Overview

overview

10

Static

static

3

88f0ccbb0f...55.exe

windows7-x64

10

88f0ccbb0f...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

  • Size

    4.9MB

  • MD5

    e27d9077d56e3cbdab770a0d9cbadf16

  • SHA1

    0e7fac5090694c16c4eca567438473aed3ac4c0f

  • SHA256

    88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155

  • SHA512

    2dc6629f1364c3b43bc2d481038bcf1c086dceed0b29b80dacbf8d4b52b27a06bce6769d45fbd0b753d6199205d7c08d6de59c3778c42280ff4c5eee3258ee88

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8a:S

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 32 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 11 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
    "C:\Users\Admin\AppData\Local\Temp\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2752
    • C:\Users\Admin\AppData\Local\Temp\tmpA04B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA04B.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\AppData\Local\Temp\tmpA04B.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpA04B.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5BG0YwgmTM.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2080
        • C:\Users\Admin\PrintHood\sppsvc.exe
          "C:\Users\Admin\PrintHood\sppsvc.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4128
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded1f8f4-71c0-4a7c-930d-3343166a9703.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3868
            • C:\Users\Admin\PrintHood\sppsvc.exe
              C:\Users\Admin\PrintHood\sppsvc.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1608
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43acadd6-3000-409a-a7af-cb0ef5f0d4ba.vbs"
                6⤵
                  PID:3288
                  • C:\Users\Admin\PrintHood\sppsvc.exe
                    C:\Users\Admin\PrintHood\sppsvc.exe
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:1580
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5eaeb18-38bb-4cf5-ba24-4e5aaf5611e9.vbs"
                      8⤵
                        PID:2136
                        • C:\Users\Admin\PrintHood\sppsvc.exe
                          C:\Users\Admin\PrintHood\sppsvc.exe
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:3652
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7d1289b-9310-4af3-920d-89e709bb45a0.vbs"
                            10⤵
                              PID:2816
                              • C:\Users\Admin\PrintHood\sppsvc.exe
                                C:\Users\Admin\PrintHood\sppsvc.exe
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:548
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97ded75-80ad-45ab-822a-9654558f4da7.vbs"
                                  12⤵
                                    PID:3612
                                    • C:\Users\Admin\PrintHood\sppsvc.exe
                                      C:\Users\Admin\PrintHood\sppsvc.exe
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:2420
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a6fdda5-3c2d-402c-af46-2bf81fb0db3d.vbs"
                                        14⤵
                                          PID:4152
                                          • C:\Users\Admin\PrintHood\sppsvc.exe
                                            C:\Users\Admin\PrintHood\sppsvc.exe
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:3572
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46edf3fb-cebd-4356-8213-e278b0e7de17.vbs"
                                              16⤵
                                                PID:4288
                                                • C:\Users\Admin\PrintHood\sppsvc.exe
                                                  C:\Users\Admin\PrintHood\sppsvc.exe
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:3452
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c56f0a3-0bd0-47c2-bc0d-6bd7ab4009bb.vbs"
                                                    18⤵
                                                      PID:1992
                                                      • C:\Users\Admin\PrintHood\sppsvc.exe
                                                        C:\Users\Admin\PrintHood\sppsvc.exe
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:2656
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a642fe-c258-4b1d-af12-b47d82e10fa9.vbs"
                                                          20⤵
                                                            PID:1924
                                                            • C:\Users\Admin\PrintHood\sppsvc.exe
                                                              C:\Users\Admin\PrintHood\sppsvc.exe
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1392
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc76854e-a1ab-495c-9e3b-c09b5ad1850c.vbs"
                                                                22⤵
                                                                  PID:1176
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\438f72f9-9555-445a-b5ab-0847f63a15d2.vbs"
                                                                  22⤵
                                                                    PID:4008
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2979dd76-a871-4d35-910a-701cf22840a3.vbs"
                                                                20⤵
                                                                  PID:3828
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp387B.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp387B.tmp.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2920
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp387B.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp387B.tmp.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    PID:4432
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2586e38-215b-4b6a-b5cc-98e5852d697c.vbs"
                                                              18⤵
                                                                PID:4756
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4188
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  PID:2140
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d149e832-baba-4488-ad26-017d8b14ec06.vbs"
                                                            16⤵
                                                              PID:3556
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe"
                                                              16⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2424
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe"
                                                                17⤵
                                                                • Executes dropped EXE
                                                                PID:3632
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2637330-98c7-48a9-b452-a44f728afbf5.vbs"
                                                          14⤵
                                                            PID:928
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe"
                                                            14⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2920
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpBB4C.tmp.exe"
                                                              15⤵
                                                              • Executes dropped EXE
                                                              PID:4184
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61ce5d9e-c834-4255-9b44-e38cd699ab9c.vbs"
                                                        12⤵
                                                          PID:2696
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp89DC.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp89DC.tmp.exe"
                                                          12⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4972
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp89DC.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp89DC.tmp.exe"
                                                            13⤵
                                                            • Executes dropped EXE
                                                            PID:3260
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7b763fb-3daa-45f3-af48-5ec2b03f98d9.vbs"
                                                      10⤵
                                                        PID:2712
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp584C.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp584C.tmp.exe"
                                                        10⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4796
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp584C.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp584C.tmp.exe"
                                                          11⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2084
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp584C.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp584C.tmp.exe"
                                                            12⤵
                                                            • Executes dropped EXE
                                                            PID:2772
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79e7a660-ca33-4b85-a767-9162fde0777b.vbs"
                                                    8⤵
                                                      PID:2144
                                                    • C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.exe"
                                                      8⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2664
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.exe"
                                                        9⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4668
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          PID:2484
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509d1fe1-ee33-4782-9967-bcc03fd97f70.vbs"
                                                  6⤵
                                                    PID:2032
                                                  • C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4424
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp.exe"
                                                      7⤵
                                                      • Executes dropped EXE
                                                      PID:1752
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbcb7542-62cb-43ce-8d06-ea35a21e74c4.vbs"
                                                4⤵
                                                  PID:3040
                                                • C:\Users\Admin\AppData\Local\Temp\tmpC728.tmp.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\tmpC728.tmp.exe"
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4616
                                                  • C:\Users\Admin\AppData\Local\Temp\tmpC728.tmp.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\tmpC728.tmp.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    PID:4596
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2132
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1388
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1580
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4936
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2220
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2288
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3980
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4764

