hxxps://drive[.]google[.]com/file/d/193FqxNYd31TIsQu0VlDJ1ToNrv2u6cLZ/view?pli=1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	silhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	silhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Serverhostmonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Serverhostmonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 8 IoCs

pid	Process
6120	silhost.exe
5780	silhost.exe
4392	Serverhostmonitor.exe
412	Serverhostmonitor.exe
6028	Serverhostmonitor.exe
5784	csrss.exe
4736	Serverhostmonitor.exe
2700	Idle.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\ContainerWebSavescommon\\taskhostw.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ContainerWebSavescommon\\RuntimeBroker.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\dotnet\\swidtag\\cmd.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\dotnet\\swidtag\\cmd.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\L2Schemas\\System.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\ContainerWebSavescommon\\taskhostw.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverhostmonitor = "\"C:\\ContainerWebSavescommon\\Serverhostmonitor.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\ContainerWebSavescommon\\WmiPrvSE.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverhostmonitor = "\"C:\\ContainerWebSavescommon\\Serverhostmonitor.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Uninstall Information\\backgroundTaskHost.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Uninstall Information\\backgroundTaskHost.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverhostmonitor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zOCB740268\\Serverhostmonitor.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\ContainerWebSavescommon\\WmiPrvSE.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ContainerWebSavescommon\\RuntimeBroker.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\Office16\\WmiPrvSE.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\Office16\\WmiPrvSE.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverhostmonitor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zOCB740268\\Serverhostmonitor.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\cmd.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\L2Schemas\\System.exe\""	Serverhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\csrss.exe\""	Serverhostmonitor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
5	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCAA8C775D8AD5451F92526D90532C82E0.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Uninstall Information\CSCE87498C9745D482C86CBD1BFB15C264A.TMP	csc.exe
File opened for modification	C:\Program Files\Uninstall Information\backgroundTaskHost.exe	Serverhostmonitor.exe
File created	C:\Program Files\Microsoft Office\Office16\WmiPrvSE.exe	Serverhostmonitor.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f	Serverhostmonitor.exe
File created	\??\c:\Program Files (x86)\MSBuild\Microsoft\CSC5F25D53824A45B2BAF54F71FD8BB54.TMP	csc.exe
File created	\??\c:\Program Files\Microsoft Office\Office16\CSCED3B9A41E2FD4E2197D841B755B6A756.TMP	csc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	Serverhostmonitor.exe
File created	C:\Program Files\dotnet\swidtag\cmd.exe	Serverhostmonitor.exe
File opened for modification	C:\Program Files\dotnet\swidtag\cmd.exe	Serverhostmonitor.exe
File created	C:\Program Files\dotnet\swidtag\ebf1f9fa8afd6d	Serverhostmonitor.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe	Serverhostmonitor.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ebf1f9fa8afd6d	Serverhostmonitor.exe
File created	\??\c:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	csc.exe
File created	\??\c:\Program Files\Microsoft Office\Office16\WmiPrvSE.exe	csc.exe
File created	C:\Program Files\Uninstall Information\backgroundTaskHost.exe	Serverhostmonitor.exe
File created	C:\Program Files\Uninstall Information\eddb19405b7ce1	Serverhostmonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e	Serverhostmonitor.exe
File created	C:\Program Files\Microsoft Office\Office16\24dbde2999530e	Serverhostmonitor.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe	Serverhostmonitor.exe
File created	\??\c:\Program Files\Uninstall Information\backgroundTaskHost.exe	csc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\27d1bcfc3c54e0	Serverhostmonitor.exe
File created	\??\c:\Windows\L2Schemas\CSC7A0E37B2492046EF90DF437DD5D998C2.TMP	csc.exe
File created	\??\c:\Windows\L2Schemas\System.exe	csc.exe
File created	C:\Windows\L2Schemas\System.exe	Serverhostmonitor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	silhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	silhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5772	PING.EXE
3108	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Serverhostmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Serverhostmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	silhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	silhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7zFM.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5772	PING.EXE
3108	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5612	schtasks.exe
3852	schtasks.exe
5568	schtasks.exe
5656	schtasks.exe
668	schtasks.exe
6032	schtasks.exe
3516	schtasks.exe
2420	schtasks.exe
5748	schtasks.exe
5856	schtasks.exe
5488	schtasks.exe
5208	schtasks.exe
5508	schtasks.exe
5568	schtasks.exe
5392	schtasks.exe
5904	schtasks.exe
4420	schtasks.exe
5404	schtasks.exe
5452	schtasks.exe
4056	schtasks.exe
3152	schtasks.exe
5180	schtasks.exe
4396	schtasks.exe
1348	schtasks.exe
5624	schtasks.exe
6060	schtasks.exe
4084	schtasks.exe
3560	schtasks.exe
2740	schtasks.exe
5384	schtasks.exe
4592	schtasks.exe
4796	schtasks.exe
5856	schtasks.exe
4056	schtasks.exe
6052	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3396	msedge.exe
3396	msedge.exe
2440	msedge.exe
2440	msedge.exe
812	identity_helper.exe
812	identity_helper.exe
5576	msedge.exe
5576	msedge.exe
5944	7zFM.exe
5944	7zFM.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe
4392	Serverhostmonitor.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5944	7zFM.exe
6076	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeRestorePrivilege	5944	7zFM.exe
Token: 35	5944	7zFM.exe
Token: SeSecurityPrivilege	5944	7zFM.exe
Token: SeSecurityPrivilege	5944	7zFM.exe
Token: SeRestorePrivilege	6076	7zFM.exe
Token: 35	6076	7zFM.exe
Token: SeSecurityPrivilege	6076	7zFM.exe
Token: SeDebugPrivilege	4392	Serverhostmonitor.exe
Token: SeSecurityPrivilege	6076	7zFM.exe
Token: SeSecurityPrivilege	6076	7zFM.exe
Token: SeDebugPrivilege	412	Serverhostmonitor.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	6028	Serverhostmonitor.exe
Token: SeDebugPrivilege	5784	csrss.exe
Token: SeDebugPrivilege	5752	taskmgr.exe
Token: SeSystemProfilePrivilege	5752	taskmgr.exe
Token: SeCreateGlobalPrivilege	5752	taskmgr.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4736	Serverhostmonitor.exe
Token: SeDebugPrivilege	2700	Idle.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
5944	7zFM.exe
5944	7zFM.exe
5944	7zFM.exe
6076	7zFM.exe
6076	7zFM.exe
6076	7zFM.exe
6076	7zFM.exe
6076	7zFM.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe
5752	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4504	2440	msedge.exe	86
PID 2440 wrote to memory of 4504	2440	msedge.exe	86
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 4020	2440	msedge.exe	87
PID 2440 wrote to memory of 3396	2440	msedge.exe	88
PID 2440 wrote to memory of 3396	2440	msedge.exe	88
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89
PID 2440 wrote to memory of 3512	2440	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/193FqxNYd31TIsQu0VlDJ1ToNrv2u6cLZ/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83b1346f8,0x7ff83b134708,0x7ff83b134718
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,1637872724181749799,16908904830586899341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5852

