Analysis

  • max time kernel
    75s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 20:46

General

  • Target

    https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Modifies registry key 1 TTPs 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file
    1⤵
      PID:1624
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4376,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:1
    1⤵
      PID:4784
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3856,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4600 /prefetch:1
    1⤵
      PID:4276
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5300,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8
    1⤵
      PID:2324
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5348,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
    1⤵
      PID:3860
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5804,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:8
    1⤵
      PID:4992
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5796,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:1
    1⤵
      PID:3956
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6108,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:1
    1⤵
      PID:2328
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6036,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:1
    1⤵
      PID:1088
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6360,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:1
    1⤵
      PID:4664
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6664,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:1
    1⤵
      PID:4812
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6876,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
    1⤵
      PID:3408
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=7064,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1
    1⤵
      PID:5000
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7392,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7248 /prefetch:1
    1⤵
      PID:948
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7396,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7488 /prefetch:1
    1⤵
      PID:2068
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7620,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7636 /prefetch:1
    1⤵
      PID:4548
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7760,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7640 /prefetch:1
    1⤵
      PID:4856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7772,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:1
    1⤵
      PID:3636
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7776,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8052 /prefetch:1
    1⤵
      PID:2288
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=8116,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8108 /prefetch:1
    1⤵
      PID:4844
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=8220,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8308 /prefetch:1
    1⤵
      PID:4972
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8436,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8476 /prefetch:1
    1⤵
      PID:2392
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8520,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8604 /prefetch:1
    1⤵
      PID:884
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8660,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8632 /prefetch:1
    1⤵
      PID:5124
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=8640,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8912 /prefetch:1
    1⤵
      PID:5136
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=9236,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9508 /prefetch:8
    1⤵
      PID:5824
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=9308,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9556 /prefetch:1
    1⤵
      PID:5832
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=9664,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8300 /prefetch:1
    1⤵
      PID:5892
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=9960,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9136 /prefetch:1
    1⤵
      PID:5908
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=10096,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10092 /prefetch:1
    1⤵
      PID:6008
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=10236,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10180 /prefetch:1
    1⤵
      PID:6072
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=10368,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10332 /prefetch:8
    1⤵
    • Drops file in Program Files directory
    PID:6084
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=10516,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10480 /prefetch:1
    1⤵
      PID:6120
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=10176,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10748 /prefetch:1
    1⤵
      PID:6128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=7148,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9160 /prefetch:1
    1⤵
      PID:6240
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10732,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10948 /prefetch:8
    1⤵
      PID:6248
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=9440,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9796 /prefetch:1
    1⤵
      PID:6348
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=8924,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10088 /prefetch:1
    1⤵
      PID:6684
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=10072,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10364 /prefetch:1
    1⤵
      PID:6696
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=6888,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7004 /prefetch:1
    1⤵
      PID:6704
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=9056,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8680 /prefetch:1
    1⤵
      PID:7004
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=9876,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9924 /prefetch:1
    1⤵
      PID:7012
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=10256,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=11084 /prefetch:1
    1⤵
      PID:7068
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=8300,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10300 /prefetch:1
    1⤵
      PID:7084
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=10464,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=11004 /prefetch:1
    1⤵
      PID:7092
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=7000,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:1
    1⤵
      PID:7148
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:6540
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ValiantSpooferPaid\" -spe -an -ai#7zMap7654:98:7zEvent2033
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5984
  • C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
    "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
    1⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:5576
                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
                                                                                                  2⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:6616
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
                                                                                                    3⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:6772
                                                                                                    • C:\msAgentServer\Windrivercrt.exe
                                                                                                      "C:\msAgentServer\Windrivercrt.exe"
                                                                                                      4⤵
                                                                                                      • UAC bypass
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Checks whether UAC is enabled
                                                                                                      • Drops file in Program Files directory
                                                                                                      • Drops file in Windows directory
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      • System policy modification
                                                                                                      PID:6956
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N2kvYgGXaz.bat"
                                                                                                        5⤵
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:1552
                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                          6⤵
                                                                                                            PID:5992
                                                                                                          • C:\Windows\Vss\Writers\msedge.exe
                                                                                                            "C:\Windows\Vss\Writers\msedge.exe"
                                                                                                            6⤵
                                                                                                            • UAC bypass
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks whether UAC is enabled
                                                                                                            • Modifies registry class
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            • System policy modification
                                                                                                            PID:6636
                                                                                                            • C:\Windows\System32\WScript.exe
                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95e41f4-e9f2-461e-bc97-edbe74c69a00.vbs"
                                                                                                              7⤵
                                                                                                                PID:4576
                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c53e1cd-0b14-4089-b381-1276ebbef57f.vbs"
                                                                                                                7⤵
                                                                                                                  PID:5752
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                                                                            4⤵
                                                                                                            • Modifies registry key
                                                                                                            PID:5232
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5756
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:7124
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:7112
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:7156
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:1184
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:6512
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5744
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5716
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5216
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:4576
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:1552
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:540
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5236
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:2272
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5968
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\msAgentServer\WmiPrvSE.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5220
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\msAgentServer\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:4324
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\msAgentServer\WmiPrvSE.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:3468
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\msedge.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:6076
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Setup\State\msedge.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:6184
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\msedge.exe'" /rl HIGHEST /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:6072
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\TrustedInstaller.exe'" /f
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5568
                                                                                                    • C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\msAgentServer\TrustedInstaller.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:5576
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\msAgentServer\TrustedInstaller.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6636
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6656
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6796
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6940
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6856
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6876
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:7088
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:7104
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:7108
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:7140
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\msedge.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:5720
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\msedge.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:7068
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\msedge.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6540
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\msedge.exe'" /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:6012
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\msAgentServer\msedge.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:3292
• C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\msAgentServer\msedge.exe'" /rl HIGHEST /f
  1⤵
  • Process spawned unexpected child process
  • Scheduled Task/Job: Scheduled Task
  PID:5148
• C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
  "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  1⤵
  • Checks computer location settings
  • Executes dropped EXE
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  • Suspicious use of WriteProcessMemory
  PID:4324
  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    2⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:6160
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      3⤵
      • Suspicious use of WriteProcessMemory
      PID:6876
      • C:\msAgentServer\Windrivercrt.exe
        "C:\msAgentServer\Windrivercrt.exe"
        4⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:7072
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        4⤵
        • Modifies registry key
        PID:2500
• C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:4612
• C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
  "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  1⤵
  • Checks computer location settings
  • Executes dropped EXE
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  • Suspicious use of WriteProcessMemory
  PID:6836
  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    2⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:6140
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      3⤵
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\msAgentServer\Windrivercrt.exe
        "C:\msAgentServer\Windrivercrt.exe"
        4⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:7156
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        4⤵
        • Modifies registry key
        PID:6944
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5536,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
  1⤵
    PID:6276
  • C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
    "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:280
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\msAgentServer\Windrivercrt.exe
          "C:\msAgentServer\Windrivercrt.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3488
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:5884
  • C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
    "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:7124
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:6788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\msAgentServer\Windrivercrt.exe
          "C:\msAgentServer\Windrivercrt.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5148
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:6320
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=9468,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9272 /prefetch:8
    1⤵
      PID:4668
    • C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
      "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:6828
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
        2⤵
        • Checks computer location settings
        PID:5884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
          3⤵
            PID:1824
            • C:\msAgentServer\Windrivercrt.exe
                                                                                                                  "C:\msAgentServer\Windrivercrt.exe"
                                                                                                                  4⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:5148

