Analysis
max time kernel: 1800s
max time network: 1806s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 03-11-2024 20:58
General
Target: bot.exe
Size: 3.2MB
MD5: d9f7208d0116dcde22ece5048ac6c37d
SHA1: f9b23d695bb875f032292983fe537c48bc02a657
SHA256: 15ba1de7e069b6615cc13a43cc2b50426065e92e018066b0e3a3af43bba522ee
SHA512: 152289834cfcf4fc78bd0799a78752587b06dd1c839ee46e050a03c99e1d527de995bd9430fbaee6da3d999293f00dbaa1d07736137e08c7740d5edb7263b114
SSDEEP: 49152:ubA3j4Ovfe+uuyV5rPOf82wtPXbGuTVHXZiyF3U5zKY7SeVZ9:ubSvfmV5kjwVbLXq5zKY9VZ9
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that is modular and can load additional plugins.

Dcrat family
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the Windows-supplied WMI provider host (C:\Windows\system32\wbem\wmiprvse.exe, PID 1772), not the dropped look-alike C:\Users\Public\Downloads\WmiPrvSE.exe (PID 2768) that appears in the process tree. Children of the real WmiPrvSE.exe are normally the result of a WMI call such as Win32_Process.Create rather than of an exploit, so the 51 schtasks.exe launches below are consistent with the sample creating its scheduled tasks through WMI instead of invoking schtasks.exe directly; the true launcher therefore never appears as the parent in process telemetry.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (see below) | 1772 | schtasks.exe | 86

All 51 rows carry the description, pid_target (1772) and procid_target (86) above; the pid column (the spawned schtasks.exe) takes these values, in report order:
3172, 3000, 2532, 5608, 5560, 4760, 1104, 5308, 4564, 5276, 4456, 2372, 2432, 5228, 5244, 3916, 5800, 3160, 1804, 2264, 3856, 820, 2788, 5236, 4840, 2596, 5684, 4016, 1944, 2396, 2252, 1696, 3220, 1412, 1408, 5760, 2324, 3156, 3532, 2876, 1296, 5072, 1200, 5060, 5344, 6016, 5996, 4756, 4152, 1568, 5656
UAC bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Containerreview.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Containerreview.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Containerreview.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
DCRat payload (yara rule matches) 34 IoCs
Every memory match below is a region of exactly 0x2E0000 bytes in a different dropped process (PIDs 5456, 2768, 1700, 3076, 2744, 3848, 4940, 4476, 732, 5208, 4288, 4724, 756, 5440, 2668, 5408), which is consistent with one and the same payload image running under each of the copied system-binary names listed under "Executes dropped EXE".

resource | yara_rule
behavioral1/files/0x00280000000450e2-13.dat | dcrat
behavioral1/memory/5456-16-0x0000000000220000-0x0000000000500000-memory.dmp | dcrat
behavioral1/files/0x00280000000451cb-73.dat | dcrat
behavioral1/files/0x002a0000000451cd-88.dat | dcrat
behavioral1/files/0x00290000000451d0-111.dat | dcrat
behavioral1/files/0x002a00000004514f-119.dat | dcrat
behavioral1/files/0x002f00000004516c-143.dat | dcrat
behavioral1/files/0x002800000004519b-151.dat | dcrat
behavioral1/files/0x002b0000000451a0-159.dat | dcrat
behavioral1/files/0x00290000000451af-166.dat | dcrat
behavioral1/files/0x002b0000000451ac-174.dat | dcrat
behavioral1/files/0x002a0000000451b2-182.dat | dcrat
behavioral1/files/0x00290000000451bc-197.dat | dcrat
behavioral1/memory/2768-210-0x00000000009C0000-0x0000000000CA0000-memory.dmp | dcrat
behavioral1/memory/1700-498-0x0000000000330000-0x0000000000610000-memory.dmp | dcrat
behavioral1/files/0x002a0000000451b5-508.dat | dcrat
behavioral1/memory/3076-510-0x0000000000880000-0x0000000000B60000-memory.dmp | dcrat
behavioral1/files/0x0029000000045106-511.dat | dcrat
behavioral1/memory/2744-513-0x0000000000AE0000-0x0000000000DC0000-memory.dmp | dcrat
behavioral1/memory/3848-518-0x0000000000940000-0x0000000000C20000-memory.dmp | dcrat
behavioral1/memory/4940-521-0x0000000000BA0000-0x0000000000E80000-memory.dmp | dcrat
behavioral1/files/0x002a000000045110-535.dat | dcrat
behavioral1/files/0x0027000000045198-537.dat | dcrat
behavioral1/memory/4476-538-0x0000000000840000-0x0000000000B20000-memory.dmp | dcrat
behavioral1/memory/732-540-0x0000000000E90000-0x0000000001170000-memory.dmp | dcrat
behavioral1/files/0x00280000000451d2-543.dat | dcrat
behavioral1/memory/5208-545-0x0000000000D20000-0x0000000001000000-memory.dmp | dcrat
behavioral1/memory/4288-548-0x00000000005D0000-0x00000000008B0000-memory.dmp | dcrat
behavioral1/memory/4724-555-0x0000000000B10000-0x0000000000DF0000-memory.dmp | dcrat
behavioral1/files/0x0029000000045146-562.dat | dcrat
behavioral1/memory/756-560-0x00000000000F0000-0x00000000003D0000-memory.dmp | dcrat
behavioral1/memory/5440-563-0x0000000000720000-0x0000000000A00000-memory.dmp | dcrat
behavioral1/memory/2668-566-0x00000000008B0000-0x0000000000B90000-memory.dmp | dcrat
behavioral1/memory/5408-576-0x0000000000360000-0x0000000000640000-memory.dmp | dcrat
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain countries).

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | bot.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | Containerreview.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | WmiPrvSE.exe
Executes dropped EXE 43 IoCs
pid | Process
5456 | Containerreview.exe
2768 | WmiPrvSE.exe
1700 | Containerreview.exe
3076 | services.exe
2744 | dwm.exe
3848 | smss.exe
4940 | sysmon.exe
4476 | sihost.exe
732 | conhost.exe
5208 | fontdrvhost.exe
4288 | TextInputHost.exe
5836 | Containerreview.exe
4412 | WmiPrvSE.exe
4724 | explorer.exe
756 | taskhostw.exe
5440 | dllhost.exe
2668 | csrss.exe
3188 | services.exe
5612 | dwm.exe
5408 | spoolsv.exe
4792 | smss.exe
3364 | sysmon.exe
5208 | sihost.exe
6120 | Containerreview.exe
5160 | conhost.exe
1844 | services.exe
748 | dwm.exe
1484 | fontdrvhost.exe
2032 | TextInputHost.exe
5720 | smss.exe
1100 | Containerreview.exe
2268 | WmiPrvSE.exe
5900 | sysmon.exe
3864 | explorer.exe
4772 | taskhostw.exe
1560 | dllhost.exe
1600 | csrss.exe
1556 | sihost.exe
6012 | conhost.exe
5916 | services.exe
5176 | spoolsv.exe
5408 | dwm.exe
3344 | Containerreview.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Containerreview.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Containerreview.exe
Drops file in Program Files directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\RCX5F2.tmp | Containerreview.exe
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe | Containerreview.exe
File opened for modification | C:\Program Files\Windows Portable Devices\smss.exe | Containerreview.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e7ed6e98-679d-4b15-a172-80d7272ad716.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241103210140.pma | setup.exe
File created | C:\Program Files (x86)\Microsoft\Edge\dllhost.exe | Containerreview.exe
File created | C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\5b884080fd4f94 | Containerreview.exe
File created | C:\Program Files\Windows Portable Devices\smss.exe | Containerreview.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\RCX10D7.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCX2400.tmp | Containerreview.exe
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB06.tmp | Containerreview.exe
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB84.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\RCXDA7.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX20EF.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX216D.tmp | Containerreview.exe
File created | C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe | Containerreview.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\dllhost.exe | Containerreview.exe
File created | C:\Program Files\Internet Explorer\es-ES\conhost.exe | Containerreview.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\RCX574.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\RCXE45.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\RCX1059.tmp | Containerreview.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\conhost.exe | Containerreview.exe
File created | C:\Program Files\Internet Explorer\es-ES\088424020bedd6 | Containerreview.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\services.exe | Containerreview.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\RCX2382.tmp | Containerreview.exe
File created | C:\Program Files (x86)\Microsoft\Edge\5940a34987c991 | Containerreview.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe | Containerreview.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\121e5b5079f7c0 | Containerreview.exe
File created | C:\Program Files\Windows Portable Devices\69ddcba757bf72 | Containerreview.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\c5b4cb5e9653cc | Containerreview.exe
File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe | Containerreview.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\services.exe | Containerreview.exe
Drops file in Windows directory 15 IoCs
description | ioc | Process
File created | C:\Windows\en-US\6cb0b6c459d5d3 | Containerreview.exe
File created | C:\Windows\twain_32\taskhostw.exe | Containerreview.exe
File created | C:\Windows\twain_32\ea9f0e6c9e2dcd | Containerreview.exe
File opened for modification | C:\Windows\en-US\RCXFC56.tmp | Containerreview.exe
File opened for modification | C:\Windows\en-US\dwm.exe | Containerreview.exe
File opened for modification | C:\Windows\twain_32\RCXFFA3.tmp | Containerreview.exe
File opened for modification | C:\Windows\twain_32\taskhostw.exe | Containerreview.exe
File created | C:\Windows\en-US\dwm.exe | Containerreview.exe
File opened for modification | C:\Windows\TAPI\RCX1EEB.tmp | Containerreview.exe
File opened for modification | C:\Windows\TAPI\explorer.exe | Containerreview.exe
File created | C:\Windows\TAPI\7a0fd90576e088 | Containerreview.exe
File opened for modification | C:\Windows\twain_32\RCX6F.tmp | Containerreview.exe
File created | C:\Windows\TAPI\explorer.exe | Containerreview.exe
File opened for modification | C:\Windows\en-US\RCXFCE3.tmp | Containerreview.exe
File opened for modification | C:\Windows\TAPI\RCX1E6D.tmp | Containerreview.exe
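The two drop tables above and the "Executes dropped EXE" list share one pattern: the sample copies itself under the names of core Windows binaries (smss.exe, csrss.exe, services.exe, dwm.exe, ...) into directories where those names never legitimately live (C:\Windows\en-US, C:\Windows\TAPI, C:\Program Files\Windows Portable Devices), and writes a 14-character hex file with no extension beside each copy. The detector below is an added example written for this report, not code from the sandbox or from the sample: it scores file paths by whether a protected name sits outside its expected home. The expected-directory table, the Sysmon install location and the three benign control paths are this example's own assumptions; the remaining paths are the ones the report lists.

```python
"""Spot system-binary names dropped outside the directory Windows keeps them in.

Added example for this report, not code from the sandbox or from the sample.
"""
import re
from ntpath import basename, dirname, normcase

# Regex over the normalized (lower-case) directory for each protected name.
# Assumption: one expected home per name; a real host also has WinSxS and
# servicing copies that a production rule would allowlist explicitly.
SYS32 = r"c:\\windows\\system32"
EXPECTED_DIR = {
    "smss.exe": SYS32, "csrss.exe": SYS32, "services.exe": SYS32, "dwm.exe": SYS32,
    "conhost.exe": SYS32, "fontdrvhost.exe": SYS32, "sihost.exe": SYS32,
    "taskhostw.exe": SYS32, "dllhost.exe": SYS32, "spoolsv.exe": SYS32,
    "wmiprvse.exe": SYS32 + r"\\wbem",
    "explorer.exe": r"c:\\windows",
    "textinputhost.exe": r"c:\\windows\\systemapps\\[^\\]+",
    "sysmon.exe": r"c:\\windows",   # Sysinternals default install dir (assumption)
}

# Beside every dropped copy this report shows a 14-character lower-case hex file
# with no extension (e.g. C:\Windows\en-US\6cb0b6c459d5d3); treat it as a
# companion artefact of the same dropper.
COMPANION = re.compile(r"^[0-9a-f]{14}$")


def classify(path: str) -> str:
    """Return 'masquerade', 'companion' or 'benign' for one file path."""
    name = normcase(basename(path))
    folder = normcase(dirname(path))
    expected = EXPECTED_DIR.get(name)
    if expected is not None and re.fullmatch(expected, folder) is None:
        return "masquerade"
    if COMPANION.match(name):
        return "companion"
    return "benign"


def scan(paths):
    """Group paths by verdict, preserving input order."""
    out = {"masquerade": [], "companion": [], "benign": []}
    for p in paths:
        out[classify(p)].append(p)
    return out


# Paths from the report's drop tables and process tree, plus four constructed
# benign controls at the end (the real binaries and an Edge metrics file).
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe",
    r"C:\Program Files\Windows Portable Devices\smss.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\dllhost.exe",
    r"C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe",
    r"C:\Program Files\Internet Explorer\es-ES\conhost.exe",
    r"C:\Program Files\Windows Security\BrowserCore\en-US\services.exe",
    r"C:\Windows\twain_32\taskhostw.exe",
    r"C:\Windows\en-US\dwm.exe",
    r"C:\Windows\TAPI\explorer.exe",
    r"C:\Users\Public\Downloads\WmiPrvSE.exe",
    r"C:\Windows\en-US\6cb0b6c459d5d3",
    r"C:\Windows\twain_32\ea9f0e6c9e2dcd",
    r"C:\Windows\TAPI\7a0fd90576e088",
    r"C:\Program Files (x86)\Microsoft\Edge\5940a34987c991",
    r"C:\Windows\System32\dwm.exe",                      # control (constructed)
    r"C:\Windows\explorer.exe",                          # control (constructed)
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",            # control (constructed)
    r"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241103210140.pma",
]

if __name__ == "__main__":
    for verdict, hits in scan(SAMPLE_PATHS).items():
        print(f"{verdict}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

On a live host the same check can be run over a file-creation event stream (Sysmon event 11) or over the image path of every running process; the masquerade verdict is the high-confidence one, the companion verdict only corroborates it.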
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bot.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings | Containerreview.exe
Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings | WmiPrvSE.exe
Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings | bot.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
6132 | reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process (all 51 rows are schtasks.exe)
2532, 1804, 3532, 6016, 1408, 2324, 1296, 3000, 3856, 820, 2596, 1696, 5072, 4152, 2876, 5276, 2432, 2788, 4016, 2252, 2396, 3172, 5608, 5560, 4760, 4564, 1944, 3220, 1412, 1200, 3156, 4756, 5656, 1104, 2372, 5244, 2264, 5684, 4456, 5236, 5060, 5344, 1568, 4840, 5760, 5996, 5308, 5228, 3916, 5800, 3160
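The 51 schtasks.exe PIDs listed here are the same ones shown under "Process spawned unexpected child process", where every one of them has the Windows-supplied wmiprvse.exe (PID 1772) as its parent. The detector below is an added example written for this report, not code from the sandbox or from the sample, and it serves both signatures: it flags launcher-type children of the real WMI provider host (an exact path match, so the dropped look-alike C:\Users\Public\Downloads\WmiPrvSE.exe does not qualify) and counts how many such spawns fall inside a sliding time window, which separates a one-off administrative WMI call from a task-creation storm like this one. The event records are constructed: PIDs and the parent path come from the report, the timestamps, the schtasks.exe image path and the two control events do not.

```python
"""Flag processes spawned by the Windows-supplied WMI provider host.

Added example for this report, not code from the sandbox or from the sample.
"""
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename, normcase

# The real provider host, compared by exact normalized path. A look-alike such as
# C:\Users\Public\Downloads\WmiPrvSE.exe (PID 2768 in this report) must not match;
# that is a masquerade, which is a different detection.
WMI_HOST = normcase(r"C:\Windows\system32\wbem\wmiprvse.exe")

# Children the provider host itself should essentially never create. When it
# does, the usual cause is a Win32_Process.Create call made over WMI, i.e. the
# real launcher never appears as the parent in process telemetry.
LAUNCHER_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                     "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: float            # seconds since trace start (constructed)
    pid: int             # new process
    ppid: int            # parent
    image: str           # full path of the new process
    parent_image: str    # full path of the parent


def is_real_wmi_host(image: str) -> bool:
    """Exact, case-insensitive path match against the Windows binary."""
    return normcase(image) == WMI_HOST


def wmi_spawn_alerts(events, burst_threshold=5, window_s=60.0):
    """Return (hits, bursts).

    hits:   one (pid, child_name) per launcher child of the real wmiprvse.exe
    bursts: (parent_pid, max_spawns) for parents that reach burst_threshold
            spawns inside any window_s-second window
    """
    hits = []
    spawn_times = defaultdict(list)
    for e in events:
        if not is_real_wmi_host(e.parent_image):
            continue
        child = normcase(basename(e.image))
        if child in LAUNCHER_CHILDREN:
            hits.append((e.pid, child))
            spawn_times[e.ppid].append(e.ts)

    bursts = []
    for ppid, stamps in spawn_times.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, t in enumerate(stamps):      # sliding window over sorted times
            while t - stamps[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= burst_threshold:
            bursts.append((ppid, best))
    return hits, bursts


# Constructed sample: six of the report's 51 schtasks.exe launches (the report
# records only the name, so the System32 path is assumed), one benign process
# creation, and the dropped look-alike WmiPrvSE.exe launching Edge.
SAMPLE_EVENTS = [
    ProcEvent(100.0 + i * 0.5, pid, 1772,
              r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe")
    for i, pid in enumerate((3172, 3000, 2532, 5608, 5560, 4760))
] + [
    ProcEvent(110.0, 4321, 1000, r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(120.0, 2788, 2768,
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Users\Public\Downloads\WmiPrvSE.exe"),
]

if __name__ == "__main__":
    hits, bursts = wmi_spawn_alerts(SAMPLE_EVENTS)
    for pid, child in hits:
        print(f"wmiprvse.exe spawned {child} (pid {pid})")
    for ppid, n in bursts:
        print(f"burst: parent {ppid} spawned {n} launcher children inside 60 s")
```

Because the WMI caller is invisible in the parent/child relationship, the follow-up on a real host is to correlate with WMI-Activity operational logging (the Win32_Process.Create request carries the calling process) rather than to chase the wmiprvse.exe parent.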
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5456 | Containerreview.exe (64 identical rows)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2768 | WmiPrvSE.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid | Process
2788 | msedge.exe (12 identical rows)
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5456 | Containerreview.exe
Token: SeDebugPrivilege | 2768 | WmiPrvSE.exe
Token: SeBackupPrivilege | 6048 | vssvc.exe
Token: SeRestorePrivilege | 6048 | vssvc.exe
Token: SeAuditPrivilege | 6048 | vssvc.exe
Token: SeDebugPrivilege | 1700 | Containerreview.exe
Token: SeDebugPrivilege | 3076 | services.exe
Token: SeDebugPrivilege | 2744 | dwm.exe
Token: SeDebugPrivilege | 3848 | smss.exe
Token: SeDebugPrivilege | 4940 | sysmon.exe
Token: SeDebugPrivilege | 4476 | sihost.exe
Token: SeDebugPrivilege | 732 | conhost.exe
Token: SeDebugPrivilege | 5208 | fontdrvhost.exe
Token: SeDebugPrivilege | 4288 | TextInputHost.exe
Token: SeDebugPrivilege | 5836 | Containerreview.exe
Token: SeDebugPrivilege | 4412 | WmiPrvSE.exe
Token: SeDebugPrivilege | 4724 | explorer.exe
Token: SeDebugPrivilege | 5440 | dllhost.exe
Token: SeDebugPrivilege | 756 | taskhostw.exe
Token: SeDebugPrivilege | 2668 | csrss.exe
Token: SeDebugPrivilege | 3188 | services.exe
Token: SeDebugPrivilege | 5612 | dwm.exe
Token: SeDebugPrivilege | 5408 | spoolsv.exe
Token: SeDebugPrivilege | 4792 | smss.exe
Token: SeDebugPrivilege | 3364 | sysmon.exe
Token: SeDebugPrivilege | 5208 | sihost.exe
Token: SeDebugPrivilege | 6120 | Containerreview.exe
Token: SeDebugPrivilege | 5160 | conhost.exe
Token: SeDebugPrivilege | 1844 | services.exe
Token: SeDebugPrivilege | 748 | dwm.exe
Token: SeDebugPrivilege | 1484 | fontdrvhost.exe
Token: SeDebugPrivilege | 2032 | TextInputHost.exe
Token: SeDebugPrivilege | 5720 | smss.exe
Token: SeDebugPrivilege | 1100 | Containerreview.exe
Token: SeDebugPrivilege | 2268 | WmiPrvSE.exe
Token: SeDebugPrivilege | 5900 | sysmon.exe
Token: SeDebugPrivilege | 3864 | explorer.exe
Token: SeDebugPrivilege | 4772 | taskhostw.exe
Token: SeDebugPrivilege | 1560 | dllhost.exe
Token: SeDebugPrivilege | 1600 | csrss.exe
Token: SeDebugPrivilege | 1556 | sihost.exe
Token: SeDebugPrivilege | 6012 | conhost.exe
Token: SeDebugPrivilege | 5916 | services.exe
Token: SeDebugPrivilege | 5176 | spoolsv.exe
Token: SeDebugPrivilege | 5408 | dwm.exe
Token: SeDebugPrivilege | 3344 | Containerreview.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2788 | msedge.exe (2 identical rows)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2768 | WmiPrvSE.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 5304 wrote to memory of 1160 | 5304 | bot.exe | 81 | 3
PID 1160 wrote to memory of 5008 | 1160 | WScript.exe | 88 | 3
PID 5008 wrote to memory of 5456 | 5008 | cmd.exe | 90 | 2
PID 5456 wrote to memory of 4044 | 5456 | Containerreview.exe | 144 | 2
PID 5008 wrote to memory of 6132 | 5008 | cmd.exe | 146 | 3
PID 4044 wrote to memory of 4228 | 4044 | cmd.exe | 147 | 2
PID 4044 wrote to memory of 2768 | 4044 | cmd.exe | 149 | 2
PID 2768 wrote to memory of 5040 | 2768 | WmiPrvSE.exe | 150 | 2
PID 2768 wrote to memory of 5944 | 2768 | WmiPrvSE.exe | 151 | 2
PID 2768 wrote to memory of 2788 | 2768 | WmiPrvSE.exe | 157 | 2
PID 2788 wrote to memory of 4444 | 2788 | msedge.exe | 158 | 2
PID 2788 wrote to memory of 3100 | 2788 | msedge.exe | 159 | 39
(identical rows collapsed; the "rows" column gives how many times each appears in the report, 64 in total)
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Containerreview.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Containerreview.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Containerreview.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe
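The three values written here are the whole UAC policy for administrators: EnableLUA=0 switches UAC off at the next reboot, ConsentPromptBehaviorAdmin=0 makes elevation silent until then, and PromptOnSecureDesktop=0 moves any prompt that is still shown onto the ordinary desktop where it can be spoofed or clicked by injected input. The evaluator below is an added example written for this report, not code from the sandbox or from the sample: it parses the six IoC rows as pasted from the report, replays them over the Windows secure defaults (default values and their meaning are standard Windows behaviour, not something the report states) and reports what the combination does. The same three values read from HKLM on a live host (reg query or Get-ItemProperty) can be fed to the same functions.

```python
"""Evaluate the UAC policy values a sample writes against the secure defaults.

Added example for this report, not code from the sandbox or from the sample.
"""
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (secure default, value the malware wants, what that value does)
BASELINE = {
    "EnableLUA": (1, 0, "UAC disabled entirely; takes effect at the next reboot"),
    "ConsentPromptBehaviorAdmin": (5, 0, "administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": (1, 0, "elevation prompts drawn on the normal desktop, where they can be spoofed"),
}

# Report rows look like:  Set value (int) <key>\<name> = "<data>" <process>
ROW = re.compile(r'^Set value \(int\) (?P<path>\S+) = "(?P<data>-?\d+)" (?P<proc>\S+)$')


def parse_rows(lines):
    """Return (process, value_name, int_data) for each write under the UAC policy key."""
    out = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        key, _, name = m["path"].rpartition("\\")
        if key.lower() == UAC_KEY.lower():
            out.append((m["proc"], name, int(m["data"])))
    return out


def state_after(changes):
    """Policy state once every write has been applied, starting from the defaults."""
    state = {name: default for name, (default, _, _) in BASELINE.items()}
    for _, name, data in changes:
        state[name] = data
    return state


def findings(changes):
    """One finding per write that sets a value to the weak setting."""
    return [(proc, name, data, BASELINE[name][2])
            for proc, name, data in changes
            if name in BASELINE and data == BASELINE[name][1]]


def uac_effective(state):
    """True while administrators are still guaranteed an elevation prompt."""
    return state["EnableLUA"] == 1 and state["ConsentPromptBehaviorAdmin"] != 0


# The six rows from the report, verbatim.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" WmiPrvSE.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" WmiPrvSE.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Containerreview.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Containerreview.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Containerreview.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WmiPrvSE.exe',
]

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, name, data, effect in findings(rows):
        print(f"{proc} set {name}={data}: {effect}")
    final = state_after(rows)
    print("final policy:", final, "UAC still effective:", uac_effective(final))
```

The ordering matters for response: ConsentPromptBehaviorAdmin=0 weakens the next elevation immediately, while EnableLUA=0 only bites after a reboot, so a host caught at this stage should have all three values restored before it is restarted.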
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each process is shown with its image path, PID and command line, indented by its depth in the tree (1 = the submitted sample); the bullets beneath a process are the signatures the report attributes to it. Two details are worth reading off the tree. bot.exe runs as a 32-bit process: the WScript.exe and cmd.exe it launches are the WoW64 copies in C:\Windows\SysWOW64 even though their command lines name C:\Windows\System32 (WoW64 file-system redirection), whereas the dropped Containerreview.exe starts the native C:\Windows\System32\cmd.exe. And w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 serves no time-sync purpose here; it is a common batch-file substitute for a few seconds of sleep before the next stage is launched.

[1] C:\Users\Admin\AppData\Local\Temp\bot.exe  (PID 5304)
    command line: "C:\Users\Admin\AppData\Local\Temp\bot.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe  (PID 1160)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 5008)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe  (PID 5456)
          command line: "C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe"
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

        [5] C:\Windows\System32\cmd.exe  (PID 4044)
            command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g8OmkPCg94.bat"
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\w32tm.exe  (PID 4228)
              command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

          [6] C:\Users\Public\Downloads\WmiPrvSE.exe  (PID 2768)
              command line: "C:\Users\Public\Downloads\WmiPrvSE.exe"
              - UAC bypass
              - Checks computer location settings
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Modifies registry class
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - System policy modification

            [7] C:\Windows\System32\WScript.exe  (PID 5040)
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4006af5-44eb-4125-bc45-efa280e0d481.vbs"

            [7] C:\Windows\System32\WScript.exe  (PID 5944)
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b97db559-b74a-47df-83f2-a316bb976443.vbs"

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2788)
                command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12941/
                - Enumerates system info in registry
                - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4444)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdd04746f8,0x7ffdd0474708,0x7ffdd0474718

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3100)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3352)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3716)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4472)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1480)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4460)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4348)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:88⤵PID:4828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings8⤵
- Drops file in Program Files directory
PID:516 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff70bb55460,0x7ff70bb55470,0x7ff70bb554809⤵PID:5756
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:88⤵PID:928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:18⤵PID:5424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:18⤵PID:544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:18⤵PID:3200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:18⤵PID:3516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵PID:1400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:18⤵PID:1072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:28⤵PID:3816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:18⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:18⤵PID:552
-
-
-
-
-
-
PID 6132 (depth 4): C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  - System Location Discovery: System Language Discovery
  - Modifies registry key

Scheduled task creation: 51 entries, all at tree depth 1, all C:\Windows\system32\schtasks.exe, each carrying the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". Three tasks per dropped copy: a MINUTE task at the default run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST.

PID 3172: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
PID 3000: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 2532: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 5608: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\dwm.exe'" /f
PID 5560: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
PID 4760: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
PID 1104: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\taskhostw.exe'" /f
PID 5308: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\twain_32\taskhostw.exe'" /rl HIGHEST /f
PID 4564: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\taskhostw.exe'" /rl HIGHEST /f
PID 5276: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
PID 4456: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
PID 2372: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
PID 2432: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /f
PID 5228: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /rl HIGHEST /f
PID 5244: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /rl HIGHEST /f
PID 3916: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /f
PID 5800: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
PID 3160: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
PID 1804: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /f
PID 2264: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f
PID 3856: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f
PID 820: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /f
PID 2788: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
PID 5236: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
PID 4840: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /f
PID 2596: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
PID 5684: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
PID 4016: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
PID 1944: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
PID 2396: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
PID 2252: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f
PID 1696: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
PID 3220: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
PID 1412: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
PID 1408: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 5760: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 2324: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
PID 3156: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
PID 3532: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
PID 2876: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\explorer.exe'" /f
PID 1296: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
PID 5072: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
PID 1200: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
PID 5060: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
PID 5344: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
PID 6016: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f
PID 5996: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
PID 4756: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
PID 4152: schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /f
PID 1568: schtasks.exe /create /tn "Containerreview" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
PID 5656: schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f

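Every target above borrows the name of a Windows system process (services.exe, dwm.exe, csrss.exe, smss.exe and so on) but lives outside System32: C:\Recovery\WindowsRE, C:\Windows\en-US, C:\Windows\TAPI, C:\Users\Public and similar. Two details matter for triage. First, /rl HIGHEST makes the task run with the highest privileges available to the registering account, so on an administrator account the copy relaunches elevated without a UAC prompt. Second, /f forces overwrite of an existing task with the same name, so the later "sysmon"/"sysmons" registrations (pointing at C:\Recovery\WindowsRE\sysmon.exe) and "services"/"servicess" registrations (pointing at the BrowserCore copy) replace the earlier ones for the TableTextService and WindowsRE copies; consistent with that, the executions listed further down include C:\Recovery\WindowsRE\sysmon.exe and the BrowserCore services.exe but neither superseded path. The following Python is an added example, not code from the sandbox or from the sample: it parses schtasks /create command lines of the kind found in process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing), groups them by target binary and flags the masquerade, run-level and schedule pattern. SAMPLE_CMDLINES repeats five command lines from the list above plus one constructed benign line; SYSTEM_PROCESS_NAMES and EXPECTED_DIRS are this example's own assumptions.

```python
"""Triage schtasks.exe /create command lines for masqueraded persistence.

Added example for this report, not code from the sandbox or the sample.
SAMPLE_CMDLINES repeats five command lines from the process tree and adds
one constructed benign line for contrast; SYSTEM_PROCESS_NAMES and
EXPECTED_DIRS are this example's own assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Process names the dropped copies borrow in the report (assumed reference list).
SYSTEM_PROCESS_NAMES = {
    "services.exe", "dwm.exe", "taskhostw.exe", "sihost.exe", "dllhost.exe",
    "spoolsv.exe", "sysmon.exe", "fontdrvhost.exe", "conhost.exe",
    "textinputhost.exe", "wmiprvse.exe", "csrss.exe", "explorer.exe", "smss.exe",
}

# Where those names legitimately live (assumption; compared case-insensitively).
EXPECTED_DIRS = {
    r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\system32\wbem",
}

# Extractors for the subset of schtasks /create syntax seen in the report.
# /tr is assumed to be quoted (schtasks accepts "'path'" as well as "path").
_FIELDS = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'/tr\s+["\']*([^"\']+)', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks_create(cmdline: str):
    """Return the task's fields, or None if this is not a schtasks /create call."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    task = {"name": None, "schedule": None, "modifier": None, "target": None,
            "runlevel": "LIMITED"}  # schtasks default when /rl is absent
    for key, rx in _FIELDS.items():
        m = rx.search(cmdline)
        if m:
            task[key] = m.group(1)
    return task


def assess(task: dict) -> list:
    """Explain why a parsed task matches the persistence pattern in the report."""
    findings = []
    target = PureWindowsPath(task["target"])
    if (target.name.lower() in SYSTEM_PROCESS_NAMES
            and str(target.parent).lower() not in EXPECTED_DIRS):
        findings.append(f"masquerade: {target.name} outside its usual directory")
    if task["runlevel"].upper() == "HIGHEST":
        findings.append("runs with highest privileges (/rl HIGHEST)")
    schedule = (task["schedule"] or "").upper()
    if schedule == "MINUTE":
        findings.append(f"relaunch every {task['modifier']} minute(s)")
    elif schedule == "ONLOGON":
        findings.append("relaunch at logon")
    return findings


def triage(cmdlines):
    """Group tasks by target binary so one dropped copy with N tasks shows up once."""
    by_target = defaultdict(lambda: {"tasks": 0, "findings": set()})
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None or task["target"] is None:
            continue
        entry = by_target[task["target"]]
        entry["tasks"] += 1
        entry["findings"].update(assess(task))
    return dict(by_target)


SAMPLE_CMDLINES = [
    # Five lines copied from the report's process tree.
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f''',
    # Constructed benign task for contrast (not from the report).
    r'''schtasks.exe /create /tn "NightlyCleanup" /sc DAILY /st 02:00 /tr "C:\Tools\cleanup.exe" /f''',
]

if __name__ == "__main__":
    for target, entry in triage(SAMPLE_CMDLINES).items():
        print(f"{target}: {entry['tasks']} task(s)")
        for finding in sorted(entry["findings"]):
            print(f"  - {finding}")
```

Grouping by target rather than by task name is deliberate: the report registers three tasks per copy and reuses some task names across copies, so counting task names would both inflate and conflate the findings. The benign DAILY task produces no findings because its binary name is not one a system process uses, which is the contrast a rule built on this logic needs to avoid flagging ordinary maintenance tasks.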
PID 6048 (depth 1): C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

PID 2104 (depth 1): C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4688 (depth 1): C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 3628 (depth 1): C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe

Dropped copies executing: 41 entries, all at tree depth 1, each carrying the signatures "Executes dropped EXE" and "Suspicious use of AdjustPrivilegeToken".

PID 1700: "C:\Recovery\WindowsRE\Containerreview.exe"
PID 3076: "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
PID 2744: "C:\Windows\en-US\dwm.exe"
PID 3848: "C:\Program Files\Windows Portable Devices\smss.exe"
PID 4940: "C:\Recovery\WindowsRE\sysmon.exe"
PID 4476: "C:\Recovery\WindowsRE\sihost.exe"
PID 732: "C:\Program Files\Internet Explorer\es-ES\conhost.exe"
PID 5208: "C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe"
PID 4288: "C:\Recovery\WindowsRE\TextInputHost.exe"
PID 5836: "C:\Recovery\WindowsRE\Containerreview.exe"
PID 4412: "C:\Users\Public\Downloads\WmiPrvSE.exe"
PID 4724: "C:\Windows\TAPI\explorer.exe"
PID 756: "C:\Windows\twain_32\taskhostw.exe"
PID 5440: "C:\Program Files (x86)\Microsoft\Edge\dllhost.exe"
PID 2668: "C:\Recovery\WindowsRE\csrss.exe"
PID 3188: "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
PID 5612: "C:\Windows\en-US\dwm.exe"
PID 5408: "C:\Users\Public\spoolsv.exe"
PID 4792: "C:\Program Files\Windows Portable Devices\smss.exe"
PID 3364: "C:\Recovery\WindowsRE\sysmon.exe"
PID 5208: "C:\Recovery\WindowsRE\sihost.exe"
PID 6120: "C:\Recovery\WindowsRE\Containerreview.exe"
PID 5160: "C:\Program Files\Internet Explorer\es-ES\conhost.exe"
PID 1844: "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
PID 748: "C:\Windows\en-US\dwm.exe"
PID 1484: "C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe"
PID 2032: "C:\Recovery\WindowsRE\TextInputHost.exe"
PID 5720: "C:\Program Files\Windows Portable Devices\smss.exe"
PID 1100: "C:\Recovery\WindowsRE\Containerreview.exe"
PID 2268: "C:\Users\Public\Downloads\WmiPrvSE.exe"
PID 5900: "C:\Recovery\WindowsRE\sysmon.exe"
PID 3864: "C:\Windows\TAPI\explorer.exe"
PID 4772: "C:\Windows\twain_32\taskhostw.exe"
PID 1560: "C:\Program Files (x86)\Microsoft\Edge\dllhost.exe"
PID 1600: "C:\Recovery\WindowsRE\csrss.exe"
PID 1556: "C:\Recovery\WindowsRE\sihost.exe"
PID 6012: "C:\Program Files\Internet Explorer\es-ES\conhost.exe"
PID 5916: "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
PID 5176: "C:\Users\Public\spoolsv.exe"
PID 5408: "C:\Windows\en-US\dwm.exe"
PID 3344: "C:\Recovery\WindowsRE\Containerreview.exe"
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 2.8MB
MD5: 5bef2af57cbc13bb14d4498de54173ba
SHA1: c936a7fcf0c9c5f57914017e20faffc893a978fc
SHA256: 83a62f59a57c32b11c4fa2c05271e2d81af82f64d0d857d9f41a4fcfd8c77fc1
SHA512: 36dcc541654646808e1388901c8595aff30507c98fa18db2e5de4ad66d6d8ac86141662fec9b371602a81662aeb289dab4ae3b7a42e2b35311f5023a049c84d7

Filesize: 2.8MB
MD5: 3b1ca38feef0aba734a8759adae7433d
SHA1: 9223483960c9556af38eceb9679a58185cfc6e5f
SHA256: 282136f623a6c80c52bc7ac230865dc4b385614c18d35b0c6c5f9f5cee4e48f6
SHA512: 6cb15edc12b1425a36511ee6a8fb20c27212d1f4ffef0e367fa8708b95efc44e9bb3f02455cfd8365253fadcf5df4f8fae73ba048b9eee1d770bcebcb262d6ef

Filesize: 2.8MB
MD5: 66cad8cbc6782679a4c02a5cc0437c7f
SHA1: 36f78a60efc2ba1e0ab28fba6c137def67eee69b
SHA256: 0db3435ec83d02950ad22c3f413f6f7878724ac5a02ebf233f63f8174aa47d9d
SHA512: 3e19bfaeb1bd147c6e2d45c5cb80ed714d29c4b8ed89cb570e2359d63f754f27585329cb80ab94dbe7ae1f245e4e983f6a50680b4f53a42e88fb84c53d6ce617

Filesize: 2.8MB
MD5: b83ff437fd78d56e4049bc3cb68f4c84
SHA1: e05748a07c1d058e95a8ee49978696c582cb3791
SHA256: eb952a94f5da8c8a8462d8707fb2c2c128094ae27d09c92fd7c91fd16b6624ed
SHA512: 81ce975853548f04fae1b04f1e6c58539fddf6b660838c9c4c3b713e5f17c5a9bb1b017e8905b4705e37c596585abd33c89f7efb2003c7a58521254e24e6944d

Filesize: 2.8MB
MD5: d044ad04da4d5b5941a9f360a90e5d3d
SHA1: cce7a89e37381c2067a4c065fe699e9b822414a6
SHA256: fb2aeeb85a5a64b433556ead01d7be5197fa7df444d0f693ea39a05905b6fa6e
SHA512: a0412a2bd174230d285e8b6440a37e98bed8a82293440ceaf6c9ea408259fbdb0e0fda994b41d494acb98cb6721d13a1cc082a47ab70bf9c06200adc47ca1692

Filesize: 2.8MB
MD5: d0e75858f62d9eafb6eeb76c7ca0d4ab
SHA1: 7722eee1e451cff3fb33f5c1cc6c91a1730b82d8
SHA256: 7b2c8e0377bf5e017c68500f1fb19b52b5304f64fca9b664dfa27bc400560a17
SHA512: 1a2f1c0f036baf40137528dd26f3c8612731847434daedb953cdc41222866a8bd48452e4125162af7aa8b8bc1908a2d15a65fd898a10a9606d0887ea88b2745f

Filesize: 2.8MB
MD5: 634359d7d2831979d76fab1f366131c0
SHA1: 543c00e6fd1799d967c16882cf2ada6527d417d7
SHA256: 071d9ad46543ddbe6df0570d114de7a0e3acda1d6c149d4747eb75c890d7b7ae
SHA512: 1e613c584bcaa48cc4350afde7bb779b5a79e67256fb52c4db782190178d646a000a0b57a4a35b97ba3c0d0eca3abb45754eb26ca60bd9d0045981dc06b32e1c

Filesize: 2.8MB
MD5: 08fbe97a9b1cad8f38092a6dbd5fc7d4
SHA1: 004709286843abecbe41faadfb7a3c5c018bde15
SHA256: f77e98afc6a6a9ff98c08815fc8aa32da3b5f669f3cac2a7e859c1d08a2f2ff7
SHA512: f25c66d01efae91316370bba7a8acc90312565c2c7df79c380a0f8a37efe0caa47ff2f4c0b8e2d3fc2561766fa1513095c5c67a02407b0758cedf1bd3b0bd380

Filesize: 2.8MB
MD5: 88fa8885cc5fc045d193857ac957d453
SHA1: 7340703773267db18f45bd0d2923e22e7877405f
SHA256: 8c5fdcf63f124670e5f9c8910b22f776a9bc8635d6bf034253587744ace42c35
SHA512: a33f0cf31c74b48619d1134e18cee174346e7db9af3078fb1c9130dd02c7974f415267c82975e0fc9a9db975bc520e8c9425c51a07d958a94dbf01be56a51e8d

Filesize: 2.8MB
MD5: 86d15cd6a08dbf072f314995124db7dd
SHA1: ac0935513fcc1a2559c32e9b2658518e3812f434
SHA256: 354e4735b5325911bcfcdb99daf07cb577f222c2437fb810ed02adf69cd705ee
SHA512: f04c1254288c63be4a29612a3ef46ea63a3f59a542284a949ee3dc02ce82c197f92c54dfdff82a81f4d3138acd67295ecf3e04e56a45ca4bd02fdc673531b3f3

Filesize: 2.8MB
MD5: cedfcfdc086a6986071042ad7301f6f0
SHA1: 50592dff8936a7c23968bfcf0d152d5d8d280004
SHA256: 176c714c5c89a926aa2eef847e5df346d665a3e32975f4ffa98faf49ba5ad939
SHA512: a45eb4c04ecfcc77e657e77a3ef973d1563e1fdee0e751927d805a3dd148b26e8a5203eb948ef67ea47f6fc7d529ae565fee36c23e3c8982793f2f59b2359cc5

Filesize: 2.8MB
MD5: d15dbe43c6f1bf6a410c2998b67fb321
SHA1: 1b564c1170ab5b3390333cb87cde670afab08000
SHA256: 72f61fc4f1295d2cfb7e9234c5c13ebe4d64496f41bc5e0d1338b817921709f7
SHA512: 8353362b620464cce30d587a04059ae94b4d5dfe71d7957b9068b1d34a8af65be88c8a3cf0faaebfef58b71774f8a35dcaaf9238ae82b984c2631b728763d02a

Filesize: 1KB
MD5: 340f7d929ebbc3218c7c80bb773799de
SHA1: d6246e1ec0a00c25283d12ca60108f6c8888bb1c
SHA256: 818c3b409a489f80f5ebc50338ea66ea8a4d90d3d35c4f41d37861dfdbd3da04
SHA512: 083198c6adc0b14dc6cc3ab9235450aa7ca3b49b5342949771d216f6cd2a82187f02665a803e9ad88064797b78aafdd1aac11f8da1442bfabb0ee72454841d56

Filesize: 1KB
MD5: b08c36ce99a5ed11891ef6fc6d8647e9
SHA1: db95af417857221948eb1882e60f98ab2914bf1d
SHA256: cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674
SHA512: 07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Filesize: 152B
MD5: f6126b3cef466f7479c4f176528a9348
SHA1: 87855913d0bfe2c4559dd3acb243d05c6d7e4908
SHA256: 588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4
SHA512: ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

Filesize: 152B
MD5: 6dda6e078b56bc17505e368f3e845302
SHA1: 45fbd981fbbd4f961bf72f0ac76308fc18306cba
SHA256: 591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15
SHA512: 9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
5KB
MD5498b30933946213f89b464edc96803e3
SHA10c706076cc4e9dbea4e7bde8ce7134c9357cb5a9
SHA25693c343c50743b259b42c95470647b5121a587f695be14dd7bb1098842f1bfd5c
SHA51260087876298fc3354d8600b5f2d7b19e0cfa0b3fe48a1e5005dd1fb9002ef4155223c4ae28ed3a985c1ed9ed41dbb07e9fed353c0afa7c360d18bc33a458187a
-
Filesize
5KB
MD563d51bccf9216c2d15e15a38c09157b2
SHA1c82db2078b94e5b77c3b192554e5d4d3d250dfc2
SHA25605d04e53f2cbdd0000d5d5b2be6faaf071d581bc7663461fcf971b62830194bf
SHA5126b752ea79237dfc84c1b3403bcc5ccd5941c0e42a30e047c80de79c96f8fa37d7aac6dbf287e24707896e86e9792518010aef2b2171f18b24b4f6dfaef2f2405
-
Filesize
5KB
MD5fea22d873f70905b1bf29680c3fa2e16
SHA116da06444188a71122938e0fa025383fd4043f68
SHA256d34d72f17310cfdaafb2363fc6a6fea75fba18ee0d0007c243d0e518b376a9aa
SHA512ccd91d0a9b9e0313f8bee0c46270523bcf09c4dadd784679ac67ee865e54778505f5da8c57e8aaef33ec61cfa56a976563bd75e9ce60f5e8503df9c96368333b
-
Filesize
24KB
MD590cc75707c7f427e9bbc8e0553500b46
SHA19034bdd7e7259406811ec8b5b7ce77317b6a2b7e
SHA256f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb
SHA5127ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511
-
Filesize
24KB
MD50d8c8c98295f59eade1d8c5b0527a5c2
SHA1038269c6a2c432c6ecb5b236d08804502e29cde0
SHA2569148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721
SHA512885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c06f75c1-c396-433e-8646-fbf660e374cf.tmp
Filesize4KB
MD5c7dd907e69e89c42a821a6c7c3a25317
SHA10db15015c820092b4487de3acdcdf9b7a1b69727
SHA256b075ac643bc8b21d18068cd3a8aa10ee24795f3ddefb976c0517ff1d2b5aa5f3
SHA512da4eadd0888f2ff4ad039d3ca677520d2df1bb15d7df52de86f6d12efe58a3e8e1781ff1ae6e6f5e3911cb51acc55e14bc47a9d678f862396db7574964afd572
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d124cd4a-7996-4f96-8114-23ffc5254306.tmp
Filesize5KB
MD5694b6d0434ccdf1fa81bd43bcc48ff9b
SHA16d10d53b1c84b54b43dd9d4d1bd5622490b60827
SHA256764229ab3139f21b766eb886b866b0625fed3354dce1cf492c82d07c8a9f32ba
SHA5121ecce7d1d2c72cf85a16d3a0c96137ff4fa77971711b70696412cbf09d0cb62291c812107c523f2196430f790b2720bbeaae878dc6dc23706fab2cff0413df1e
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD57023fd7082495bed121f88219bb33313
SHA12cfd3463080b106345c613d2aab21950d8feb39a
SHA256c50e5a49af9b006fd645fd5249a0c18d6813a55df0015b5f64f1b054c3e8dc55
SHA512612e3a890de555910eaaa350d299b0e4777fdbf46fcaa853ecd2534349099c4e972a6a11edf186889e50727b73c332b564be17b7002ae619cdd34021175742b9
-
Filesize
490B
MD5ea0929d3405052d8d7edd8cee593f52d
SHA1b9ecb359b62fac2cbe84c3e8c509cc086c308675
SHA256441840af30cd8c8aa4b348e38c4d3673d1a6115b6da3a0ea452ae3e07a934b43
SHA512fb109c22b28dbf31c944d2c864e2029838a08cad4b6ec18388bbcaeca32c42f13d67249b96df0481bdc573250ea332b16e060c39a6c3bd708cde8906006a4494
-
Filesize
714B
MD5e0841374114f72d15bd6746c386480fd
SHA197b5007646d919eb7f90a8f383b6aa42666fa6b8
SHA25629314dd682c81307291a6e0cb08dd8ccf694319e4a2864d51845db3a4255a6a1
SHA5127d8b42d3a283ed0e74909e4078b362cbaad8635881331177c54f09bf9094821ff8f68f38c6939d7d9b5fbb7a078c5e7aa2ff8a385b6e85ae848b90fa8f585a6a
-
Filesize
203B
MD5a9783b37c204301b977bc106f1e4ecdb
SHA1869c54ca4414acfb03dcdf4f614d6e7fb8351500
SHA25675a8d0fd4670b8010edaba8c717db0e742670b67c2ecb700c1adf85dc3dfe557
SHA512b1814e6a54c0379fc8f734fbccf33319dcda653d93206ba9a46f3d2a12d1c7196a4931f9e3e3a8b37c53158973af7ad6c5655e7de7bf146aefaeb3a5cbdfd73b
-
Filesize
2.8MB
MD5e5cc3d0de29f576e27666e7c6738a584
SHA129bb5d5edfa88565a2ef1b30ca3921167e5fb637
SHA256eec25bbb0c3ea26e79b4162e8b1a1aa42b9f6b83d2fc710865001cf8750fe24b
SHA512dfd555f50e1dbf31dfce1f95167911697409b4586a25cf4fb88cda430ffc5ac2d2273e12678a7f9cdf26b4909f1d6022497d8c351ea0ba94b34f1085c53bc8fa
-
Filesize
224B
MD5980b8c4323c6a30adefa83e5889189eb
SHA1da4a52e22d8f64ac9e7b86a48100af08aed9ba6b
SHA25620b473780053528b67968274f63a4fd23cbf74e019b7532e0acb5d5b9fdaa2d4
SHA5122c82f4449d8aad3b41eea51771149b6b7f2eb64f995b7589f8f195274d3c1faa05fcb179c5bb1fc3f0589d4f4725d78cd63f33b55fe173c10137ee5b3dcc837d
-
Filesize
159B
MD53765c22496f7fd5eabd91a49ef3156dd
SHA1d4f01e65b1f02fa044042350660cf7786fb708b8
SHA25621bced2882fcd08eddd626fcfd74964fb4387ce489d6a42d382c016f05b36564
SHA5127d74455d1b9ce74efb82be9c1b8ca1b0c4d887a0a7c3afe1b2a39652c2fe1331ac16d564c0e4bf2ce6c5b0fb3650b9a5506c9fb322cbb069f30b1a09d0889a00
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD562ac46fcb3887294e8ca254304c2e82a
SHA165cbc85565774a8735c195c6a1ba8e80e4de5c95
SHA256dc0d719fe93d638f574acece05f8501b06629ec83a84169ead0717a865a1a6e7
SHA51292f6fd926dace1ef21dd8723a16d63e3f1b7425cb058cc3d8f75718072655a24c2f4a30fcf81b71ed2b9f3370c46cdfff91ffae9f9c7d172026a239197ce39dc
-
Filesize
2.8MB
MD5f916e44f77e2952fabc6541f5d3b9166
SHA18f8e12cc856bbcf0ad8879dfc7048a65de24c542
SHA2565a9007bf1f34853635047668b8e45108a0a5466c47ea2dab679547e32ed530d3
SHA512e0cc1933625e01b9375bea14a19284d2fcc257ed545953717e86050bae10ae9243db8d825fb7f1f3320c4b720cde96e7d69c847c5a3e0fa306ca4b274e70cebd
-
Filesize
2.8MB
MD53870e789c691b75f814ba02cce4850ac
SHA145552ee885e50c662321675295eaba36e5e485e3
SHA256733c4d081abf997bd21da095cf6583dad6947579e2780898b951b55c2388dea8
SHA512fa3f6ee90be00979114185f2912cbad43f2a632998b4bad0d3db91158037a27ade5d988b6935c96d4339047b1852bd00f74c646fc843a93c0277a68714098847
-
Filesize
2.8MB
MD5329c70803b821ed052b1d76af85946d2
SHA15dc1e75b38c49117142ffc278119b75ec52346e5
SHA25656fd84508d5dd1e95e283ea27ee123b3bc08b98b21d527769dc55d76fbe6fe18
SHA512dec7c6ef6c1c31100b8ae237054eca39c1783c793caa3b2760758326cb646b599700ce66fafea2e31fa36f45308026c79f8815dcf0530333ebd3924a3786fa5a
-
Filesize
2.8MB
MD5db8231dc1ea5d2f4d338aaa361f71000
SHA1867dca202548b6fc3cea188fee02948c522df996
SHA256f90ac8d9d9614dd017cb16d3bc659033c040deef0452237c1c5475e822b00927
SHA51245692c2f7dbb97ec34aa78b394de360140b692dc74f0bae68c082b51c98e6c9718494e80ee9c28521ea428f31b690dfd42e2a5758f3e5e6b6e54b48e5ade9c80
-
Filesize
2.8MB
MD5ce73e58739721618a64eb5f5b2fa5eae
SHA1b69852ea44d02049af75d27bb3515de7920c7726
SHA256d61c8831023871285907c2d687d134d970767a2b22e7a85dc98c43bb23df91b7
SHA5123e3142d81b9d621233914cf2e1d7f447fd669b6ce244c4419170061ffae515226fb1fb011e5f805eb8e20f18485afb1f8850910e19d63e606478d656d37bd41a