Overview

overview

10

Static

static

10

d37a1b9536...76.exe

windows7-x64

10

d37a1b9536...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe

  • Size

    3.4MB

  • MD5

    54454792b2656605daffe22adb7750c0

  • SHA1

    14bc4b6c3b169b26efcb22b9dd913c9bdcb25c61

  • SHA256

    d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676

  • SHA512

    279c5bd9e09e45e86df9cd2421aa0a61f724ad8332e0f5409d33ed2ecea4ad4b38ed9c71e67184f08ff23088df5652d75afbb793eded50ef8230effd2597b679

  • SSDEEP

    49152:s3GMesEktOcTPuKyI1qd5i6JTnl9gs6ToWbepfutWiNFg20+5J3pS8Dzy8:nuEktPuu1qbhwDoWHgt+5JZS8fy8

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 24 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 16 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 24 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe
    "C:\Users\Admin\AppData\Local\Temp\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KH4dUqS4NF.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1532
        • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
          "C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4600
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cf72f6a-6545-4b8a-8d37-311af81c8ce1.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1064
            • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
              C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4872
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4aba230-47a1-4a3e-9a98-cd4cc54fca50.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3128
                • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                  C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1632
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53ff0f94-f867-4110-8889-7a9edce20e6a.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4780
                    • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                      C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3776
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93107226-f2dc-4048-8fed-b26f75884f34.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:756
                        • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                          C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:1492
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffa0fd84-c9c7-4ef2-b36e-d76f82aa1268.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3664
                            • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                              C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:4356
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3315fb0c-6743-4254-b1de-870728889367.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2360
                                • C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                                  C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe
                                  15⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:3236
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d985b26e-1551-4140-91a3-1b7a5f534b35.vbs"
                                    16⤵
                                      PID:3040
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a281336-3c28-4d44-86a7-460e27782328.vbs"
                                      16⤵
                                        PID:4008
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0a7b98-02e6-4676-b3af-61c4b951f6fb.vbs"
                                    14⤵
                                      PID:1060
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5905b10-9db5-4769-9ae8-be46186378b1.vbs"
                                  12⤵
                                    PID:3392
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2f781ff-46ed-456c-88f8-3a40e04af1a6.vbs"
                                10⤵
                                  PID:1792
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de95dfdb-9016-4542-976b-069f8be73ca3.vbs"
                              8⤵
                                PID:3872
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f388054-101a-4944-a33f-ce22b373d155.vbs"
                            6⤵
                              PID:1364
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0bdfe3d-1a2f-4373-9ac3-ae819f0f5e72.vbs"
                          4⤵
                            PID:3048
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3348
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4564
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2748
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3508
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1232
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1960
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\it-IT\csrss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4964
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3068
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\it-IT\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4960
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\SearchApp.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5040
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4468
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3272
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1596
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2940
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2044
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Updates\Download\sysmon.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5052
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\sysmon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1048
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Download\sysmon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:648
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2656
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2908
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2888
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\csrss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2024
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:448
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:760
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:588
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3032
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1720
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4044
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4676
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:432
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1764
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2936
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4068
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676d" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4380
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676" /sc ONLOGON /tr "'C:\Windows\de-DE\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2464
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676d" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3848
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3756
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2892
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\SystemSettings\View\sihost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1648
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\sysmon.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4412
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\NetHood\sysmon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:384
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\sysmon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3648

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
                      Filesize

                      1KB

                      MD5

                      49b64127208271d8f797256057d0b006

                      SHA1

                      b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                      SHA256

                      2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                      SHA512

                      f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\3315fb0c-6743-4254-b1de-870728889367.vbs
                      Filesize

                      739B

                      MD5

                      b497b3ec9717ae59f0f62acf247b7131

                      SHA1

                      8664123eab9e269f62bd30aca56118fd75a41ba7

                      SHA256

                      6eabd14b0adca28d9baaff541fe0ff4d71e83311a5e5415e4209f8998483859e

                      SHA512

                      e0038591e428fe901835b353f84fa84eb627d172eb2cba130cafd682b95f6ab8031bc375e0056fc1571ef336ce54fe19cdb8928755aae76922539ea89541764e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\4cf72f6a-6545-4b8a-8d37-311af81c8ce1.vbs
                      Filesize

                      739B

                      MD5

                      eaf60c203ef1e7338ad075c5d52acbc6

                      SHA1

                      40c250f4e4e8fd6849469a7a5dd2e08633787223

                      SHA256

                      54a11a902ee0cc1a78f275ba49e81463309ea715a22e1c57c23fd845fecdc209

                      SHA512

                      9e799245f8058ca5e7082546c1c3edc783d2d6dd7aacc6e03c69ced9b836f9961519ba99a77fa152239cb1cfbc57ae63f83e5b532f7a0493ab3ea664147a63e4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\53ff0f94-f867-4110-8889-7a9edce20e6a.vbs
                      Filesize

