Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3fa967e458...0N.exe

windows7-x64

10

3fa967e458...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/09/2024, 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fa967e458d7f812686b7576df2f8610N.exe

  • Size

    4.9MB

  • MD5

    3fa967e458d7f812686b7576df2f8610

  • SHA1

    026e534665614441cba339ff25e6cf9228a2c0ce

  • SHA256

    c1c0a02ee81af5dc6bb325de5e87983afc7817454a9b496858651fc49cc6069c

  • SHA512

    763e9f9f3a046759c416bb7fed4329ae1c4f420a53f7f3fc34dc87b931e531ee6a6c9c8605156485c4b305a297fd075667f38f81d10bff9f847ecbbe29cb976d

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 32 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fa967e458d7f812686b7576df2f8610N.exe
    "C:\Users\Admin\AppData\Local\Temp\3fa967e458d7f812686b7576df2f8610N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:556
    • C:\Users\Admin\AppData\Local\Temp\tmp788E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp788E.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Users\Admin\AppData\Local\Temp\tmp788E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp788E.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ZWvxtVz9f.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4504
        • C:\Recovery\WindowsRE\csrss.exe
          "C:\Recovery\WindowsRE\csrss.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2832
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a23434a-e83d-48b3-be51-dc267738b706.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Recovery\WindowsRE\csrss.exe
              C:\Recovery\WindowsRE\csrss.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1976
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a508f9eb-fbe2-4b03-8445-964d50048e80.vbs"
                6⤵
                  PID:2056
                  • C:\Recovery\WindowsRE\csrss.exe
                    C:\Recovery\WindowsRE\csrss.exe
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:4636
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76a618b9-b0ca-4879-99d1-c003b7689144.vbs"
                      8⤵
                        PID:2804
                        • C:\Recovery\WindowsRE\csrss.exe
                          C:\Recovery\WindowsRE\csrss.exe
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:1692
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50c7f7ad-d677-4e57-82c2-fe245d129975.vbs"
                            10⤵
                              PID:4968
                              • C:\Recovery\WindowsRE\csrss.exe
                                C:\Recovery\WindowsRE\csrss.exe
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:1912
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\039ca3b2-bc8e-49b2-bfe9-977a4da68e96.vbs"
                                  12⤵
                                    PID:1076
                                    • C:\Recovery\WindowsRE\csrss.exe
                                      C:\Recovery\WindowsRE\csrss.exe
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:1648
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6edf3c49-a5b5-4d34-b429-c69b5eaf911f.vbs"
                                        14⤵
                                          PID:2616
                                          • C:\Recovery\WindowsRE\csrss.exe
                                            C:\Recovery\WindowsRE\csrss.exe
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:4636
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1a991b5-7694-45c4-b145-c943c952e1e0.vbs"
                                              16⤵
                                                PID:1144
                                                • C:\Recovery\WindowsRE\csrss.exe
                                                  C:\Recovery\WindowsRE\csrss.exe
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:3476
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b34c6baa-9025-4274-8202-3bec2daf7a53.vbs"
                                                    18⤵
                                                      PID:1188
                                                      • C:\Recovery\WindowsRE\csrss.exe
                                                        C:\Recovery\WindowsRE\csrss.exe
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:2692
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429a04df-1183-4aaf-8cae-9c1199c51e6b.vbs"
                                                          20⤵
                                                            PID:4480
                                                            • C:\Recovery\WindowsRE\csrss.exe
                                                              C:\Recovery\WindowsRE\csrss.exe
                                                              21⤵
                                                              • UAC bypass
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:3688
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88519f2e-2d14-4f63-8287-2b4e282a89bb.vbs"
                                                                22⤵
                                                                  PID:3968
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b2ca50-7a27-48d6-a08e-4a0b9ea1919a.vbs"
                                                                  22⤵
                                                                    PID:5032
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\118fe075-01a5-4379-84da-ab92a0149929.vbs"
                                                                20⤵
                                                                  PID:808
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp1553.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp1553.tmp.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4512
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp1553.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp1553.tmp.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    PID:1728
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aadaca08-d3ff-4715-8e04-27d20d4de6d9.vbs"
                                                              18⤵
                                                                PID:392
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2748
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3536
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2152
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpE49E.tmp.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      PID:2404
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c9b901c-291a-4de2-8251-808ba7ca96c1.vbs"
                                                            16⤵
                                                              PID:4220
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpB34D.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpB34D.tmp.exe"
                                                              16⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2804
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpB34D.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpB34D.tmp.exe"
                                                                17⤵
                                                                • Executes dropped EXE
                                                                PID:2868
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb43bf2c-bf36-4190-b540-76b6090bee3c.vbs"
                                                          14⤵
                                                            PID:884
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp971B.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp971B.tmp.exe"
                                                            14⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4452
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp971B.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp971B.tmp.exe"
                                                              15⤵
                                                              • Executes dropped EXE
                                                              PID:5036
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f18c4a0-2990-49f9-aa81-844ce192883d.vbs"
                                                        12⤵
                                                          PID:4808
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp64FE.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp64FE.tmp.exe"
                                                          12⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4864
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp64FE.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp64FE.tmp.exe"
                                                            13⤵
                                                            • Executes dropped EXE
                                                            PID:1624
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9871279-667f-4747-9523-a757d1eb41fc.vbs"
                                                      10⤵
                                                        PID:1776
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"
                                                        10⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:388
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp46E7.tmp.exe"
                                                          11⤵
                                                          • Executes dropped EXE
                                                          PID:4816
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efe6c854-83fb-4850-bb62-451af759e0aa.vbs"
                                                    8⤵
                                                      PID:2572
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpEE48.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpEE48.tmp.exe"
                                                      8⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3064
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpEE48.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpEE48.tmp.exe"
                                                        9⤵
                                                        • Executes dropped EXE
                                                        PID:812
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcee0053-0f0e-412e-b6de-47d51b1050a8.vbs"
                                                  6⤵
                                                    PID:4896
                                                  • C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3004
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe"
                                                      7⤵
                                                      • Executes dropped EXE
                                                      PID:4128
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec91756e-10c0-4067-9f63-70be14abc98c.vbs"
                                                4⤵
                                                  PID:3744
                                                • C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe"
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1704
                                                  • C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    PID:3012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1864
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2080
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4220