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                            Filesize

                                            2KB

                                            MD5

                                            d85ba6ff808d9e5444a4b369f5bc2730

                                            SHA1

                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                            SHA256

                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                            SHA512

                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
                                            Filesize

                                            1KB

                                            MD5

                                            4a667f150a4d1d02f53a9f24d89d53d1

                                            SHA1

                                            306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                            SHA256

                                            414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                            SHA512

                                            4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            2e907f77659a6601fcc408274894da2e

                                            SHA1

                                            9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                            SHA256

                                            385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                            SHA512

                                            34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            3a6bad9528f8e23fb5c77fbd81fa28e8

                                            SHA1

                                            f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                            SHA256

                                            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                            SHA512

                                            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            77d622bb1a5b250869a3238b9bc1402b

                                            SHA1

                                            d47f4003c2554b9dfc4c16f22460b331886b191b

                                            SHA256

                                            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                            SHA512

                                            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            e243a38635ff9a06c87c2a61a2200656

                                            SHA1

                                            ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                            SHA256

                                            af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                            SHA512

                                            4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            5f0ddc7f3691c81ee14d17b419ba220d

                                            SHA1

                                            f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                            SHA256

                                            a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                            SHA512

                                            2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            6d3e9c29fe44e90aae6ed30ccf799ca8

                                            SHA1

                                            c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                            SHA256

                                            2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                            SHA512

                                            60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            aaaac7c68d2b7997ed502c26fd9f65c2

                                            SHA1

                                            7c5a3731300d672bf53c43e2f9e951c745f7fbdf

                                            SHA256

                                            8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

                                            SHA512

                                            c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\43acadd6-3000-409a-a7af-cb0ef5f0d4ba.vbs
                                            Filesize

                                            711B

                                            MD5

                                            7cb1865b2dfce2cf6476e5d067fc9385

                                            SHA1

                                            b9c38551ddc8d4f370ea8097646a2315b6929789

                                            SHA256

                                            5e2e5517e1c4273ed0c1ef96e92d540d890a9ddf820ed291447b1ca1c585dc60

                                            SHA512

                                            ed02cec04b2576d6e52fe90e345f0ed64064e2f914ded2442373054eddfbb5710297cfdb9330ec3bdee1db7d9ff6fdd052a7c4398f77934ebea94486cf6b74c2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\46edf3fb-cebd-4356-8213-e278b0e7de17.vbs
                                            Filesize

