

                        System Location Discovery

                        1
                        T1614

                        System Language Discovery

                        1
                        T1614.001

                        Lateral Movement

                        Collection

                        Data from Local System

                        2
                        T1005

                        Command and Control

                        Exfiltration

                        Impact

                        Defacement

                        1
                        T1491

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          627073ee3ca9676911bee35548eff2b8

                          SHA1

                          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                          SHA256

                          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                          SHA512

                          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
                          Filesize

                          654B

                          MD5

                          2cbbb74b7da1f720b48ed31085cbd5b8

                          SHA1

                          79caa9a3ea8abe1b9c4326c3633da64a5f724964

                          SHA256

                          e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                          SHA512

                          ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          051a939f60dced99602add88b5b71f58

                          SHA1

                          a71acd61be911ff6ff7e5a9e5965597c8c7c0765

                          SHA256

                          2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

                          SHA512

                          a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          003b92b33b2eb97e6c1a0929121829b8

                          SHA1

                          6f18e96c7a2e07fb5a80acb3c9916748fd48827a

                          SHA256

                          8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

                          SHA512

                          18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          5KB

                          MD5

                          e0d3d5e4952c8c7ef61af0dbaad39d5d

                          SHA1

                          24811e24aa1cfa2572138571afd13018ae40f61d

                          SHA256

                          1ff2775eb33b6700149f5517c88e0be97aba89b41bc4fdca4b8f77b97ae6d2fd

                          SHA512

                          d32093ce8ee1b47b486da310709a3f637c207940741412f4e043d8733d150c8c82004301b49403359a8bd1bd154eb8c8ca31104c5764bf13607844451b7c35b2

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          5KB

                          MD5

                          8c8827e6820ddc2f024a66e5296cfdb0

                          SHA1

                          0730fe0532ffe3a2ad3f3ed53eed8b608a581ac3

                          SHA256

                          0f87b95c9335787631804f4cf4fd408688e6bbd09cbdd1cad29beea693315da3

                          SHA512

                          d4debd889de03957227cea3c91675d74192031ab0301eeca98170431703f63a7bcd40f3c5d4c13c4e42d44a6e0a8c374ebaecf8dc59f42f48956693a88d5f51d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                          Filesize

                          16B

                          MD5

                          46295cac801e5d4857d09837238a6394

                          SHA1

                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                          SHA256

                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                          SHA512

                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                          Filesize

                          16B

                          MD5

                          206702161f94c5cd39fadd03f4014d98

                          SHA1

                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                          SHA256

                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                          SHA512

                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                          Filesize

                          10KB

                          MD5

                          c2c727b75c2496d94b19afe8e0e83f96

                          SHA1

                          af87193118e216551f491954f921b31871a709ec

                          SHA256

                          99774ff2d2275e9a6db01a7619c82c829b45935edea3e98ea94a088a5345e498

                          SHA512

                          77d85c127935d108050d7c711404249da25b6c1dbef681f47cc9e3dc559dbd4f21f9b6826b16bf317a654398c20ea5ac69c8369e2e5fab7baf3456767ec14906

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                          Filesize

                          10KB

                          MD5

                          5dd83db98a8361121e894e3c4dc49e39

                          SHA1

                          6cc2926b3d6baa917b4bca331a6120d2d41e9f90

                          SHA256

                          f125364c47d0e4ff6cdaf565ab12de54f015a47550a947a876030b55bd2d6184

                          SHA512

                          d24eb8c2a0cb0bf26675bb804e8d8d0becc0f1c6e223258e50af1ec114f45d7b02e8d9119076ad592d8e19ef4c1f013cdfcfd0336d6a7f7c5c8c6918726012b3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          e3840d9bcedfe7017e49ee5d05bd1c46

                          SHA1

                          272620fb2605bd196df471d62db4b2d280a363c6

                          SHA256

                          3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

                          SHA512

                          76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          0176453f1fef559ae37af83dc87aa474

                          SHA1

                          7130557502d1733c8a330351fce5001312ad51d8

                          SHA256

                          57249ae210e2076711ac8e0756ce91b9fdb241833b6bb1cddb592a7db23ff0ba

                          SHA512

                          dc021a0d33cbe3117ad830ad99bfc65cb6f23bf73fa0a19efb1176b15459c28e4f1033cb1fb0761a7ff69c865634c433009802b9aed65d8140598c441c8a06fd

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          5943cc66aa7731d40f420f3299d5eb28

                          SHA1

                          424c2ff157a71fa65b0728be6af3b9d46bbf2f09

                          SHA256

                          e56deb05de226ceedd986a099773d7d20cc8f47c529170f5e2bc54254b6ea255

                          SHA512

                          b9aaf102b5237da79cebee1c8a3bd5ea3cfb2a2bcc59e1ecff0bf251978922bdfe1a69c9001f3f90957c8c69dcaa4b8b88286ff8af154bb9a335acb6aa0ff06a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kujo3quz.di0.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\adofvc.exe
                          Filesize

                          300KB

                          MD5

                          dfefdd2e554fd23f3b87f68c3e0f9622

                          SHA1

                          8be107d3c7e0aba6346ccdac289e29e3a8127af2

                          SHA256

                          f47c2bb84ce619d0d69445b0a1dce760482f2dd508815ba2667bab5c3a3541e9

                          SHA512

                          8f11525da059c6aa655d5ad2c41f89ce535ebb7a2bd4d7ce197c2ea244f28947e2338b1f97378130179490e49fd73402ee3dcdc507901f48b41ce9acf79ca182

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\spoolsv.exe
                          Filesize

                          125KB

                          MD5

                          02201ab0ffca3905fbf110296fd58298

                          SHA1

                          4068eb4c09f6e09637588ee3cf62bf7229a25faa

                          SHA256

                          4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe

                          SHA512

                          4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705

                          Download Submit

                        • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                          Filesize

                          639B

                          MD5

                          d2dbbc3383add4cbd9ba8e1e35872552

                          SHA1

                          020abbc821b2fe22c4b2a89d413d382e48770b6f

                          SHA256

                          5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

                          SHA512

                          bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

                          Download Submit

                        • C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
                          Filesize

                          16B

                          MD5

                          5996663565634720cde914eba490d792

                          SHA1

                          751751add08831365eb66140fdd3280d7079c4e4

                          SHA256

                          d8e5ce294c2848c693e24be6de592318b2d8fbefa4d69ade2ea8586145e3ecc0

                          SHA512

                          dd1f0b4fe0a9c8dd54aae32f0520259ad0556d47617f4916e66f8e079586267e9b9d69dde8bc2a311bb8c6ddd9966f65ddfa71d00443ea9397fc9c7fa85fda2b

                          Download Submit

                        • memory/1412-129-0x000000001BB10000-0x000000001BB1C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/1412-119-0x0000000002F40000-0x0000000002F4E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/1412-1-0x0000000000DC0000-0x0000000000DE6000-memory.dmp

                          Filesize

                          152KB

                          Download

                        • memory/1412-73-0x000000001DC00000-0x000000001DD20000-memory.dmp

                          Filesize

                          1.1MB

                          Download

                        • memory/1412-2-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1412-59-0x000000001CD10000-0x000000001CD1E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/1412-55-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/1412-120-0x000000001E9F0000-0x000000001ED40000-memory.dmp

                          Filesize

                          3.3MB

                          Download

                        • memory/1412-0-0x00007FFDD1B53000-0x00007FFDD1B55000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/2212-15-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2212-14-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2212-13-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2212-16-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2212-19-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2212-3-0x000001F3636D0000-0x000001F3636F2000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/2212-4-0x00007FFDD1B50000-0x00007FFDD2612000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4652-78-0x0000000005A20000-0x0000000005A5C000-memory.dmp

                          Filesize

                          240KB

                          Download

                        • memory/4652-70-0x0000000000C20000-0x0000000000C72000-memory.dmp

                          Filesize

                          328KB

                          Download

                        • memory/4652-124-0x0000000007550000-0x00000000075A0000-memory.dmp

                          Filesize

                          320KB

                          Download

                        • memory/4652-123-0x0000000007A80000-0x0000000007FAC000-memory.dmp

                          Filesize

                          5.2MB

                          Download

                        • memory/4652-122-0x0000000007380000-0x0000000007542000-memory.dmp

                          Filesize

                          1.8MB

                          Download

                        • memory/4652-121-0x00000000063E0000-0x0000000006446000-memory.dmp

                          Filesize

                          408KB

                          Download

                        • memory/4652-79-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

                          Filesize

                          304KB

                          Download

                        • memory/4652-71-0x0000000005CC0000-0x0000000006266000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/4652-77-0x00000000059C0000-0x00000000059D2000-memory.dmp

                          Filesize

                          72KB

                          Download

                        • memory/4652-76-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/4652-75-0x0000000006890000-0x0000000006EA8000-memory.dmp

                          Filesize

                          6.1MB

                          Download

                        • memory/4652-74-0x0000000005740000-0x000000000574A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/4652-72-0x00000000057B0000-0x0000000005842000-memory.dmp

                          Filesize

                          584KB

                          Download