Overview

overview

10

Static

static

3

e9d26b96dd...bN.exe

windows7-x64

10

e9d26b96dd...bN.exe

windows10-2004-x64

Analysis

  • max time kernel
    31s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2024 19:28

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe

  • Size

    4.9MB

  • MD5

    b3122af5e8a9fb754de586ed15e82010

  • SHA1

    1742944ca846cf6a21912116aea128dc073cd379

  • SHA256

    e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684ab

  • SHA512

    35cee29e3cf2c1116a01e24491a572c065c482c2038fbd71676f2a18ce9eb550997ac81c45f8b2411036e615082a634f72175cf48c08e5ebc64b4e7a6a8b5319

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
    "C:\Users\Admin\AppData\Local\Temp\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\tmp8AAF.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8AAF.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\tmp8AAF.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp8AAF.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:1004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Recovery\WindowsRE\lsass.exe
      "C:\Recovery\WindowsRE\lsass.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2276
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7f4a64a-92ea-4de4-b574-f5b7aaed44da.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Recovery\WindowsRE\lsass.exe
          C:\Recovery\WindowsRE\lsass.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4896
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e925ac4f-8bc7-4670-9c51-6eb5a78137ef.vbs"
            5⤵
              PID:5056
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a44b2b2-ecf5-4b42-95b2-f405c2610583.vbs"
              5⤵
                PID:5004
              • C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp.exe
                "C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1376
                • C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp.exe
                  "C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4472
                  • C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp.exe
                    "C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:4640
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24608cd0-3731-424c-8221-23f4c8e2df25.vbs"
            3⤵
              PID:4424
            • C:\Users\Admin\AppData\Local\Temp\tmpB853.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmpB853.tmp.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2484
              • C:\Users\Admin\AppData\Local\Temp\tmpB853.tmp.exe
                "C:\Users\Admin\AppData\Local\Temp\tmpB853.tmp.exe"
                4⤵
                • Executes dropped EXE
                PID:400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3064
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2016
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4328
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2032
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\sihost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4256
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1968
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IME\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:264
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Containers\serviced\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3952

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft OneDrive\setup\dllhost.exe
          Filesize

          4.9MB

          MD5

          b3122af5e8a9fb754de586ed15e82010

          SHA1

          1742944ca846cf6a21912116aea128dc073cd379

          SHA256

          e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684ab

          SHA512

          35cee29e3cf2c1116a01e24491a572c065c482c2038fbd71676f2a18ce9eb550997ac81c45f8b2411036e615082a634f72175cf48c08e5ebc64b4e7a6a8b5319

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log
          Filesize

          1KB

          MD5

          4a667f150a4d1d02f53a9f24d89d53d1

          SHA1

          306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

          SHA256

          414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

          SHA512

          4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          cadef9abd087803c630df65264a6c81c

          SHA1

          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

          SHA256

          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

          SHA512

          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\24608cd0-3731-424c-8221-23f4c8e2df25.vbs
          Filesize

          483B

          MD5

          3aa5ef6d6364a757f04116b367a1c3bf

          SHA1

          9eeda1eee90910f5ee2690ab4f37d23284ae808b

          SHA256

          20e92d0db1fa1669b2673af9eb09823ebaa9e53e6fb0cbfa6ba1f72565842de4

          SHA512

          d8be807667c1ace69b175302576db3c31f6580b090f0e20d16cae333f90d891bd5e235fe3378a340ceecd72bdf9ae76fdc0b79fdedac506261ba33b3bb770403

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bniyk2rz.05k.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\b7f4a64a-92ea-4de4-b574-f5b7aaed44da.vbs
          Filesize

          707B

          MD5

          a8feb203d47c01bde8b7af427a6b0050

          SHA1

          06698fc848de3a20b4be73facd9475ac94717525

          SHA256

          52044f9a774a7547c7f18337ca4b6a1b05fac5c6c293c59f7acfc6d30b177e4c

          SHA512

          c92131ec8b3faeaba0aba43b40670ea2d81429433dfc774ab893b4a4a500f14e1cbb52c0ddf6ce6bd106eda0ef9cf6d910d04e457b0561feb8b252b264d55e45

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\e925ac4f-8bc7-4670-9c51-6eb5a78137ef.vbs
          Filesize

          707B

          MD5

          ea04ce0617840309d030674938a068a4

          SHA1

          b69ab785b5dcbc705fc361a44a0c3a172d6963a7

          SHA256

          f3337acd8e10db2cb7c68f749772fec0c82bcdc4f1bb7dbefd7d82df3ab79ee9

          SHA512

          143ad916e0aebe78fd3cde9c29ba048e8b2946b2f82cc6554680c3f9b6c81ea7082b3f869a4795cf93cc5efa8808ef8a38462954abdb55d26bdc53b562a5afe7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp8AAF.tmp.exe
          Filesize

          75KB

          MD5

          e0a68b98992c1699876f818a22b5b907

          SHA1

          d41e8ad8ba51217eb0340f8f69629ccb474484d0

          SHA256

          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

          SHA512

          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

          Download Submit

        • C:\Users\Default\RCX9709.tmp
          Filesize

          4.9MB

          MD5

          5407045b0fc773edf3bd0d78856f5bd4

          SHA1

          83593d978efc055178710f6692b2319ae88e0b7d

          SHA256

          aa05068f4895e5917bddab869f425c576d262984fa74b16efe4b7e11e2a4f15a

          SHA512

          3a4efdbfec219c3e74c757177156428e9a12c1e2484c9252bf8132c0f25d9a463b8b8e464edc95656c3d1757a8fb851a95e155ffe21b090d6b6db3a998eee1a8

          Download Submit

        • C:\Windows\IME\RCXA400.tmp
          Filesize

          4.9MB

          MD5

          ce433a5c1a242b693388db30f9c6214b

          SHA1

          e7b55d2050247008c9574ca7a94cce8434b40bdc

          SHA256

          89c9cd75bec137fae86d159b53f4344b3e63e2dae8138137c6f54cbcb2632296

          SHA512

          991c3064827e613a4900a41ee32697863c4e49e147201f5324c450662ab98ab1d7f56f7df0fc79a0f46c6e6e9c199977fcf974f360a0570481b63ec33310eae4

          Download Submit

        • memory/1004-75-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2396-227-0x000002924B570000-0x000002924B592000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4228-8-0x0000000002D80000-0x0000000002D96000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4228-9-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4228-13-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4228-16-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4228-18-0x000000001BA90000-0x000000001BA9C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4228-17-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4228-15-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4228-12-0x000000001C600000-0x000000001CB28000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4228-10-0x0000000002DB0000-0x0000000002DBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4228-11-0x0000000002DC0000-0x0000000002DD2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4228-146-0x00007FFABC2B3000-0x00007FFABC2B5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4228-14-0x0000000002DE0000-0x0000000002DEE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4228-161-0x00007FFABC2B0000-0x00007FFABCD71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4228-0-0x00007FFABC2B3000-0x00007FFABC2B5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4228-5-0x000000001BA40000-0x000000001BA90000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4228-329-0x00007FFABC2B0000-0x00007FFABCD71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4228-6-0x0000000001350000-0x0000000001358000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4228-7-0x0000000002D70000-0x0000000002D80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4228-4-0x0000000002D50000-0x0000000002D6C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4228-3-0x000000001B910000-0x000000001BA3E000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4228-2-0x00007FFABC2B0000-0x00007FFABCD71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4228-1-0x0000000000600000-0x0000000000AF4000-memory.dmp

          Filesize

          5.0MB

          Download