eternity | hxxps://oxy[.]st/d/qiQh

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	AgentsavesRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	AgentsavesRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	GUI sub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	AgentsavesRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 15 IoCs

pid	Process
5996	Setup.exe
4044	DRG module.exe
5392	Microsoft picture manager.exe
6088	GUI sub.exe
5084	WIN helper.exe
4976	AgentsavesRuntime.exe
464	StartMenuExperienceHost.exe
5272	StartMenuExperienceHost.exe
3928	AgentsavesRuntime.exe
3136	AgentsavesRuntime.exe
5456	AgentsavesRuntime.exe
392	StartMenuExperienceHost.exe
4696	AgentsavesRuntime.exe
2732	AgentsavesRuntime.exe
2372	AgentsavesRuntime.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WIN helper.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WIN helper.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WIN helper.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\Templates\\unsecapp.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\fr-FR\\sysmon.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Start Menu\\StartMenuExperienceHost.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentsavesRuntime = "\"C:\\portContainerServer\\AgentsavesRuntime.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentsavesRuntime = "\"C:\\portContainerServer\\AgentsavesRuntime.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Start Menu\\StartMenuExperienceHost.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\Templates\\unsecapp.exe\""	AgentsavesRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\fr-FR\\sysmon.exe\""	AgentsavesRuntime.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
389	pastebin.com
388	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
380	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5EFD8DE45F664EE9BD46DCC864F1DFA3.TMP	csc.exe
File created	\??\c:\Windows\System32\h920ln.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\sysmon.exe	AgentsavesRuntime.exe
File created	C:\Windows\fr-FR\121e5b5079f7c0	AgentsavesRuntime.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GUI sub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2992	PING.EXE
5256	PING.EXE
5820	PING.EXE
2948	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2644	netsh.exe
5352	cmd.exe
5072	netsh.exe
5356	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	WIN helper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WIN helper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	AgentsavesRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	AgentsavesRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	GUI sub.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	AgentsavesRuntime.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
5256	PING.EXE
5820	PING.EXE
2948	PING.EXE
2992	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
744	schtasks.exe
3168	schtasks.exe
5624	schtasks.exe
5740	schtasks.exe
5448	schtasks.exe
4464	schtasks.exe
4564	schtasks.exe
2676	schtasks.exe
1916	schtasks.exe
5100	schtasks.exe
840	schtasks.exe
468	schtasks.exe
1932	schtasks.exe
2112	schtasks.exe
1596	schtasks.exe
2148	schtasks.exe
4748	schtasks.exe
3840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4880	msedge.exe
4880	msedge.exe
4760	msedge.exe
4760	msedge.exe
2992	identity_helper.exe
2992	identity_helper.exe
4376	msedge.exe
4376	msedge.exe
5084	WIN helper.exe
5084	WIN helper.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe
4976	AgentsavesRuntime.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeRestorePrivilege	1596	7zG.exe
Token: 35	1596	7zG.exe
Token: SeSecurityPrivilege	1596	7zG.exe
Token: SeSecurityPrivilege	1596	7zG.exe
Token: SeDebugPrivilege	5392	Microsoft picture manager.exe
Token: SeDebugPrivilege	4044	DRG module.exe
Token: SeIncreaseQuotaPrivilege	3552	wmic.exe
Token: SeSecurityPrivilege	3552	wmic.exe
Token: SeTakeOwnershipPrivilege	3552	wmic.exe
Token: SeLoadDriverPrivilege	3552	wmic.exe
Token: SeSystemProfilePrivilege	3552	wmic.exe
Token: SeSystemtimePrivilege	3552	wmic.exe
Token: SeProfSingleProcessPrivilege	3552	wmic.exe
Token: SeIncBasePriorityPrivilege	3552	wmic.exe
Token: SeCreatePagefilePrivilege	3552	wmic.exe
Token: SeBackupPrivilege	3552	wmic.exe
Token: SeRestorePrivilege	3552	wmic.exe
Token: SeShutdownPrivilege	3552	wmic.exe
Token: SeDebugPrivilege	3552	wmic.exe
Token: SeSystemEnvironmentPrivilege	3552	wmic.exe
Token: SeRemoteShutdownPrivilege	3552	wmic.exe
Token: SeUndockPrivilege	3552	wmic.exe
Token: SeManageVolumePrivilege	3552	wmic.exe
Token: 33	3552	wmic.exe
Token: 34	3552	wmic.exe
Token: 35	3552	wmic.exe
Token: 36	3552	wmic.exe
Token: SeDebugPrivilege	5084	WIN helper.exe
Token: SeIncreaseQuotaPrivilege	3552	wmic.exe
Token: SeSecurityPrivilege	3552	wmic.exe
Token: SeTakeOwnershipPrivilege	3552	wmic.exe
Token: SeLoadDriverPrivilege	3552	wmic.exe
Token: SeSystemProfilePrivilege	3552	wmic.exe
Token: SeSystemtimePrivilege	3552	wmic.exe
Token: SeProfSingleProcessPrivilege	3552	wmic.exe
Token: SeIncBasePriorityPrivilege	3552	wmic.exe
Token: SeCreatePagefilePrivilege	3552	wmic.exe
Token: SeBackupPrivilege	3552	wmic.exe
Token: SeRestorePrivilege	3552	wmic.exe
Token: SeShutdownPrivilege	3552	wmic.exe
Token: SeDebugPrivilege	3552	wmic.exe
Token: SeSystemEnvironmentPrivilege	3552	wmic.exe
Token: SeRemoteShutdownPrivilege	3552	wmic.exe
Token: SeUndockPrivilege	3552	wmic.exe
Token: SeManageVolumePrivilege	3552	wmic.exe
Token: 33	3552	wmic.exe
Token: 34	3552	wmic.exe
Token: 35	3552	wmic.exe
Token: 36	3552	wmic.exe
Token: SeDebugPrivilege	4976	AgentsavesRuntime.exe
Token: SeDebugPrivilege	464	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5272	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3928	AgentsavesRuntime.exe
Token: SeDebugPrivilege	3136	AgentsavesRuntime.exe
Token: SeDebugPrivilege	5456	AgentsavesRuntime.exe
Token: SeDebugPrivilege	3812	taskmgr.exe
Token: SeSystemProfilePrivilege	3812	taskmgr.exe
Token: SeCreateGlobalPrivilege	3812	taskmgr.exe
Token: SeDebugPrivilege	392	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4696	AgentsavesRuntime.exe
Token: SeDebugPrivilege	2732	AgentsavesRuntime.exe
Token: SeDebugPrivilege	2372	AgentsavesRuntime.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
1596	7zG.exe
4760	msedge.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe
3812	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 828	4760	msedge.exe	83
PID 4760 wrote to memory of 828	4760	msedge.exe	83
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 3704	4760	msedge.exe	84
PID 4760 wrote to memory of 4880	4760	msedge.exe	85
PID 4760 wrote to memory of 4880	4760	msedge.exe	85
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86
PID 4760 wrote to memory of 2360	4760	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WIN helper.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	WIN helper.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.st/d/qiQh
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9835546f8,0x7ff983554708,0x7ff983554718
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,18340979666752757711,9233899775183182441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap19184:72:7zEvent9312
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1596

C:\Users\Admin\Downloads\Setup\Setup.exe
"C:\Users\Admin\Downloads\Setup\Setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5996
- C:\Users\Admin\AppData\Local\Temp\DRG module.exe
  "C:\Users\Admin\AppData\Local\Temp\DRG module.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- C:\Users\Admin\AppData\Local\Temp\Microsoft picture manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft picture manager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5392
- C:\Users\Admin\AppData\Local\Temp\GUI sub.exe
  "C:\Users\Admin\AppData\Local\Temp\GUI sub.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:6088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\portContainerServer\bpmdutc0M3cJEN2bLwLmjIrQzt9Evn2rH8angtBVEaFmTOq1CfF52scTNAX.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\portContainerServer\PvszTCanD9rbZND.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4600
    - - C:\portContainerServer\AgentsavesRuntime.exe
        
        "C:\portContainerServer/AgentsavesRuntime.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mflka1n1\mflka1n1.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA582.tmp" "c:\Windows\System32\CSC5EFD8DE45F664EE9BD46DCC864F1DFA3.TMP"
        7⤵
        
        PID:3532
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VsdVNTW6f8.bat"
        6⤵
        
        PID:3188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4888
        
        C:\Users\Default\Start Menu\StartMenuExperienceHost.exe
        
        "C:\Users\Default\Start Menu\StartMenuExperienceHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpLz1yvSlu.bat"
        8⤵
        
        PID:5908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5256
        
        C:\Users\Default\Start Menu\StartMenuExperienceHost.exe
        
        "C:\Users\Default\Start Menu\StartMenuExperienceHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ibWrXDwbZz.bat"
        10⤵
        
        PID:3264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5820
        
        C:\Users\Default\Start Menu\StartMenuExperienceHost.exe
        
        "C:\Users\Default\Start Menu\StartMenuExperienceHost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
- C:\Users\Admin\AppData\Local\Temp\WIN helper.exe
  "C:\Users\Admin\AppData\Local\Temp\WIN helper.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5084
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5356
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3460
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2644
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:2316
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5352
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:744
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile name="65001" key=clear
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5072
  - - C:\Windows\system32\findstr.exe
      findstr Key
      4⤵
      PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Templates\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\fr-FR\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Start Menu\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentsavesRuntimeA" /sc MINUTE /mo 6 /tr "'C:\portContainerServer\AgentsavesRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentsavesRuntime" /sc ONLOGON /tr "'C:\portContainerServer\AgentsavesRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentsavesRuntimeA" /sc MINUTE /mo 13 /tr "'C:\portContainerServer\AgentsavesRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portContainerServer\bpmdutc0M3cJEN2bLwLmjIrQzt9Evn2rH8angtBVEaFmTOq1CfF52scTNAX.vbe"
1⤵
- Checks computer location settings
PID:5244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\portContainerServer\PvszTCanD9rbZND.bat" "
  2⤵
  PID:6012
- - C:\portContainerServer\AgentsavesRuntime.exe
    "C:\portContainerServer/AgentsavesRuntime.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2372

C:\portContainerServer\AgentsavesRuntime.exe
"C:\portContainerServer\AgentsavesRuntime.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N21q8QyzlD.bat"
  2⤵
  PID:5104
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2552
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2948
- - C:\portContainerServer\AgentsavesRuntime.exe
    "C:\portContainerServer\AgentsavesRuntime.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4696

C:\portContainerServer\AgentsavesRuntime.exe
"C:\portContainerServer\AgentsavesRuntime.exe" C:\portContainerServer\bpmdutc0M3cJEN2bLwLmjIrQzt9Evn2rH8angtBVEaFmTOq1CfF52scTNAX.vbe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ghJDzcD21F.bat"
  2⤵
  PID:672
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:6052
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2992
- - C:\portContainerServer\AgentsavesRuntime.exe
    "C:\portContainerServer\AgentsavesRuntime.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2732

C:\portContainerServer\AgentsavesRuntime.exe
"C:\portContainerServer\AgentsavesRuntime.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery