dcrat | 15ba1de7e069b6615cc13a43cc2b50426065e92e018066b0e3a3af43bba522ee

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

DCRat payload 34 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00280000000450e2-13.dat	dcrat
behavioral1/memory/5456-16-0x0000000000220000-0x0000000000500000-memory.dmp	dcrat
behavioral1/files/0x00280000000451cb-73.dat	dcrat
behavioral1/files/0x002a0000000451cd-88.dat	dcrat
behavioral1/files/0x00290000000451d0-111.dat	dcrat
behavioral1/files/0x002a00000004514f-119.dat	dcrat
behavioral1/files/0x002f00000004516c-143.dat	dcrat
behavioral1/files/0x002800000004519b-151.dat	dcrat
behavioral1/files/0x002b0000000451a0-159.dat	dcrat
behavioral1/files/0x00290000000451af-166.dat	dcrat
behavioral1/files/0x002b0000000451ac-174.dat	dcrat
behavioral1/files/0x002a0000000451b2-182.dat	dcrat
behavioral1/files/0x00290000000451bc-197.dat	dcrat
behavioral1/memory/2768-210-0x00000000009C0000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/1700-498-0x0000000000330000-0x0000000000610000-memory.dmp	dcrat
behavioral1/files/0x002a0000000451b5-508.dat	dcrat
behavioral1/memory/3076-510-0x0000000000880000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/files/0x0029000000045106-511.dat	dcrat
behavioral1/memory/2744-513-0x0000000000AE0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/3848-518-0x0000000000940000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/4940-521-0x0000000000BA0000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/files/0x002a000000045110-535.dat	dcrat
behavioral1/files/0x0027000000045198-537.dat	dcrat
behavioral1/memory/4476-538-0x0000000000840000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/732-540-0x0000000000E90000-0x0000000001170000-memory.dmp	dcrat
behavioral1/files/0x00280000000451d2-543.dat	dcrat
behavioral1/memory/5208-545-0x0000000000D20000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/4288-548-0x00000000005D0000-0x00000000008B0000-memory.dmp	dcrat
behavioral1/memory/4724-555-0x0000000000B10000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/files/0x0029000000045146-562.dat	dcrat
behavioral1/memory/756-560-0x00000000000F0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/5440-563-0x0000000000720000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2668-566-0x00000000008B0000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/5408-576-0x0000000000360000-0x0000000000640000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	bot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Containerreview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 43 IoCs

pid	Process
5456	Containerreview.exe
2768	WmiPrvSE.exe
1700	Containerreview.exe
3076	services.exe
2744	dwm.exe
3848	smss.exe
4940	sysmon.exe
4476	sihost.exe
732	conhost.exe
5208	fontdrvhost.exe
4288	TextInputHost.exe
5836	Containerreview.exe
4412	WmiPrvSE.exe
4724	explorer.exe
756	taskhostw.exe
5440	dllhost.exe
2668	csrss.exe
3188	services.exe
5612	dwm.exe
5408	spoolsv.exe
4792	smss.exe
3364	sysmon.exe
5208	sihost.exe
6120	Containerreview.exe
5160	conhost.exe
1844	services.exe
748	dwm.exe
1484	fontdrvhost.exe
2032	TextInputHost.exe
5720	smss.exe
1100	Containerreview.exe
2268	WmiPrvSE.exe
5900	sysmon.exe
3864	explorer.exe
4772	taskhostw.exe
1560	dllhost.exe
1600	csrss.exe
1556	sihost.exe
6012	conhost.exe
5916	services.exe
5176	spoolsv.exe
5408	dwm.exe
3344	Containerreview.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Containerreview.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\RCX5F2.tmp	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe	Containerreview.exe
File opened for modification	C:\Program Files\Windows Portable Devices\smss.exe	Containerreview.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e7ed6e98-679d-4b15-a172-80d7272ad716.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241103210140.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\dllhost.exe	Containerreview.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\5b884080fd4f94	Containerreview.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	Containerreview.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCX10D7.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX2400.tmp	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB06.tmp	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB84.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\RCXDA7.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX20EF.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX216D.tmp	Containerreview.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\dllhost.exe	Containerreview.exe
File created	C:\Program Files\Internet Explorer\es-ES\conhost.exe	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\RCX574.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\RCXE45.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCX1059.tmp	Containerreview.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\conhost.exe	Containerreview.exe
File created	C:\Program Files\Internet Explorer\es-ES\088424020bedd6	Containerreview.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\services.exe	Containerreview.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX2382.tmp	Containerreview.exe
File created	C:\Program Files (x86)\Microsoft\Edge\5940a34987c991	Containerreview.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe	Containerreview.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\121e5b5079f7c0	Containerreview.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	Containerreview.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\c5b4cb5e9653cc	Containerreview.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe	Containerreview.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\services.exe	Containerreview.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\en-US\6cb0b6c459d5d3	Containerreview.exe
File created	C:\Windows\twain_32\taskhostw.exe	Containerreview.exe
File created	C:\Windows\twain_32\ea9f0e6c9e2dcd	Containerreview.exe
File opened for modification	C:\Windows\en-US\RCXFC56.tmp	Containerreview.exe
File opened for modification	C:\Windows\en-US\dwm.exe	Containerreview.exe
File opened for modification	C:\Windows\twain_32\RCXFFA3.tmp	Containerreview.exe
File opened for modification	C:\Windows\twain_32\taskhostw.exe	Containerreview.exe
File created	C:\Windows\en-US\dwm.exe	Containerreview.exe
File opened for modification	C:\Windows\TAPI\RCX1EEB.tmp	Containerreview.exe
File opened for modification	C:\Windows\TAPI\explorer.exe	Containerreview.exe
File created	C:\Windows\TAPI\7a0fd90576e088	Containerreview.exe
File opened for modification	C:\Windows\twain_32\RCX6F.tmp	Containerreview.exe
File created	C:\Windows\TAPI\explorer.exe	Containerreview.exe
File opened for modification	C:\Windows\en-US\RCXFCE3.tmp	Containerreview.exe
File opened for modification	C:\Windows\TAPI\RCX1E6D.tmp	Containerreview.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	Containerreview.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	bot.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
6132	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2532	schtasks.exe