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhostw.exe
                                            Filesize

                                            4.9MB

                                            MD5

                                            3fa967e458d7f812686b7576df2f8610

                                            SHA1

                                            026e534665614441cba339ff25e6cf9228a2c0ce

                                            SHA256

                                            c1c0a02ee81af5dc6bb325de5e87983afc7817454a9b496858651fc49cc6069c

                                            SHA512

                                            763e9f9f3a046759c416bb7fed4329ae1c4f420a53f7f3fc34dc87b931e531ee6a6c9c8605156485c4b305a297fd075667f38f81d10bff9f847ecbbe29cb976d

                                            Download Submit

                                          • C:\Recovery\WindowsRE\csrss.exe
                                            Filesize

                                            4.9MB

                                            MD5

                                            70c8ffdd9b442e7d83a2e0ebf8e01c79

                                            SHA1

                                            9958995f793b3e412fb2c604055ececc8d871db6

                                            SHA256

                                            09a27da6a18d8c9d8b0108e84bc659c827c1ffea969e211686a4fe81da1b9969

                                            SHA512

                                            a5e2e986e14c99768b1b95d5b59cb716e16238815896320c50adf9ff6a4f5b55d49aea86a80052cb0edfbf0f31d6d5f317d9ebab7cb7e6dc12da49a7f602fff7

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
                                            Filesize

                                            1KB

                                            MD5

                                            4a667f150a4d1d02f53a9f24d89d53d1

                                            SHA1

                                            306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                            SHA256

                                            414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                            SHA512

                                            4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            2e907f77659a6601fcc408274894da2e

                                            SHA1

                                            9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                            SHA256

                                            385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                            SHA512

                                            34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            4d8567f2d1c8a09bbfe613145bf78577

                                            SHA1

                                            f2af10d629e6d7d2ecec76c34bd755ecf61be931

                                            SHA256

                                            7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

                                            SHA512

                                            89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            5f0ddc7f3691c81ee14d17b419ba220d

                                            SHA1

                                            f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                            SHA256

                                            a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                            SHA512

                                            2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            3a6bad9528f8e23fb5c77fbd81fa28e8

                                            SHA1

                                            f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                            SHA256

                                            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                            SHA512

                                            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            d28a889fd956d5cb3accfbaf1143eb6f

                                            SHA1

                                            157ba54b365341f8ff06707d996b3635da8446f7

                                            SHA256

                                            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                            SHA512

                                            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            bd5940f08d0be56e65e5f2aaf47c538e

                                            SHA1

                                            d7e31b87866e5e383ab5499da64aba50f03e8443

                                            SHA256

                                            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                            SHA512

                                            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\039ca3b2-bc8e-49b2-bfe9-977a4da68e96.vbs
                                            Filesize

                                            707B

                                            MD5

                                            eae4660664edcb8695ae3846f7205830

                                            SHA1

                                            02a95da0168923779e33fb62ad4815c072cb42ac

                                            SHA256

                                            ba6cbdd5d4a6b2c2f004effcce10ea706aebd82fcf2c11efbec4d2d8a919a0d9

                                            SHA512

                                            687bb0212bcc547500b215b8e5cfac586b687bdca77dfc4834e52afac14f03a4bf5e2092232387a98edd2d1b35e4b2272595154b98ac846e7b9cb218df8a421d

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\50c7f7ad-d677-4e57-82c2-fe245d129975.vbs
                                            Filesize

                                            707B

                                            MD5

                                            26e77a994374b91be5b6786991488d00

                                            SHA1

                                            23f9140e064c32f92fecaa9555ce881ccd53a59c

                                            SHA256

                                            b9e38c9f510df4dfb41450ec5e8ddd51b3d09aff1868c52404a9ee9fbf00921b

                                            SHA512

                                            a05a0a344afabd5c792437dc856dcdc7eb14cd5357060b2dfbea2a83d801c21114d717a9d30ccdf627cf4399422e2f683f426ca79ac51aa235830491b840855c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\6edf3c49-a5b5-4d34-b429-c69b5eaf911f.vbs
                                            Filesize

                                            707B

                                            MD5

                                            e5fcdced7e3ac74aa44de01baba98864

                                            SHA1

                                            139bbf1f1d1e381bde662965a9710970dc6b4d5d

                                            SHA256

                                            bd8dbc35a0354d99a8c66ae5bc426b4ad081e254e9116ae4f84141efcf2853f9

                                            SHA512

                                            c84d7c9327ec5ab5ec682a08d1e3049b35dc027e2312ceea97529d64c25ce7464ea0c98bf10114f30cea19e8a58d46d80f8a65a098b246be6f0d84481563872d

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\76a618b9-b0ca-4879-99d1-c003b7689144.vbs
                                            Filesize

                                            707B

                                            MD5

                                            c1e30855220ddb11f07e8ca5c2b0064f

                                            SHA1

                                            04522a094729452bd960fa7e190177a88ae3bdaf

                                            SHA256

                                            010ee10fc9c7e881a12542db318efdc18df973bd798b23e26b28528b8e9bf632

                                            SHA512

                                            357bae6d0b6c8f9cfa7aa573d6ec35a3c7e217e4e9df5f44b586c0e29d0308f111a3409a4fb0648347f444f0387007033378501d06d948cc20b6e2703e9fa690

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\7ZWvxtVz9f.bat
                                            Filesize

                                            196B

                                            MD5

                                            db9c7f829c779c695d43ffb7ddf907fb

                                            SHA1

                                            b42a0caa96e3e1b35c90dc0b1e242d11f6a2bccb

                                            SHA256

                                            e6df6767111cda23d5bbf073aab59f5b116a735809eff846162ccae27333b8ac

                                            SHA512

                                            1c74aaeaa27940a2d19c819677987a73bc65c10549b857b18b3fa76234eee8e77e0392bf5b3e0ffc35f3d72342e838d19144faf252491f5834c80867fd3a3428

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\8a23434a-e83d-48b3-be51-dc267738b706.vbs
                                            Filesize

                                            707B

                                            MD5

                                            d11b413263330af52d902c29175eb5be

                                            SHA1

                                            748d5dc07b769b1b236619ea00a0906b3c43f3ee

                                            SHA256

                                            9df4a8adb1ef1552d09d3c7336f4f7ae83c32a877321e44550c629234ac79574

                                            SHA512

                                            c0aadb38d6a65f860b97cd07f1ef53d2e4011b235ccfaf3588201e4240f6a75629c66af22177a6be215e260d0bc8b60caec070a5af45c85507e3c7cfcb6e7e35

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjyklhdx.eht.ps1
                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\a508f9eb-fbe2-4b03-8445-964d50048e80.vbs
                                            Filesize

                                            707B

                                            MD5

                                            60c4748488011cc86f667b44954cbc67

                                            SHA1

                                            5ecfedfa3616372e7b4e75ebb37d8aa46fbdf055

                                            SHA256

                                            0c99de019ed8a5cc55af8787f539e7d8d9ca923db67aad658166b746fef14f3a

                                            SHA512

                                            3bcf66d58eea1f38f863f92fb34002ac7d5e7e1e39041f9f9053fb687d5574e911f7d0df413bc97c5328238a3f91eebf671ef2222d87fcfefb45ea2804bc76ea

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\ec91756e-10c0-4067-9f63-70be14abc98c.vbs
                                            Filesize

                                            483B

                                            MD5

                                            b9a24e9d38c389e184ca7e7790602f6f

                                            SHA1

                                            42e15a05dfc7ddbbe082caf0565d9060aed51711

                                            SHA256

                                            5605762cc33d6d261f7cf6d0a81e6518ce4f883bfed12df1d3b7f5b82f0a5f63

                                            SHA512

                                            d643e78769a250a3f375c828c4bfb60701eaecc8ae2360486bd769fdd75fad48734cd9cdb4e28c1a7d0dbad48e4f7cc8911ce0fe9136514002033ff0a9a0d712

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\tmp788E.tmp.exe
                                            Filesize

                                            75KB

                                            MD5

                                            e0a68b98992c1699876f818a22b5b907

                                            SHA1

                                            d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                            SHA256

                                            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                            SHA512

                                            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                            Download Submit

                                          • memory/556-11-0x000000001BAF0000-0x000000001BB02000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/556-9-0x000000001B260000-0x000000001B270000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/556-52-0x00007FFAEDF90000-0x00007FFAEEA51000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/556-1-0x0000000000100000-0x00000000005F4000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/556-2-0x000000001B4B0000-0x000000001B5DE000-memory.dmp

                                            Filesize

                                            1.2MB

                                            Download

                                          • memory/556-16-0x000000001BB80000-0x000000001BB88000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/556-17-0x000000001BB90000-0x000000001BB98000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/556-15-0x000000001BB20000-0x000000001BB2E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/556-13-0x000000001BB00000-0x000000001BB0A000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/556-14-0x000000001BB10000-0x000000001BB1E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/556-12-0x000000001C0B0000-0x000000001C5D8000-memory.dmp

                                            Filesize

                                            5.2MB

                                            Download

                                          • memory/556-0-0x00007FFAEDF93000-0x00007FFAEDF95000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/556-10-0x000000001BAE0000-0x000000001BAEA000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/556-18-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/556-3-0x00007FFAEDF90000-0x00007FFAEEA51000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/556-8-0x000000001B480000-0x000000001B496000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/556-5-0x000000001BB30000-0x000000001BB80000-memory.dmp

                                            Filesize

                                            320KB

                                            Download

                                          • memory/556-6-0x0000000000E10000-0x0000000000E18000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/556-7-0x000000001B250000-0x000000001B260000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/556-4-0x000000001B230000-0x000000001B24C000-memory.dmp

                                            Filesize

                                            112KB

                                            Download

                                          • memory/1488-51-0x0000028DB92B0000-0x0000028DB92D2000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/1648-300-0x000000001D9F0000-0x000000001DA02000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/2832-182-0x0000000000040000-0x0000000000534000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/4436-65-0x0000000000400000-0x0000000000407000-memory.dmp

                                            Filesize

                                            28KB

                                            Download

                                          • memory/4636-230-0x000000001D9F0000-0x000000001DA02000-memory.dmp

                                            Filesize

                                            72KB

                                            Download