Analysis
max time kernel: 75s
max time network: 77s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 20:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file
Resource: win10v2004-20240611-en
General
Target: https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: msedge.exe, Windrivercrt.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windrivercrt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Windrivercrt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Windrivercrt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe | dcrat
C:\msAgentServer\Windrivercrt.exe | dcrat
behavioral1/memory/6956-16-0x0000000000D60000-0x0000000000EFE000-memory.dmp | dcrat
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Windrivercrt.exe, valiantspooferpaid.exe, WScript.exe, msedge.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | Windrivercrt.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | valiantspooferpaid.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | valiantspooferpaid.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | valiantspooferpaid.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | valiantspooferpaid.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | valiantspooferpaid.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | valiantspooferpaid.exe
Executes dropped EXE 13 IoCs
Processes: valiantspooferpaid.exe, Windrivercrt.exe, msedge.exe
pid | process
5576 | valiantspooferpaid.exe
6956 | Windrivercrt.exe
4324 | valiantspooferpaid.exe
6636 | msedge.exe
7072 | Windrivercrt.exe
6836 | valiantspooferpaid.exe
280 | valiantspooferpaid.exe
7156 | Windrivercrt.exe
7124 | valiantspooferpaid.exe
3488 | Windrivercrt.exe
5148 | Windrivercrt.exe
6828 | valiantspooferpaid.exe
5148 | Windrivercrt.exe
Processes: Windrivercrt.exe, msedge.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windrivercrt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msedge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Windrivercrt.exe
Drops file in Program Files directory 5 IoCs
Processes: msedge.exe, Windrivercrt.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\valiantspooferpaid.exe | msedge.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe | Windrivercrt.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 | Windrivercrt.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe | Windrivercrt.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\61a52ddc9dd915 | Windrivercrt.exe
Drops file in Windows directory 6 IoCs
Processes: Windrivercrt.exe
description | ioc | process
File created | C:\Windows\Setup\State\msedge.exe | Windrivercrt.exe
File created | C:\Windows\Setup\State\61a52ddc9dd915 | Windrivercrt.exe
File created | C:\Windows\Vss\Writers\msedge.exe | Windrivercrt.exe
File created | C:\Windows\Vss\Writers\61a52ddc9dd915 | Windrivercrt.exe
File created | C:\Windows\twain_32\MoUsoCoreWorker.exe | Windrivercrt.exe
File created | C:\Windows\twain_32\1f93f77a7f4778 | Windrivercrt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 8 IoCs
Processes: msedge.exe, valiantspooferpaid.exe, Windrivercrt.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | valiantspooferpaid.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | valiantspooferpaid.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | valiantspooferpaid.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | valiantspooferpaid.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | valiantspooferpaid.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | Windrivercrt.exe
Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | valiantspooferpaid.exe
Modifies registry key 1 TTPs 5 IoCs
Processes: reg.exe
pid | process
5232 | reg.exe
2500 | reg.exe
6944 | reg.exe
5884 | reg.exe
6320 | reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: 7zG.exe, Windrivercrt.exe, msedge.exe, vssvc.exe
description | pid | process
Token: SeRestorePrivilege | 5984 | 7zG.exe
Token: 35 | 5984 | 7zG.exe
Token: SeSecurityPrivilege | 5984 | 7zG.exe
Token: SeSecurityPrivilege | 5984 | 7zG.exe
Token: SeDebugPrivilege | 6956 | Windrivercrt.exe
Token: SeDebugPrivilege | 6636 | msedge.exe
Token: SeDebugPrivilege | 7072 | Windrivercrt.exe
Token: SeBackupPrivilege | 4612 | vssvc.exe
Token: SeRestorePrivilege | 4612 | vssvc.exe
Token: SeAuditPrivilege | 4612 | vssvc.exe
Token: SeDebugPrivilege | 7156 | Windrivercrt.exe
Token: SeDebugPrivilege | 3488 | Windrivercrt.exe
Token: SeDebugPrivilege | 5148 | Windrivercrt.exe
Token: SeDebugPrivilege | 5148 | Windrivercrt.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 7zG.exe
pid | process
5984 | 7zG.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: valiantspooferpaid.exe
pid | process
5576 | valiantspooferpaid.exe
4324 | valiantspooferpaid.exe
6836 | valiantspooferpaid.exe
280 | valiantspooferpaid.exe
7124 | valiantspooferpaid.exe
6828 | valiantspooferpaid.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 6 IoCs
Processes: msedge.exe, Windrivercrt.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | msedge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | msedge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windrivercrt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Windrivercrt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Windrivercrt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msedge.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file
PID: 1624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=9960,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9136 /prefetch:11⤵PID:5908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=10096,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10092 /prefetch:11⤵PID:6008
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=10236,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10180 /prefetch:11⤵PID:6072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=10368,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10332 /prefetch:81⤵
- Drops file in Program Files directory
PID:6084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=10516,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10480 /prefetch:11⤵PID:6120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=10176,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10748 /prefetch:11⤵PID:6128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=7148,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9160 /prefetch:11⤵PID:6240
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10732,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10948 /prefetch:81⤵PID:6248
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=9440,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9796 /prefetch:11⤵PID:6348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=8924,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10088 /prefetch:11⤵PID:6684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=10072,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10364 /prefetch:11⤵PID:6696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=6888,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7004 /prefetch:11⤵PID:6704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=9056,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8680 /prefetch:11⤵PID:7004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=9876,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9924 /prefetch:11⤵PID:7012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=10256,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=11084 /prefetch:11⤵PID:7068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=8300,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10300 /prefetch:11⤵PID:7084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=10464,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=11004 /prefetch:11⤵PID:7092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=7000,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:11⤵PID:7148
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6540
-
Level 1: C:\Program Files\7-Zip\7zG.exe (PID 5984)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ValiantSpooferPaid\" -spe -an -ai#7zMap7654:98:7zEvent2033
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

Level 1: C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (PID 5576)
  cmd: "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 6616)
    cmd: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 6772)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      - Suspicious use of WriteProcessMemory
      Level 4: C:\msAgentServer\Windrivercrt.exe (PID 6956)
        cmd: "C:\msAgentServer\Windrivercrt.exe"
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        Level 5: C:\Windows\System32\cmd.exe (PID 1552)
          cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N2kvYgGXaz.bat"
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\system32\w32tm.exe (PID 5992)
            cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          Level 6: C:\Windows\Vss\Writers\msedge.exe (PID 6636)
            cmd: "C:\Windows\Vss\Writers\msedge.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            Level 7: C:\Windows\System32\WScript.exe (PID 4576)
              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95e41f4-e9f2-461e-bc97-edbe74c69a00.vbs"
            Level 7: C:\Windows\System32\WScript.exe (PID 5752)
              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c53e1cd-0b14-4089-b381-1276ebbef57f.vbs"
      Level 4: C:\Windows\SysWOW64\reg.exe (PID 5232)
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

Level 1: C:\Windows\system32\schtasks.exe (PID 5756)
  cmd: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7124)
  cmd: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7112)
  cmd: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7156)
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 1184)
  cmd: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6512)
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5744)
  cmd: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5716)
  cmd: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5216)
  cmd: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 4576)
  cmd: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 1552)
  cmd: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 540)
  cmd: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5236)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 2272)
  cmd: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5968)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5220)
  cmd: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\msAgentServer\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 4324)
  cmd: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\msAgentServer\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 3468)
  cmd: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\msAgentServer\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6076)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\msedge.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6184)
  cmd: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Setup\State\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6072)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5568)
  cmd: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\TrustedInstaller.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5576)
  cmd: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\msAgentServer\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6636)
  cmd: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\msAgentServer\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6656)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6796)
  cmd: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6940)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6856)
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6876)
  cmd: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7088)
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7104)
  cmd: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7108)
  cmd: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7140)
  cmd: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5720)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\msedge.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 7068)
  cmd: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6540)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 6012)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\msedge.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 3292)
  cmd: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\msAgentServer\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Windows\system32\schtasks.exe (PID 5148)
  cmd: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\msAgentServer\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

Level 1: C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (PID 4324)
  cmd: "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 6160)
    cmd: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 6876)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      - Suspicious use of WriteProcessMemory
      Level 4: C:\msAgentServer\Windrivercrt.exe (PID 7072)
        cmd: "C:\msAgentServer\Windrivercrt.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\reg.exe (PID 2500)
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

Level 1: C:\Windows\system32\vssvc.exe (PID 4612)
  cmd: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (PID 6836)
  cmd: "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 6140)
    cmd: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 972)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      - Suspicious use of WriteProcessMemory
      Level 4: C:\msAgentServer\Windrivercrt.exe (PID 7156)
        cmd: "C:\msAgentServer\Windrivercrt.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\reg.exe (PID 6944)
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6276)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5536,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8

Level 1: C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (PID 280)
  cmd: "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 5880)
    cmd: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 1200)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      - Suspicious use of WriteProcessMemory
      Level 4: C:\msAgentServer\Windrivercrt.exe (PID 3488)
        cmd: "C:\msAgentServer\Windrivercrt.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\reg.exe (PID 5884)
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

Level 1: C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (PID 7124)
  cmd: "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 6788)
    cmd: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 3152)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      - Suspicious use of WriteProcessMemory
      Level 4: C:\msAgentServer\Windrivercrt.exe (PID 5148)
        cmd: "C:\msAgentServer\Windrivercrt.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\reg.exe (PID 6320)
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4668)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=9468,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9272 /prefetch:8