                                            711B

                                            MD5

                                            5721e2799ce1796e5f628c0078a5e027

                                            SHA1

                                            520f226162a36823be9c27a52ea3edf422301ada

                                            SHA256

                                            53cc6c5b3f7aadac5b92b8f987f2b435e53e07f304ea2ef8e658dfc9e33f7f68

                                            SHA512

                                            2d17cf03e281578c72f8b0fcb40473a6267fd779e48c46e7c06ae35a50aaaf4020361d5be938bcfaf64f950f8a8d3d66bec1891d9fc1e7c64ed7cffd20d7a898

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\5BG0YwgmTM.bat
                                            Filesize

                                            200B

                                            MD5

                                            b3d9c0bb969c0b99ad1090617edb67ec

                                            SHA1

                                            d3ba7a8e4c88346da16067e59749c021bef99196

                                            SHA256

                                            9e463f719f946b6769f7bbacc1b3a8a7b56de0cb9ef8c276238508f83ba91ccf

                                            SHA512

                                            b7d3724aff5000b2cd9e9f8e30b46fd1cbe2075e77c36a93c54a83f9a7aeb7715ae633c2b52ebb9eda397fea14c0a84749e22ae93d7e108d304127c168e794af

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\7a6fdda5-3c2d-402c-af46-2bf81fb0db3d.vbs
                                            Filesize

                                            711B

                                            MD5

                                            39b4a007c4f4965321cfda8d1e58b58f

                                            SHA1

                                            caa494d4eeb9601597ac403f79a57c880d0ad9b9

                                            SHA256

                                            03685cf77f8ab4a9d9fccff1340ef7a180801804e3b75d6bbf033a50519dceb1

                                            SHA512

                                            b6eec2c0a4063a0cc22f9623c7644cac057137272c0e70c372e9d11afa9f810aa323a1fbccb708d962962e5c1830b6a6e08a91b64b3993e578b380c4c4eacaa2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lq4kibjm.33u.ps1
                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\bbcb7542-62cb-43ce-8d06-ea35a21e74c4.vbs
                                            Filesize

                                            487B

                                            MD5

                                            934a523bdd64602f4edee0a87621e78d

                                            SHA1

                                            6e3dc6bbd5bf767c77579f619b97045eb8ef02eb

                                            SHA256

                                            9bfeba25404b67ad6a83e18409708bfc18412fe8e4626ef12f82a7d6a3a4f70b

                                            SHA512

                                            d0818bb3083b99775f66fa7a271cca75dc7d77c754344e9325f0332b3e69c9bdc80426177394d2fb2719e9c54f247de772f331c215c5a2e35d96ac4c7728bb6f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\d97ded75-80ad-45ab-822a-9654558f4da7.vbs
                                            Filesize

                                            710B

                                            MD5

                                            00ca4a47331b958ac0f10a56033104c5

                                            SHA1

                                            d286a94023d4cde3c06929d70c6c0ed58f69ae64

                                            SHA256

                                            13abb5b95fe3860408a6490776351a17a84bbc8cf4fbc5e45101693bed2ddf3a

                                            SHA512

                                            5e64be1d54d476c33619086c3a6bfb77fce08fa4a74d7d64b5f046b45ec103345df965b84310ec9fe6ef283f72aad7e71dc29621f2a1ef1ef880328f4a865dba

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\ded1f8f4-71c0-4a7c-930d-3343166a9703.vbs
                                            Filesize

                                            711B

                                            MD5

                                            0ad1aecb28577b7be3e05175195526e1

                                            SHA1

                                            80130368cf398a6017925b459ee26b89d157df46

                                            SHA256

                                            a732a0004cca35dc2dd562a68defcd9bb9029dc733374a720175fac0c6120a15

                                            SHA512

                                            870786e1c96907da2521965e3891b447c675411da0c34e454c499cb1f286ba36e30da1fd6c0c7086d1c8cdc0d1d7274f1d7b8ef02bda5d414a37d8691ac0bb40

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\f5eaeb18-38bb-4cf5-ba24-4e5aaf5611e9.vbs
                                            Filesize

                                            711B

                                            MD5

                                            716647468ca891ffa5f91b589fab30d1

                                            SHA1

                                            480114cd031773d8eede8b075bd47689c49d3920

                                            SHA256

                                            5d54ae10daacc8f0db1bd3a342a2861c3de457e4491685c727070d099a85af6b

                                            SHA512

                                            a3862dc80efe1fed1ef2058e7796c14487cdfc5f9835c97851a5a1dc041804e4a8f7274b84cec31e38ac87483f39c3190d6b1746ed40ded1835f9dfc3348ca19

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\f7d1289b-9310-4af3-920d-89e709bb45a0.vbs
                                            Filesize

                                            711B

                                            MD5

                                            893512b81fd7932f0d2458f65fbe3e81

                                            SHA1

                                            e4e703bd4748cf9e5d6844ea61751bd90d5665c9

                                            SHA256

                                            2afb1289f00e285afb5a574bd26bd0a61843e5c2c79c92b4999b6ba2544a2c42

                                            SHA512

                                            72bc02c35323f689ab8fb32ff017c9025e00c340f380676c3c27f8af30bd28a2f9924d55d4f6c95a2291e177fb227a30e3d29fb69da073ed17bf74df00c10e74

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\tmpA04B.tmp.exe
                                            Filesize

                                            75KB

                                            MD5

                                            e0a68b98992c1699876f818a22b5b907

                                            SHA1

                                            d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                            SHA256

                                            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                            SHA512

                                            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sppsvc.exe
                                            Filesize

                                            4.9MB

                                            MD5

                                            e27d9077d56e3cbdab770a0d9cbadf16

                                            SHA1

                                            0e7fac5090694c16c4eca567438473aed3ac4c0f

                                            SHA256

                                            88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155

                                            SHA512

                                            2dc6629f1364c3b43bc2d481038bcf1c086dceed0b29b80dacbf8d4b52b27a06bce6769d45fbd0b753d6199205d7c08d6de59c3778c42280ff4c5eee3258ee88

                                            Download Submit

                                          • memory/1608-218-0x000000001C680000-0x000000001C692000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/1644-76-0x000002A87B630000-0x000002A87B652000-memory.dmp

                                            Filesize

                                            136KB

                                            Download

                                          • memory/2752-11-0x000000001B410000-0x000000001B422000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/2752-10-0x000000001B400000-0x000000001B40A000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/2752-1-0x0000000000030000-0x0000000000524000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/2752-17-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2752-18-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

                                            Filesize

                                            48KB

                                            Download

                                          • memory/2752-16-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2752-14-0x000000001BA90000-0x000000001BA9E000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/2752-15-0x000000001BAA0000-0x000000001BAAE000-memory.dmp

                                            Filesize

                                            56KB

                                            Download

                                          • memory/2752-13-0x000000001B420000-0x000000001B42A000-memory.dmp

                                            Filesize

                                            40KB

                                            Download

                                          • memory/2752-12-0x000000001BFC0000-0x000000001C4E8000-memory.dmp

                                            Filesize

                                            5.2MB

                                            Download

                                          • memory/2752-0-0x00007FFABFA63000-0x00007FFABFA65000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/2752-66-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/2752-8-0x000000001B3E0000-0x000000001B3F6000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/2752-9-0x000000001B290000-0x000000001B2A0000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/2752-5-0x000000001BA40000-0x000000001BA90000-memory.dmp

                                            Filesize

                                            320KB

                                            Download

                                          • memory/2752-6-0x0000000002860000-0x0000000002868000-memory.dmp

                                            Filesize

                                            32KB

                                            Download

                                          • memory/2752-7-0x000000001B280000-0x000000001B290000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/2752-4-0x0000000002840000-0x000000000285C000-memory.dmp

                                            Filesize

                                            112KB

                                            Download

                                          • memory/2752-3-0x000000001B2B0000-0x000000001B3DE000-memory.dmp

                                            Filesize

                                            1.2MB

                                            Download

                                          • memory/2752-2-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/3452-359-0x0000000003080000-0x0000000003092000-memory.dmp

                                            Filesize

                                            72KB

                                            Download

                                          • memory/4892-58-0x0000000000400000-0x0000000000407000-memory.dmp

                                            Filesize

                                            28KB

                                            Download