                                                                                                          Network

                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                          Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windrivercrt.exe.log
  Filesize: 1KB
  MD5: bbb951a34b516b66451218a3ec3b0ae1
  SHA1: 7393835a2476ae655916e0a9687eeaba3ee876e9
  SHA256: eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
  SHA512: 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

• C:\Users\Admin\AppData\Local\Temp\6c53e1cd-0b14-4089-b381-1276ebbef57f.vbs
  Filesize: 485B
  MD5: 6af0004dc7b894ed9bc161e5c129dc5a
  SHA1: 567d65792f0dbf31a35ec0a60a94676e87c48d76
  SHA256: b7346fe2e5d2b752a680d6824ddf873a9af357ac4b567361b8d3a2f048b89a4f
  SHA512: 0295a143d5844c0933753c14861433c85ec574a43b0adb64e32f88a0f5b528190258c1136337b64a66f252eb5ae7041cfee685429d7259c235659593d0f1609e

• C:\Users\Admin\AppData\Local\Temp\N2kvYgGXaz.bat
  Filesize: 198B
  MD5: 8c3b13d359bb173bb5ab1a3f0e64ce4a
  SHA1: 7be96cd1b1ecce693241c94451e50cef78669782
  SHA256: c3cfc036cb03ba918900264a958892434d0ec34d296275f129230a5d79de53c5
  SHA512: d2b11049081878f90fc9f1cc7e8c2170d5b547bdfa5f940752dd059cb63160de27b0131221c3d9422d44c6c9b3a8265f9c5bc9f7766fee76f1579c3b61ff9fb9

• C:\Users\Admin\AppData\Local\Temp\a95e41f4-e9f2-461e-bc97-edbe74c69a00.vbs
  Filesize: 709B
  MD5: 8ecbeb29643548c6d49cfcbae2c5e681
  SHA1: 59ed891b200f1cd678ec02c2ebd7c67244c6cc4f
  SHA256: 0481c32b420db2b67230872548832bce5e2a173b6dba47dfb7734df607956176
  SHA512: 34342885467a97f91435dd83e5d82ae0aa54916f4af9bb64b0c26a67f5e765df3de4fe85b72c77d62518d15ea28a5cd1db2f432e9bbf33422cbc541c7026fdb1

• C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
  Filesize: 1.9MB
  MD5: 957ba1a651b750713d78d437ed8a3c7a
  SHA1: 14fdc69fc21dc9516931f5227d5d66ac1598c69a
  SHA256: 7b6a4e1d88e9c477ac1b77f3255a9daa54c083830ad81687cd45b2f237b8237c
  SHA512: c1ee2c80192b3f6a501d9958f49565111bdd7ee962fd05e5aab6af5fffc8bb41fb11f56ad590d60915271ecf2e9f774dd58472b6431b9cbebebfc9596efc85b5

• C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat
  Filesize: 147B
  MD5: e1f65135829b69dd7821d59410d13e2a
  SHA1: 24b0c9b6360afd46c770aec60807e4796bcd31fa
  SHA256: addde1c2adf45d57e91d73e20f95087a07ef6f1b0287894a207f54ce57b841a7
  SHA512: 020241921bd533ef833ccc34a34f4404e2278e586168dc064b74827abf125640783e6b9d00318a955f4a525236d2540a26775b1a980c5be5f4137b79ba1aa985

• C:\msAgentServer\Windrivercrt.exe
  Filesize: 1.6MB
  MD5: cc022adec49e3a4e30ef5a2574f06349
  SHA1: 2eb9f31932785a8c31bf505daff842749a34692a
  SHA256: a931aa10f393de1169f4616686b3f02c3323f064be3edb69d160dc3e0fe67759
  SHA512: 7146be48b4ead35d0d1e150784ac2acfaaf14c7c04690f8059ad61787a0eec2bdd04ab84f45f76a5498c5aed80d14a244a7ca4f1781ba0424d8a5f828f80aef0

• C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe
  Filesize: 218B
  MD5: 1ec6b23ee71cd4838514f2984cfbec8f
  SHA1: 0bdf20ddab114712d7b846535896ac7865a48401
  SHA256: d1aebe6120e77195acccb1a39d91e079c83128b54b200d8aaf55e38c852a27ab
  SHA512: d673e5ec51cc6ba73289bcc0d126653ce0e650f79bd119e83d68ddae012be40c4dd3793fa6e897b078365c0ce3c4f6efb1c331736ebd2f3b6873a662978dc736

• memory/6956-24-0x000000001BB50000-0x000000001BB5C000-memory.dmp
  Filesize: 48KB

• memory/6956-32-0x000000001C460000-0x000000001C46C000-memory.dmp
  Filesize: 48KB

• memory/6956-22-0x000000001BB60000-0x000000001BB70000-memory.dmp
  Filesize: 64KB

• memory/6956-23-0x000000001BB40000-0x000000001BB4A000-memory.dmp
  Filesize: 40KB

• memory/6956-20-0x000000001BB20000-0x000000001BB30000-memory.dmp
  Filesize: 64KB

• memory/6956-25-0x000000001BB70000-0x000000001BB82000-memory.dmp
  Filesize: 72KB

• memory/6956-26-0x000000001C740000-0x000000001CC68000-memory.dmp
  Filesize: 5.2MB

• memory/6956-27-0x000000001C210000-0x000000001C21C000-memory.dmp
  Filesize: 48KB

• memory/6956-28-0x000000001C220000-0x000000001C22C000-memory.dmp
  Filesize: 48KB

• memory/6956-21-0x000000001BB30000-0x000000001BB38000-memory.dmp
  Filesize: 32KB

• memory/6956-31-0x000000001C350000-0x000000001C358000-memory.dmp
  Filesize: 32KB

• memory/6956-30-0x000000001C340000-0x000000001C34E000-memory.dmp
  Filesize: 56KB

• memory/6956-29-0x000000001C330000-0x000000001C33A000-memory.dmp
  Filesize: 40KB

• memory/6956-19-0x0000000002FE0000-0x0000000002FE8000-memory.dmp
  Filesize: 32KB

• memory/6956-18-0x000000001C1C0000-0x000000001C210000-memory.dmp
  Filesize: 320KB

• memory/6956-17-0x0000000002FC0000-0x0000000002FDC000-memory.dmp
  Filesize: 112KB

• memory/6956-16-0x0000000000D60000-0x0000000000EFE000-memory.dmp
  Filesize: 1.6MB