Level 1: C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (PID 6828)
  cmd: "C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 5884)
    cmd: "C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"
    - Checks computer location settings
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 1824)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "
      Level 4: C:\msAgentServer\Windrivercrt.exe (PID 5148)
        cmd: "C:\msAgentServer\Windrivercrt.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windrivercrt.exe.log (Filesize 1KB)
  MD5: bbb951a34b516b66451218a3ec3b0ae1
  SHA1: 7393835a2476ae655916e0a9687eeaba3ee876e9
  SHA256: eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
  SHA512: 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
- C:\Users\Admin\AppData\Local\Temp\6c53e1cd-0b14-4089-b381-1276ebbef57f.vbs (Filesize 485B)
  MD5: 6af0004dc7b894ed9bc161e5c129dc5a
  SHA1: 567d65792f0dbf31a35ec0a60a94676e87c48d76
  SHA256: b7346fe2e5d2b752a680d6824ddf873a9af357ac4b567361b8d3a2f048b89a4f
  SHA512: 0295a143d5844c0933753c14861433c85ec574a43b0adb64e32f88a0f5b528190258c1136337b64a66f252eb5ae7041cfee685429d7259c235659593d0f1609e
- C:\Users\Admin\AppData\Local\Temp\N2kvYgGXaz.bat (Filesize 198B)
  MD5: 8c3b13d359bb173bb5ab1a3f0e64ce4a
  SHA1: 7be96cd1b1ecce693241c94451e50cef78669782
  SHA256: c3cfc036cb03ba918900264a958892434d0ec34d296275f129230a5d79de53c5
  SHA512: d2b11049081878f90fc9f1cc7e8c2170d5b547bdfa5f940752dd059cb63160de27b0131221c3d9422d44c6c9b3a8265f9c5bc9f7766fee76f1579c3b61ff9fb9
- C:\Users\Admin\AppData\Local\Temp\a95e41f4-e9f2-461e-bc97-edbe74c69a00.vbs (Filesize 709B)
  MD5: 8ecbeb29643548c6d49cfcbae2c5e681
  SHA1: 59ed891b200f1cd678ec02c2ebd7c67244c6cc4f
  SHA256: 0481c32b420db2b67230872548832bce5e2a173b6dba47dfb7734df607956176
  SHA512: 34342885467a97f91435dd83e5d82ae0aa54916f4af9bb64b0c26a67f5e765df3de4fe85b72c77d62518d15ea28a5cd1db2f432e9bbf33422cbc541c7026fdb1
- C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe (Filesize 1.9MB)
  MD5: 957ba1a651b750713d78d437ed8a3c7a
  SHA1: 14fdc69fc21dc9516931f5227d5d66ac1598c69a
  SHA256: 7b6a4e1d88e9c477ac1b77f3255a9daa54c083830ad81687cd45b2f237b8237c
  SHA512: c1ee2c80192b3f6a501d9958f49565111bdd7ee962fd05e5aab6af5fffc8bb41fb11f56ad590d60915271ecf2e9f774dd58472b6431b9cbebebfc9596efc85b5
- C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat (Filesize 147B)
  MD5: e1f65135829b69dd7821d59410d13e2a
  SHA1: 24b0c9b6360afd46c770aec60807e4796bcd31fa
  SHA256: addde1c2adf45d57e91d73e20f95087a07ef6f1b0287894a207f54ce57b841a7
  SHA512: 020241921bd533ef833ccc34a34f4404e2278e586168dc064b74827abf125640783e6b9d00318a955f4a525236d2540a26775b1a980c5be5f4137b79ba1aa985
- C:\msAgentServer\Windrivercrt.exe (Filesize 1.6MB)
  MD5: cc022adec49e3a4e30ef5a2574f06349
  SHA1: 2eb9f31932785a8c31bf505daff842749a34692a
  SHA256: a931aa10f393de1169f4616686b3f02c3323f064be3edb69d160dc3e0fe67759
  SHA512: 7146be48b4ead35d0d1e150784ac2acfaaf14c7c04690f8059ad61787a0eec2bdd04ab84f45f76a5498c5aed80d14a244a7ca4f1781ba0424d8a5f828f80aef0
- C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe (Filesize 218B)
  MD5: 1ec6b23ee71cd4838514f2984cfbec8f
  SHA1: 0bdf20ddab114712d7b846535896ac7865a48401
  SHA256: d1aebe6120e77195acccb1a39d91e079c83128b54b200d8aaf55e38c852a27ab
  SHA512: d673e5ec51cc6ba73289bcc0d126653ce0e650f79bd119e83d68ddae012be40c4dd3793fa6e897b078365c0ce3c4f6efb1c331736ebd2f3b6873a662978dc736
- memory/6956-24-0x000000001BB50000-0x000000001BB5C000-memory.dmp (Filesize 48KB)
- memory/6956-32-0x000000001C460000-0x000000001C46C000-memory.dmp (Filesize 48KB)
- memory/6956-22-0x000000001BB60000-0x000000001BB70000-memory.dmp (Filesize 64KB)
- memory/6956-23-0x000000001BB40000-0x000000001BB4A000-memory.dmp (Filesize 40KB)
- memory/6956-20-0x000000001BB20000-0x000000001BB30000-memory.dmp (Filesize 64KB)
- memory/6956-25-0x000000001BB70000-0x000000001BB82000-memory.dmp (Filesize 72KB)
- memory/6956-26-0x000000001C740000-0x000000001CC68000-memory.dmp (Filesize 5.2MB)
- memory/6956-27-0x000000001C210000-0x000000001C21C000-memory.dmp (Filesize 48KB)
- memory/6956-28-0x000000001C220000-0x000000001C22C000-memory.dmp (Filesize 48KB)
- memory/6956-21-0x000000001BB30000-0x000000001BB38000-memory.dmp (Filesize 32KB)
- memory/6956-31-0x000000001C350000-0x000000001C358000-memory.dmp (Filesize 32KB)
- memory/6956-30-0x000000001C340000-0x000000001C34E000-memory.dmp (Filesize 56KB)
- memory/6956-29-0x000000001C330000-0x000000001C33A000-memory.dmp (Filesize 40KB)
- memory/6956-19-0x0000000002FE0000-0x0000000002FE8000-memory.dmp (Filesize 32KB)
- memory/6956-18-0x000000001C1C0000-0x000000001C210000-memory.dmp (Filesize 320KB)
- memory/6956-17-0x0000000002FC0000-0x0000000002FDC000-memory.dmp (Filesize 112KB)
- memory/6956-16-0x0000000000D60000-0x0000000000EFE000-memory.dmp (Filesize 1.6MB)