                      739B

                      MD5

                      0d1d4bc491e35f03c88dca311e2c1fba

                      SHA1

                      def9108d64b67b24d591d8690e5d5c8194d72ca0

                      SHA256

                      14aef7b1398e5666ecf8c57fcb8164955dcdf4e59ec44859ab4ad32f3de8ef3f

                      SHA512

                      babffefc3e99ce167b311a8f51d973b4d92f1138ebad571272779ceca7d9082225da9d64024976b5a53d2a3f08a089a500b767d4715a81a7995829f2348d0644

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\93107226-f2dc-4048-8fed-b26f75884f34.vbs
                      Filesize

                      739B

                      MD5

                      8283d4d133d0566105dbd215ded6e0b3

                      SHA1

                      30410cd3847fdfdf01c5e13df5ee389ebb467dd4

                      SHA256

                      75ab46d8a12a983412f4e48de65ac90f098af6af7bd590def6b569e99e79c996

                      SHA512

                      a8a90d874927d61778c4a5629641993608cb9c01caddac6ef443b17c1aa660ab76d89a93570a74c841453dd9d4eb637413053c0ac8b5a9181c4f5c82e02173ea

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\KH4dUqS4NF.bat
                      Filesize

                      228B

                      MD5

                      f8d6d53f73ae79c51ad4cd7d1f429971

                      SHA1

                      f78e7702c0eba57a6ae01596b6f192e305caf794

                      SHA256

                      205e01ca00ac2f449417e4900d7fe9b3f7a03ba1aeb9b3981b70874928d4b0f6

                      SHA512

                      14c687334a4d642be3c429988a1ca3c28aee82ca7d227a6816917853959373a35308731c38b461e7a508e10ae1e5953a139af9692eaa903ed8561107d2e6c3dc

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\c0bdfe3d-1a2f-4373-9ac3-ae819f0f5e72.vbs
                      Filesize

                      515B

                      MD5

                      790746e3d1d8a168929ed38a941148ca

                      SHA1

                      fd9269b7aaf3e7a21954bceb52f3d4ffe4d319e9

                      SHA256

                      877dc4d26543848939b7ca3a1fde0f8af4fdb3b1121eeaa876e2610d27186410

                      SHA512

                      47469fbf8311ce3e572c283b3e889f2d9379a85074be9e2e9764b11cccc0a713eb6ddc3f0c6c2e86fbe9bbcebedb20f596dc98c5db684c5808825a0c418600e3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\d985b26e-1551-4140-91a3-1b7a5f534b35.vbs
                      Filesize

                      739B

                      MD5

                      230ea14e490be5079b83afe8a4c3ddde

                      SHA1

                      1a657d1c6aa6146d298c2a64057e334ab7318144

                      SHA256

                      a00df80fae3e40e045dc30174e7300932749a472a54fb5d846819802f856850c

                      SHA512

                      59f83c6dd4c3aceca0a863ed2d9b5e237d0306b5f4942feaa469993ac0779e47b3fa71761928109c268a6ca04d44d4d30d168d8767ad54d2f17d6e45a85f8823

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\e4aba230-47a1-4a3e-9a98-cd4cc54fca50.vbs
                      Filesize

                      739B

                      MD5

                      6f5111fd72644adef965f90c8bb381e4

                      SHA1

                      ddb1b4d1d6b940f070dc92782a4e3ef3f278686c

                      SHA256

                      aee03087ffa82b05ee1a7e5c4ddc5bc29643307d8b9eba0322ee8908df4756e0

                      SHA512

                      df039517c173f50d10597078a19652ed8bcd5c7676b33d132482345e9dbec7b1d422ca981440a0bfb7bea712da548616856e59665bb31c4e997f600d6b13a1e4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\ffa0fd84-c9c7-4ef2-b36e-d76f82aa1268.vbs
                      Filesize

                      739B

                      MD5

                      941c713ffbff97c19a62688e22de1907

                      SHA1

                      3c1bfac603bad26ecf6fb0d2436977beba8d5776

                      SHA256

                      c63167f80687a2dde616ba14f8f1ba250a69fe1a1af3dc1946565cad58c32f41

                      SHA512

                      7d6919a70fd621090fc0928a954e1a711fb458d377f3902b6d41096a18288ce6d451e2b3f86e0b5727cdcbc3af0c0aeeb5caebc3cfa372cbb74ae84e9aff9990