1804	schtasks.exe
3532	schtasks.exe
6016	schtasks.exe
1408	schtasks.exe
2324	schtasks.exe
1296	schtasks.exe
3000	schtasks.exe
3856	schtasks.exe
820	schtasks.exe
2596	schtasks.exe
1696	schtasks.exe
5072	schtasks.exe
4152	schtasks.exe
2876	schtasks.exe
5276	schtasks.exe
2432	schtasks.exe
2788	schtasks.exe
4016	schtasks.exe
2252	schtasks.exe
2396	schtasks.exe
3172	schtasks.exe
5608	schtasks.exe
5560	schtasks.exe
4760	schtasks.exe
4564	schtasks.exe
1944	schtasks.exe
3220	schtasks.exe
1412	schtasks.exe
1200	schtasks.exe
3156	schtasks.exe
4756	schtasks.exe
5656	schtasks.exe
1104	schtasks.exe
2372	schtasks.exe
5244	schtasks.exe
2264	schtasks.exe
5684	schtasks.exe
4456	schtasks.exe
5236	schtasks.exe
5060	schtasks.exe
5344	schtasks.exe
1568	schtasks.exe
4840	schtasks.exe
5760	schtasks.exe
5996	schtasks.exe
5308	schtasks.exe
5228	schtasks.exe
3916	schtasks.exe
5800	schtasks.exe
3160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe
5456	Containerreview.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	WmiPrvSE.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe
2788	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	5456	Containerreview.exe
Token: SeDebugPrivilege	2768	WmiPrvSE.exe
Token: SeBackupPrivilege	6048	vssvc.exe
Token: SeRestorePrivilege	6048	vssvc.exe
Token: SeAuditPrivilege	6048	vssvc.exe
Token: SeDebugPrivilege	1700	Containerreview.exe
Token: SeDebugPrivilege	3076	services.exe
Token: SeDebugPrivilege	2744	dwm.exe
Token: SeDebugPrivilege	3848	smss.exe
Token: SeDebugPrivilege	4940	sysmon.exe
Token: SeDebugPrivilege	4476	sihost.exe
Token: SeDebugPrivilege	732	conhost.exe
Token: SeDebugPrivilege	5208	fontdrvhost.exe
Token: SeDebugPrivilege	4288	TextInputHost.exe
Token: SeDebugPrivilege	5836	Containerreview.exe
Token: SeDebugPrivilege	4412	WmiPrvSE.exe
Token: SeDebugPrivilege	4724	explorer.exe
Token: SeDebugPrivilege	5440	dllhost.exe
Token: SeDebugPrivilege	756	taskhostw.exe
Token: SeDebugPrivilege	2668	csrss.exe
Token: SeDebugPrivilege	3188	services.exe
Token: SeDebugPrivilege	5612	dwm.exe
Token: SeDebugPrivilege	5408	spoolsv.exe
Token: SeDebugPrivilege	4792	smss.exe
Token: SeDebugPrivilege	3364	sysmon.exe
Token: SeDebugPrivilege	5208	sihost.exe
Token: SeDebugPrivilege	6120	Containerreview.exe
Token: SeDebugPrivilege	5160	conhost.exe
Token: SeDebugPrivilege	1844	services.exe
Token: SeDebugPrivilege	748	dwm.exe
Token: SeDebugPrivilege	1484	fontdrvhost.exe
Token: SeDebugPrivilege	2032	TextInputHost.exe
Token: SeDebugPrivilege	5720	smss.exe
Token: SeDebugPrivilege	1100	Containerreview.exe
Token: SeDebugPrivilege	2268	WmiPrvSE.exe
Token: SeDebugPrivilege	5900	sysmon.exe
Token: SeDebugPrivilege	3864	explorer.exe
Token: SeDebugPrivilege	4772	taskhostw.exe
Token: SeDebugPrivilege	1560	dllhost.exe
Token: SeDebugPrivilege	1600	csrss.exe
Token: SeDebugPrivilege	1556	sihost.exe
Token: SeDebugPrivilege	6012	conhost.exe
Token: SeDebugPrivilege	5916	services.exe
Token: SeDebugPrivilege	5176	spoolsv.exe
Token: SeDebugPrivilege	5408	dwm.exe
Token: SeDebugPrivilege	3344	Containerreview.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5304 wrote to memory of 1160	5304	bot.exe	81
PID 5304 wrote to memory of 1160	5304	bot.exe	81
PID 5304 wrote to memory of 1160	5304	bot.exe	81
PID 1160 wrote to memory of 5008	1160	WScript.exe	88
PID 1160 wrote to memory of 5008	1160	WScript.exe	88
PID 1160 wrote to memory of 5008	1160	WScript.exe	88
PID 5008 wrote to memory of 5456	5008	cmd.exe	90
PID 5008 wrote to memory of 5456	5008	cmd.exe	90
PID 5456 wrote to memory of 4044	5456	Containerreview.exe	144
PID 5456 wrote to memory of 4044	5456	Containerreview.exe	144
PID 5008 wrote to memory of 6132	5008	cmd.exe	146
PID 5008 wrote to memory of 6132	5008	cmd.exe	146
PID 5008 wrote to memory of 6132	5008	cmd.exe	146
PID 4044 wrote to memory of 4228	4044	cmd.exe	147
PID 4044 wrote to memory of 4228	4044	cmd.exe	147
PID 4044 wrote to memory of 2768	4044	cmd.exe	149
PID 4044 wrote to memory of 2768	4044	cmd.exe	149
PID 2768 wrote to memory of 5040	2768	WmiPrvSE.exe	150
PID 2768 wrote to memory of 5040	2768	WmiPrvSE.exe	150
PID 2768 wrote to memory of 5944	2768	WmiPrvSE.exe	151
PID 2768 wrote to memory of 5944	2768	WmiPrvSE.exe	151
PID 2768 wrote to memory of 2788	2768	WmiPrvSE.exe	157
PID 2768 wrote to memory of 2788	2768	WmiPrvSE.exe	157
PID 2788 wrote to memory of 4444	2788	msedge.exe	158
PID 2788 wrote to memory of 4444	2788	msedge.exe	158
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159
PID 2788 wrote to memory of 3100	2788	msedge.exe	159

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bot.exe
"C:\Users\Admin\AppData\Local\Temp\bot.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe
      "C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5456
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g8OmkPCg94.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4228
      - C:\Users\Public\Downloads\WmiPrvSE.exe
        
        "C:\Users\Public\Downloads\WmiPrvSE.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4006af5-44eb-4125-bc45-efa280e0d481.vbs"
        7⤵
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b97db559-b74a-47df-83f2-a316bb976443.vbs"
        7⤵
        
        PID:5944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12941/
        7⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdd04746f8,0x7ffdd0474708,0x7ffdd0474718
        8⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        8⤵
        
        PID:3100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        8⤵
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
        8⤵
        
        PID:3716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        8⤵
        
        PID:4472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        8⤵
        
        PID:1480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
        8⤵
        
        PID:4460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
        8⤵
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
        8⤵
        
        PID:4828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        8⤵
        Drops file in Program Files directory
        
        PID:516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff70bb55460,0x7ff70bb55470,0x7ff70bb55480
        9⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
        8⤵
        
        PID:928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
        8⤵
        
        PID:5424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
        8⤵
        
        PID:544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
        8⤵
        
        PID:3200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
        8⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
        8⤵
        
        PID:1400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
        8⤵
        
        PID:1072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:2
        8⤵
        
        PID:3816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
        8⤵
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
        8⤵
        
        PID:552
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:6132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\twain_32\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Containerreview" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3628

C:\Recovery\WindowsRE\Containerreview.exe
"C:\Recovery\WindowsRE\Containerreview.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\en-US\dwm.exe
"C:\Windows\en-US\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Program Files\Windows Portable Devices\smss.exe
"C:\Program Files\Windows Portable Devices\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Program Files\Internet Explorer\es-ES\conhost.exe
"C:\Program Files\Internet Explorer\es-ES\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe
"C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Recovery\WindowsRE\TextInputHost.exe
"C:\Recovery\WindowsRE\TextInputHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Recovery\WindowsRE\Containerreview.exe
"C:\Recovery\WindowsRE\Containerreview.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Users\Public\Downloads\WmiPrvSE.exe
"C:\Users\Public\Downloads\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\TAPI\explorer.exe
"C:\Windows\TAPI\explorer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\twain_32\taskhostw.exe
"C:\Windows\twain_32\taskhostw.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Program Files (x86)\Microsoft\Edge\dllhost.exe
"C:\Program Files (x86)\Microsoft\Edge\dllhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\en-US\dwm.exe
"C:\Windows\en-US\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5612

C:\Users\Public\spoolsv.exe
"C:\Users\Public\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Program Files\Windows Portable Devices\smss.exe
"C:\Program Files\Windows Portable Devices\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Recovery\WindowsRE\Containerreview.exe
"C:\Recovery\WindowsRE\Containerreview.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Program Files\Internet Explorer\es-ES\conhost.exe
"C:\Program Files\Internet Explorer\es-ES\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\en-US\dwm.exe
"C:\Windows\en-US\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe
"C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Recovery\WindowsRE\TextInputHost.exe
"C:\Recovery\WindowsRE\TextInputHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Program Files\Windows Portable Devices\smss.exe
"C:\Program Files\Windows Portable Devices\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5720

C:\Recovery\WindowsRE\Containerreview.exe
"C:\Recovery\WindowsRE\Containerreview.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Users\Public\Downloads\WmiPrvSE.exe
"C:\Users\Public\Downloads\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\TAPI\explorer.exe
"C:\Windows\TAPI\explorer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\twain_32\taskhostw.exe
"C:\Windows\twain_32\taskhostw.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files (x86)\Microsoft\Edge\dllhost.exe
"C:\Program Files (x86)\Microsoft\Edge\dllhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Recovery\WindowsRE\sihost.exe
"C:\Recovery\WindowsRE\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Program Files\Internet Explorer\es-ES\conhost.exe
"C:\Program Files\Internet Explorer\es-ES\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5916

C:\Users\Public\spoolsv.exe
"C:\Users\Public\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Windows\en-US\dwm.exe
"C:\Windows\en-US\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Recovery\WindowsRE\Containerreview.exe
"C:\Recovery\WindowsRE\Containerreview.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery