0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
Size

65KB
MD5

915756ae44759560e8476467163b0f5d
SHA1

02c6eeb6a68c4fab801061321645c3cf118b823a
SHA256

0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb
SHA512

4d7b862f7e4dd4856eac8e5982eb7ed10afddb943661b84cd8f06293fed80e26a65595a89b6abdd1d99bd6154791169006a6d0a4f572de756a691cfb9889049c
SSDEEP

1536:bukC8Q3PoN36tJQviFw1noU5BnvA7fLteF3nLrB9z3n+aF9buS9vM:bukC8Q3PoN36tJQviFCocBnIfWl9zOa+

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe	dllhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.url	dllhost.exe

Executes dropped EXE 3 IoCs

pid	Process
4496	dllhost.exe
3100	dllhost.exe
2412	dllhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost.exe = "\"C:\\ProgramData\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost.exe = "\"C:\\ProgramData\\dllhost.exe\" .."	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4140	taskkill.exe
3508	taskkill.exe
452	taskkill.exe
2124	taskkill.exe
3720	taskkill.exe
1308	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1516	schtasks.exe
2236	schtasks.exe
1064	schtasks.exe
656	schtasks.exe
3584	schtasks.exe
820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
Token: SeDebugPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: SeDebugPrivilege	3100	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: SeDebugPrivilege	2412	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe
Token: 33	4496	dllhost.exe
Token: SeIncBasePriorityPrivilege	4496	dllhost.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4496	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe	84
PID 2872 wrote to memory of 4496	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe	84
PID 2872 wrote to memory of 4496	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe	84
PID 2872 wrote to memory of 396	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe	85
PID 2872 wrote to memory of 396	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe	85
PID 2872 wrote to memory of 396	2872	0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe	85
PID 396 wrote to memory of 4124	396	cmd.exe	87
PID 396 wrote to memory of 4124	396	cmd.exe	87
PID 396 wrote to memory of 4124	396	cmd.exe	87
PID 4496 wrote to memory of 4140	4496	dllhost.exe	91
PID 4496 wrote to memory of 4140	4496	dllhost.exe	91
PID 4496 wrote to memory of 4140	4496	dllhost.exe	91
PID 4496 wrote to memory of 4772	4496	dllhost.exe	93
PID 4496 wrote to memory of 4772	4496	dllhost.exe	93
PID 4496 wrote to memory of 4772	4496	dllhost.exe	93
PID 4496 wrote to memory of 1516	4496	dllhost.exe	95
PID 4496 wrote to memory of 1516	4496	dllhost.exe	95
PID 4496 wrote to memory of 1516	4496	dllhost.exe	95
PID 4496 wrote to memory of 3508	4496	dllhost.exe	109
PID 4496 wrote to memory of 3508	4496	dllhost.exe	109
PID 4496 wrote to memory of 3508	4496	dllhost.exe	109
PID 4496 wrote to memory of 3804	4496	dllhost.exe	111
PID 4496 wrote to memory of 3804	4496	dllhost.exe	111
PID 4496 wrote to memory of 3804	4496	dllhost.exe	111
PID 4496 wrote to memory of 2236	4496	dllhost.exe	113
PID 4496 wrote to memory of 2236	4496	dllhost.exe	113
PID 4496 wrote to memory of 2236	4496	dllhost.exe	113
PID 4496 wrote to memory of 452	4496	dllhost.exe	115
PID 4496 wrote to memory of 452	4496	dllhost.exe	115
PID 4496 wrote to memory of 452	4496	dllhost.exe	115
PID 4496 wrote to memory of 1108	4496	dllhost.exe	117
PID 4496 wrote to memory of 1108	4496	dllhost.exe	117
PID 4496 wrote to memory of 1108	4496	dllhost.exe	117
PID 4496 wrote to memory of 1064	4496	dllhost.exe	119
PID 4496 wrote to memory of 1064	4496	dllhost.exe	119
PID 4496 wrote to memory of 1064	4496	dllhost.exe	119
PID 4496 wrote to memory of 2124	4496	dllhost.exe	122
PID 4496 wrote to memory of 2124	4496	dllhost.exe	122
PID 4496 wrote to memory of 2124	4496	dllhost.exe	122
PID 4496 wrote to memory of 4948	4496	dllhost.exe	124
PID 4496 wrote to memory of 4948	4496	dllhost.exe	124
PID 4496 wrote to memory of 4948	4496	dllhost.exe	124
PID 4496 wrote to memory of 656	4496	dllhost.exe	126
PID 4496 wrote to memory of 656	4496	dllhost.exe	126
PID 4496 wrote to memory of 656	4496	dllhost.exe	126
PID 4496 wrote to memory of 3720	4496	dllhost.exe	128
PID 4496 wrote to memory of 3720	4496	dllhost.exe	128
PID 4496 wrote to memory of 3720	4496	dllhost.exe	128
PID 4496 wrote to memory of 3356	4496	dllhost.exe	130
PID 4496 wrote to memory of 3356	4496	dllhost.exe	130
PID 4496 wrote to memory of 3356	4496	dllhost.exe	130
PID 4496 wrote to memory of 3584	4496	dllhost.exe	132
PID 4496 wrote to memory of 3584	4496	dllhost.exe	132
PID 4496 wrote to memory of 3584	4496	dllhost.exe	132
PID 4496 wrote to memory of 1308	4496	dllhost.exe	136
PID 4496 wrote to memory of 1308	4496	dllhost.exe	136
PID 4496 wrote to memory of 1308	4496	dllhost.exe	136
PID 4496 wrote to memory of 2040	4496	dllhost.exe	138
PID 4496 wrote to memory of 2040	4496	dllhost.exe	138
PID 4496 wrote to memory of 2040	4496	dllhost.exe	138
PID 4496 wrote to memory of 820	4496	dllhost.exe	140
PID 4496 wrote to memory of 820	4496	dllhost.exe	140
PID 4496 wrote to memory of 820	4496	dllhost.exe	140

C:\Users\Admin\AppData\Local\Temp\0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe
"C:\Users\Admin\AppData\Local\Temp\0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\ProgramData\dllhost.exe
  "C:\ProgramData\dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1308
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dllhost.exe

Filesize
65KB

MD5
915756ae44759560e8476467163b0f5d

SHA1
02c6eeb6a68c4fab801061321645c3cf118b823a

SHA256
0a5fe6735794d87d1cb917aa4b92947f571eff6b5541008cc1f76a666df4fbfb

SHA512
4d7b862f7e4dd4856eac8e5982eb7ed10afddb943661b84cd8f06293fed80e26a65595a89b6abdd1d99bd6154791169006a6d0a4f572de756a691cfb9889049c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dllhost.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
memory/2872-0-0x0000000074D32000-0x0000000074D33000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2872-2-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/2872-14-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-12-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-15-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-13-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-19-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-20-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-21-0x0000000074D30000-0x00000000752E1000-memory.dmp

Filesize
5.7MB

Download