                      Download Submit

                    • C:\Users\Default\dllhost.exe
                      Filesize

                      3.4MB

                      MD5

                      54454792b2656605daffe22adb7750c0

                      SHA1

                      14bc4b6c3b169b26efcb22b9dd913c9bdcb25c61

                      SHA256

                      d37a1b95368b3ba6cb549ee14af0e69891ad7b5f66e49f919f0e7e527532e676

                      SHA512

                      279c5bd9e09e45e86df9cd2421aa0a61f724ad8332e0f5409d33ed2ecea4ad4b38ed9c71e67184f08ff23088df5652d75afbb793eded50ef8230effd2597b679

                      Download Submit

                    • memory/1060-203-0x0000024492D70000-0x0000024492D99000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/1060-204-0x0000024494650000-0x000002449468B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1060-202-0x0000024492D20000-0x0000024492D5B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1364-107-0x00000254948A0000-0x00000254948C9000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/1364-106-0x0000025494850000-0x000002549488B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1364-108-0x0000025494D30000-0x0000025494D6B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1632-110-0x000000001B1E0000-0x000000001B1F2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/1792-150-0x000001D1A4950000-0x000001D1A498B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1792-149-0x000001D1A2D00000-0x000001D1A2D29000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/1792-148-0x000001D1A2CB0000-0x000001D1A2CEB000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/2360-200-0x000001FC94310000-0x000001FC94339000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/2360-201-0x000001FC94340000-0x000001FC9437B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/2360-199-0x000001FC942D0000-0x000001FC9430B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3048-101-0x000001EA486D0000-0x000001EA486F9000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/3048-102-0x000001EA48700000-0x000001EA4873B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3048-100-0x000001EA48690000-0x000001EA486CB000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3128-105-0x000001F422C90000-0x000001F422CCB000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3128-104-0x000001F4213A0000-0x000001F4213C9000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/3128-103-0x000001F421350000-0x000001F42138B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3236-278-0x000000001B4C0000-0x000000001B4D2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3392-192-0x000001F348AD0000-0x000001F348B0B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3392-191-0x000001F348AA0000-0x000001F348AC9000-memory.dmp

                      Filesize

                      164KB

                      Download

                    • memory/3392-190-0x000001F348A50000-0x000001F348A8B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3424-19-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-20-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-33-0x000000001C860000-0x000000001C868000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-32-0x000000001C850000-0x000000001C85E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3424-31-0x000000001C740000-0x000000001C74A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3424-29-0x000000001C720000-0x000000001C728000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-35-0x000000001C880000-0x000000001C888000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-73-0x00007FF9CF880000-0x00007FF9D0341000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3424-37-0x000000001C8A0000-0x000000001C8A8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-39-0x000000001C8C0000-0x000000001C8CC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-38-0x000000001C8B0000-0x000000001C8BA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3424-36-0x000000001C890000-0x000000001C89C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-30-0x000000001C730000-0x000000001C73C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-28-0x000000001C610000-0x000000001C61C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-27-0x000000001C600000-0x000000001C60C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-26-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-23-0x000000001CB00000-0x000000001D028000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/3424-25-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-24-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-21-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-22-0x000000001C5A0000-0x000000001C5B2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3424-34-0x000000001C870000-0x000000001C87E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3424-0-0x00007FF9CF883000-0x00007FF9CF885000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/3424-18-0x000000001BD90000-0x000000001BD9C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-17-0x000000001C550000-0x000000001C5A6000-memory.dmp

                      Filesize

                      344KB

                      Download

                    • memory/3424-1-0x0000000000BE0000-0x0000000000F4A000-memory.dmp

                      Filesize

                      3.4MB

                      Download

                    • memory/3424-2-0x00007FF9CF880000-0x00007FF9D0341000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3424-3-0x00000000018B0000-0x00000000018BE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3424-16-0x000000001BC20000-0x000000001BC2A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3424-15-0x000000001BC10000-0x000000001BC20000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3424-14-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-13-0x000000001BC00000-0x000000001BC0C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3424-12-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3424-8-0x00000000031B0000-0x00000000031B8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-10-0x000000001BBB0000-0x000000001BBC6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3424-11-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-9-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3424-7-0x000000001BD40000-0x000000001BD90000-memory.dmp

                      Filesize

                      320KB

                      Download

                    • memory/3424-6-0x0000000003190000-0x00000000031AC000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/3424-5-0x0000000003180000-0x0000000003188000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3424-4-0x0000000003170000-0x000000000317E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/3872-141-0x000001E97BA70000-0x000001E97BAAB000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3872-143-0x000001E97D6E0000-0x000001E97D71B000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/3872-142-0x000001E97D6B0000-0x000001E97D6D9000-memory.dmp

                      Filesize

                      164KB

                      Download