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\билд фрега.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5944
- C:\Users\Admin\AppData\Local\Temp\7zO837153B7\silhost.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO837153B7\silhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:6120
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ContainerWebSavescommon\7nPP9UofNWY3VdmS.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ContainerWebSavescommon\bsf7Bb31UeSOrbt66GjoXIWubS9wej.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1932
    - - C:\ContainerWebSavescommon\Serverhostmonitor.exe
        
        "C:\ContainerWebSavescommon/Serverhostmonitor.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6028
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lixs1fqd\lixs1fqd.cmdline"
        6⤵
        Drops file in Windows directory
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7318.tmp" "c:\Windows\L2Schemas\CSC7A0E37B2492046EF90DF437DD5D998C2.TMP"
        7⤵
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udz3umfz\udz3umfz.cmdline"
        6⤵
        Drops file in Program Files directory
        
        PID:4840
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73B4.tmp" "c:\Program Files (x86)\MSBuild\Microsoft\CSC5F25D53824A45B2BAF54F71FD8BB54.TMP"
        7⤵
        
        PID:3012
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nk1kntnm\nk1kntnm.cmdline"
        6⤵
        
        PID:5716
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES755A.tmp" "c:\ContainerWebSavescommon\CSC6252AA808AE342B4BCC4D776C164A03E.TMP"
        7⤵
        
        PID:980
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uyly3bzl\uyly3bzl.cmdline"
        6⤵
        Drops file in Program Files directory
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7606.tmp" "c:\Program Files\Microsoft Office\Office16\CSCED3B9A41E2FD4E2197D841B755B6A756.TMP"
        7⤵
        
        PID:5540
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdc4xjmx\gdc4xjmx.cmdline"
        6⤵
        Drops file in Program Files directory
        
        PID:6076
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76C1.tmp" "c:\Program Files\Uninstall Information\CSCE87498C9745D482C86CBD1BFB15C264A.TMP"
        7⤵
        
        PID:780
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\moq5jhdf\moq5jhdf.cmdline"
        6⤵
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES772F.tmp" "c:\Users\Admin\AppData\Local\Temp\7zOCB740268\CSC3CC5DF9436D74530A86F61B8B5DA0B5.TMP"
        7⤵
        
        PID:2716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ContainerWebSavescommon\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ContainerWebSavescommon\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ContainerWebSavescommon\Serverhostmonitor.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BZYbNI4249.bat"
        6⤵
        
        PID:5612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3108
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700

C:\Users\Admin\Desktop\silhost.exe
"C:\Users\Admin\Desktop\silhost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ContainerWebSavescommon\7nPP9UofNWY3VdmS.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ContainerWebSavescommon\bsf7Bb31UeSOrbt66GjoXIWubS9wej.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
  - - C:\ContainerWebSavescommon\Serverhostmonitor.exe
      "C:\ContainerWebSavescommon/Serverhostmonitor.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4736

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\silhost.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6076
- C:\Users\Admin\AppData\Local\Temp\7zOCB740268\Serverhostmonitor.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCB740268\Serverhostmonitor.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r5vvqgpm\r5vvqgpm.cmdline"
    3⤵
    - Drops file in System32 directory
    PID:5476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43DA.tmp" "c:\Windows\System32\CSCAA8C775D8AD5451F92526D90532C82E0.TMP"
      4⤵
      PID:2016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ContainerWebSavescommon\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCB740268\Serverhostmonitor.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mO1FauOgcZ.bat"
    3⤵
    PID:5216
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2756
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5772
  - - C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe
      "C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5784
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCB7C6E18\7nPP9UofNWY3VdmS.vbe"
  2⤵
  PID:6016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOCB768A18\bsf7Bb31UeSOrbt66GjoXIWubS9wej.bat" "
  2⤵
  PID:5632
- - C:\ContainerWebSavescommon\Serverhostmonitor.exe
    "C:\ContainerWebSavescommon/Serverhostmonitor.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\ContainerWebSavescommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ContainerWebSavescommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\ContainerWebSavescommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerhostmonitorS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\7zOCB740268\Serverhostmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Serverhostmonitor" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\7zOCB740268\Serverhostmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerhostmonitorS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\7zOCB740268\Serverhostmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\ContainerWebSavescommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ContainerWebSavescommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\ContainerWebSavescommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\ContainerWebSavescommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ContainerWebSavescommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\ContainerWebSavescommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerhostmonitorS" /sc MINUTE /mo 11 /tr "'C:\ContainerWebSavescommon\Serverhostmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Serverhostmonitor" /sc ONLOGON /tr "'C:\ContainerWebSavescommon\Serverhostmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerhostmonitorS" /sc MINUTE /mo 6 /tr "'C:\ContainerWebSavescommon\Serverhostmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery