dcrat | 26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54eff01605da5e7cbdb382c98ece2c2a.exe
Size

1.9MB
MD5

54eff01605da5e7cbdb382c98ece2c2a
SHA1

be2ecfc24603a5e282bdfbb7780a03c1410879b8
SHA256

26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d
SHA512

dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0
SSDEEP

49152:gWLMtwyMxRizAwgueOJNN3lRHiKLWDWU:gLwyMb9ue0NTH2P

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\", \"C:\\Windows\\Tasks\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\All Users\\dllhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\", \"C:\\Windows\\Tasks\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\All Users\\dllhost.exe\", \"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\", \"C:\\Windows\\Tasks\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\All Users\\dllhost.exe\", \"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\54eff01605da5e7cbdb382c98ece2c2a.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\", \"C:\\Windows\\Tasks\\dllhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\", \"C:\\Windows\\Tasks\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	3480	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3480	schtasks.exe	83

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	54eff01605da5e7cbdb382c98ece2c2a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 15 IoCs

pid	Process
3048	dllhost.exe
2640	dllhost.exe
3392	dllhost.exe
732	dllhost.exe
2796	dllhost.exe
3328	dllhost.exe
1764	dllhost.exe
1728	dllhost.exe
64	dllhost.exe
3604	dllhost.exe
2240	dllhost.exe
1816	dllhost.exe
464	dllhost.exe
4828	dllhost.exe
5004	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Tasks\\dllhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Tasks\\dllhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\dllhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Downloaded Program Files\\fontdrvhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\Updates\\upfc.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\dllhost.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54eff01605da5e7cbdb382c98ece2c2a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\54eff01605da5e7cbdb382c98ece2c2a.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54eff01605da5e7cbdb382c98ece2c2a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\54eff01605da5e7cbdb382c98ece2c2a.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	54eff01605da5e7cbdb382c98ece2c2a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9048034FC19844C590E4512C2A109D8D.TMP	csc.exe
File created	\??\c:\Windows\System32\ewkptm.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\upfc.exe	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Program Files\Microsoft Office\Updates\ea1d8f6d871115	54eff01605da5e7cbdb382c98ece2c2a.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\fontdrvhost.exe	54eff01605da5e7cbdb382c98ece2c2a.exe
File opened for modification	C:\Windows\Downloaded Program Files\fontdrvhost.exe	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Windows\Downloaded Program Files\5b884080fd4f94	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Windows\Tasks\dllhost.exe	54eff01605da5e7cbdb382c98ece2c2a.exe
File created	C:\Windows\Tasks\5940a34987c991	54eff01605da5e7cbdb382c98ece2c2a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3768	PING.EXE
1168	PING.EXE
3876	PING.EXE
864	PING.EXE
2276	PING.EXE
3948	PING.EXE
4828	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	54eff01605da5e7cbdb382c98ece2c2a.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3876	PING.EXE
864	PING.EXE
2276	PING.EXE
3948	PING.EXE
4828	PING.EXE
3768	PING.EXE
1168	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2320	schtasks.exe
2516	schtasks.exe
5056	schtasks.exe
2008	schtasks.exe
4260	schtasks.exe
2240	schtasks.exe
4448	schtasks.exe
3544	schtasks.exe
3764	schtasks.exe
2800	schtasks.exe
1568	schtasks.exe
3396	schtasks.exe
2576	schtasks.exe
2024	schtasks.exe
3220	schtasks.exe
1268	schtasks.exe
5012	schtasks.exe
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe
3660	54eff01605da5e7cbdb382c98ece2c2a.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	54eff01605da5e7cbdb382c98ece2c2a.exe
Token: SeDebugPrivilege	3048	dllhost.exe
Token: SeDebugPrivilege	2640	dllhost.exe
Token: SeDebugPrivilege	3392	dllhost.exe
Token: SeDebugPrivilege	732	dllhost.exe
Token: SeDebugPrivilege	2796	dllhost.exe
Token: SeDebugPrivilege	3328	dllhost.exe
Token: SeDebugPrivilege	1764	dllhost.exe
Token: SeDebugPrivilege	1728	dllhost.exe
Token: SeDebugPrivilege	64	dllhost.exe
Token: SeDebugPrivilege	3604	dllhost.exe
Token: SeDebugPrivilege	2240	dllhost.exe
Token: SeDebugPrivilege	1816	dllhost.exe
Token: SeDebugPrivilege	464	dllhost.exe
Token: SeDebugPrivilege	4828	dllhost.exe
Token: SeDebugPrivilege	5004	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3936	3660	54eff01605da5e7cbdb382c98ece2c2a.exe	87
PID 3660 wrote to memory of 3936	3660	54eff01605da5e7cbdb382c98ece2c2a.exe	87
PID 3936 wrote to memory of 2640	3936	csc.exe	89
PID 3936 wrote to memory of 2640	3936	csc.exe	89
PID 3660 wrote to memory of 1316	3660	54eff01605da5e7cbdb382c98ece2c2a.exe	105
PID 3660 wrote to memory of 1316	3660	54eff01605da5e7cbdb382c98ece2c2a.exe	105
PID 1316 wrote to memory of 1896	1316	cmd.exe	107
PID 1316 wrote to memory of 1896	1316	cmd.exe	107
PID 1316 wrote to memory of 864	1316	cmd.exe	108
PID 1316 wrote to memory of 864	1316	cmd.exe	108
PID 1316 wrote to memory of 3048	1316	cmd.exe	117
PID 1316 wrote to memory of 3048	1316	cmd.exe	117
PID 3048 wrote to memory of 1768	3048	dllhost.exe	123
PID 3048 wrote to memory of 1768	3048	dllhost.exe	123
PID 1768 wrote to memory of 4392	1768	cmd.exe	125
PID 1768 wrote to memory of 4392	1768	cmd.exe	125
PID 1768 wrote to memory of 2276	1768	cmd.exe	126
PID 1768 wrote to memory of 2276	1768	cmd.exe	126
PID 1768 wrote to memory of 2640	1768	cmd.exe	128
PID 1768 wrote to memory of 2640	1768	cmd.exe	128
PID 2640 wrote to memory of 3348	2640	dllhost.exe	133
PID 2640 wrote to memory of 3348	2640	dllhost.exe	133
PID 3348 wrote to memory of 5116	3348	cmd.exe	135
PID 3348 wrote to memory of 5116	3348	cmd.exe	135
PID 3348 wrote to memory of 224	3348	cmd.exe	136
PID 3348 wrote to memory of 224	3348	cmd.exe	136
PID 3348 wrote to memory of 3392	3348	cmd.exe	139
PID 3348 wrote to memory of 3392	3348	cmd.exe	139
PID 3392 wrote to memory of 3524	3392	dllhost.exe	142
PID 3392 wrote to memory of 3524	3392	dllhost.exe	142
PID 3524 wrote to memory of 3652	3524	cmd.exe	144
PID 3524 wrote to memory of 3652	3524	cmd.exe	144
PID 3524 wrote to memory of 3948	3524	cmd.exe	145
PID 3524 wrote to memory of 3948	3524	cmd.exe	145
PID 3524 wrote to memory of 732	3524	cmd.exe	147
PID 3524 wrote to memory of 732	3524	cmd.exe	147
PID 732 wrote to memory of 1996	732	dllhost.exe	150
PID 732 wrote to memory of 1996	732	dllhost.exe	150
PID 1996 wrote to memory of 4528	1996	cmd.exe	152
PID 1996 wrote to memory of 4528	1996	cmd.exe	152
PID 1996 wrote to memory of 1184	1996	cmd.exe	153
PID 1996 wrote to memory of 1184	1996	cmd.exe	153
PID 1996 wrote to memory of 2796	1996	cmd.exe	155
PID 1996 wrote to memory of 2796	1996	cmd.exe	155
PID 2796 wrote to memory of 2032	2796	dllhost.exe	158
PID 2796 wrote to memory of 2032	2796	dllhost.exe	158
PID 2032 wrote to memory of 1336	2032	cmd.exe	160
PID 2032 wrote to memory of 1336	2032	cmd.exe	160
PID 2032 wrote to memory of 4828	2032	cmd.exe	161
PID 2032 wrote to memory of 4828	2032	cmd.exe	161
PID 2032 wrote to memory of 3328	2032	cmd.exe	163
PID 2032 wrote to memory of 3328	2032	cmd.exe	163
PID 3328 wrote to memory of 4676	3328	dllhost.exe	166
PID 3328 wrote to memory of 4676	3328	dllhost.exe	166
PID 4676 wrote to memory of 3748	4676	cmd.exe	168
PID 4676 wrote to memory of 3748	4676	cmd.exe	168
PID 4676 wrote to memory of 3064	4676	cmd.exe	169
PID 4676 wrote to memory of 3064	4676	cmd.exe	169
PID 4676 wrote to memory of 1764	4676	cmd.exe	171
PID 4676 wrote to memory of 1764	4676	cmd.exe	171
PID 1764 wrote to memory of 2764	1764	dllhost.exe	174
PID 1764 wrote to memory of 2764	1764	dllhost.exe	174
PID 2764 wrote to memory of 2252	2764	cmd.exe	176
PID 2764 wrote to memory of 2252	2764	cmd.exe	176

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe
"C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kce2hhdc\kce2hhdc.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7B5.tmp" "c:\Windows\System32\CSC9048034FC19844C590E4512C2A109D8D.TMP"
    3⤵
    PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\txxvc8dktP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1896
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:864
- - C:\Users\All Users\dllhost.exe
    "C:\Users\All Users\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0zcoxmH8Pr.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4392
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
    - - C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:224
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RUQLKbDAyI.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3948
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1184
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qp3qGlURdT.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4828
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3064
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3948
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"
        18⤵
        
        PID:384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4416
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wV103PPj9V.bat"
        20⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3768
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"
        22⤵
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2000
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R3sykWUIoO.bat"
        24⤵
        
        PID:4700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1764
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        26⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1168
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat"
        28⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:64
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5056
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat"
        30⤵
        
        PID:3276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4224
        
        C:\Users\All Users\dllhost.exe
        
        "C:\Users\All Users\dllhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wV103PPj9V.bat"
        32⤵
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54eff01605da5e7cbdb382c98ece2c2a5" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54eff01605da5e7cbdb382c98ece2c2a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "54eff01605da5e7cbdb382c98ece2c2a5" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\54eff01605da5e7cbdb382c98ece2c2a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Updates\upfc.exe

Filesize
1.9MB

MD5
54eff01605da5e7cbdb382c98ece2c2a

SHA1
be2ecfc24603a5e282bdfbb7780a03c1410879b8

SHA256
26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

SHA512
dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\0zcoxmH8Pr.bat

Filesize
158B

MD5
75249a16e16d8f665117e8978ab3f572

SHA1
d2587db4fc177ccf5d013836419c3db1e8fa2b1a

SHA256
56db8aaf4f1daaf1dd5f49519bcf80fe4ad468c6822feddf12428ece15759560

SHA512
e8a6dbd5077724817a0ed1b3a6c14ef570b99ecb029b96d21573c63f4480beb07820c0ea88793bb7b6864b0d61e66359b772be12a34c15c14e11478dc5f4bc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat

Filesize
206B

MD5
55c06dd5bb0c6eaf83b03cc5a8643d95

SHA1
03003c32a0cbb667c393f714e644c5abd743f362

SHA256
22ab729d2a19d0d1a2d8b12f42200e00a388699c55bd2f4adbbf87b3a423320c

SHA512
5b442353697883f7f89b471019a4d335be9a677cab5b6c5f1a004b645177148660ac6e39d176c1450868efabb714ad83f299f837d26d2d2c018e2e0860730366

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat

Filesize
206B

MD5
240a97d1b6044f161d6fc3309f4c6431

SHA1
aa9c41859a06e2dac1c67f8979f0ab7fa233c411

SHA256
c9a4435526cac653f8ce6ae9d35bb3d5a34c69c5e94e84fc795fe8ab1e5c44d2

SHA512
659a765639f87db12e978d687edfe98ab112364e298c150aa9b9b2da0b5afa71b1e036eee0be98a573db0e3699b4f6ef3c7798a9a9c1b27d096a1eb2ceb61bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat

Filesize
206B

MD5
39d318cd1db1cbf372f2a9514a06d83f

SHA1
0397f5f80cdc405493749704941a560cfa7eb5a0

SHA256
fb6446709237cccdeb0f3eeb2f124b60886f6e7598ed82de0508c3a53ab6e359

SHA512
66ba865b75dc99bc97a4e9a9d314163793498a89437632073364fe922f5187e1120f0206764e68a50fa04efe79c5a1ac19f0925359f5fd8686d75c7e752b4ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat

Filesize
206B

MD5
1d3b3fcb73595e52a1aaa761d8ff695b

SHA1
c4f21410fc6281f1e01db71d3f13bb6e3aca1684

SHA256
73556fd827a5b2a66379596eb23d642e077e8fba673f6a6f3773f74173c812c9

SHA512
87d291d8f98aff2030d09b1f54d138b42c230dc61dc7f97c056c33fd9d0a552fdc77e5d5982508627d8662903a3888e400f5db1a518068980582d478419fa369

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qp3qGlURdT.bat

Filesize
158B

MD5
0dd37b6c2997d62bc3a5ec8cdd0558b9

SHA1
35c8085059af255140a8f4b3f93eae185c1cb71c

SHA256
e3afd289847df654f3bc1b7b885008470b985c97bc887aa9f450b1d83ee5c3da

SHA512
148ddbbd5fa91a6320adc3ac6db9ffc27931da54523c72bda2a507eca795b66ac50418da7064636ffcf924b07c8b590fa42fd864732accaadcd1c779e3731f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\R3sykWUIoO.bat

Filesize
206B

MD5
466159535b803a6ee6d2936410a5d81e

SHA1
df3a2be52a1f6d684b2b447d55eae8c06eb0ef72

SHA256
bbca5927debd6459e15346ee4135cf2f3eeddf3d36dbebab5e1f90e89e11c213

SHA512
4e393f407256ba63ed70b5503631f3363a77b46ca6af61702a169bfee60f4dfbd5f15a1b618bec6d45eb488dc527e24a26cc7dbf6e6d7679f64be76f3749983b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7B5.tmp

Filesize
1KB

MD5
9465a9ebc9702ba3b2decfcd45caf585

SHA1
43790dc97691713c8482113d1533644fb99dfedf

SHA256
f6bc03f7c2c6439e6c4f546e49b1dbaf13e68cf3059d183c949b64e65cf2936f

SHA512
d2b0899ab5d88844c48f654984f532255bb652950c509c7e93bc04fda0b068b014fba09bc18aa3c2882cbbd5e658f9e97b91e93817c288e1baad09136ec8b164

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUQLKbDAyI.bat

Filesize
158B

MD5
fa191e1dbcc474999236ad517604be2a

SHA1
da20532b2547b0afb5d1e346ac7fb57ba8e3501a

SHA256
baa6ce99c2216bbd2b912575b8338a9313d9d1f348fc430a34921e09a1e3bc57

SHA512
110bfd2c371d8eee676a771118e76b8b61fc12ecef30718eb9a03d35d9a3ea14a444981cadc608e820184eba5d3f8a0282d2a5a439b1ab6363ef35ec21d650ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat

Filesize
206B

MD5
04ef3f794fe9ab4f86612adfb64d2e30

SHA1
5117be65ffd5eed4077bc967f920cd4575a33e55

SHA256
c35b95ea48cb793bb969df35cf87790038c217143fccf469bb1b9896042f7c38

SHA512
9f45585f53105f4b21c4255a6bc973d49c2da1075ca3abad5ff7f63a0f360151ecd5dbeefc8dbc9f47d8e73852d858953d104881182db4a5b134bdd872785644

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat

Filesize
206B

MD5
e8206bb38689195c652a9b69a4d341a4

SHA1
9e8030f95c8729bc33e3925afdc85bc208e3ea2b

SHA256
a574769793139b3e4730d1585c1186fa62a65cc0c1fcff4ef5c39ec11a5ed7e9

SHA512
b6c224c34746ad7541f236699cc9b6bfda0ae3bc9ea2d53bd838490d7bd0942c3d19969331a36faa1bab5b71312dddda314aaf2e4e07dc54c91cda342cadd241

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
158B

MD5
edb5a72e76d538f1d14ea0a805519365

SHA1
e9c5b8e6ccc67e6f182c8158f8a1ef420303dfbb

SHA256
97a59426585df6abd64bfe385b521fa7ef22a8cf7514df7cf03473ae298e7222

SHA512
5cc2ab725410c8c19e271b71a249bf5b05a0a03e26dbb3587d5e369b5449fc1767227c4fffc07d0405b088f50e6eaef5ff1f582881b3af61501caf6f51ef51f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat

Filesize
206B

MD5
f743a2c22f38db12fa96891c68f0f61d

SHA1
74e1e837f678e6714351ca775352da708c34aca1

SHA256
73a45b1cac4e9dbd20eb3774dfcb5f09c0b3e3432e0cd00bad8adb6ddfcb19f9

SHA512
1342c30542fc45212715d3204a71ca3c1b9a8865a9f91f47b0dbba6af4c1be76bd22578e4a5fd1f0a2395f739f3574250fb58942bde09b0c0a65adfba1d91e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\txxvc8dktP.bat

Filesize
158B

MD5
5eef6bec2ff3041d3225c714432cbd49

SHA1
639ab3ec368f369aa63d4915dfb8e43e7ea4355d

SHA256
ed92012596c0202771cb1f41a44fd50fd1f5791080bf9192e23437968f8c3da9

SHA512
34b7fafeeefe0ae97dc9d79f662cc131e5d2f522b08286e7e950123ebbd9c766c53bc42faa59d5f67c76d25d2b7a2fc96a9d44b1800c10e54e7c3019acb74593

Download Submit
C:\Users\Admin\AppData\Local\Temp\wV103PPj9V.bat

Filesize
158B

MD5
62151a06ebbbd677a7a7ae5c1a5c858d

SHA1
e4598382dc1d2615f183dc17c2e4b1b75506e170

SHA256
1190f144db1b6f45524ac5d2d63ca14d0194190907428ee62aff8deb89cffc99

SHA512
d126df932fd2d49c2ac17176fdd77bc817dfa4db2423e1d453eda512589f35aec8e6b9bbc110dacd5965238df1223af7925ca64f6be8344da4771d98e246813c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kce2hhdc\kce2hhdc.0.cs

Filesize
382B

MD5
df737e4f4f12b38c425b2b2d9f1b80bf

SHA1
18f2e59d655db65ea8030e1bab1f4169f403b992

SHA256
07ef3946f22741ac0285808d0c1e0d454a0168da36e1721998063925248a11a9

SHA512
404ec5805d977971aed56bf4e998a187dba468de95e8a47f926c3f9621e728b6087690097ff5d35319b627eeb030becb7b7ded60c5f3d400771671666aa99879

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kce2hhdc\kce2hhdc.cmdline

Filesize
235B

MD5
3f6860aa28268517c123971c49760c42

SHA1
4bd01301de25fa068f86ef60468246a8f0703340

SHA256
5cd63dc34015f49c864b6430fa794d3af031c4f82e5a0998578887d0eb02854e

SHA512
92937dfd58c16e6a84181f3f231d52f13dcd4d263e646898e7733ede54f434dfab95ae22d239f623437a8a0923d6900948d44b51f0f3e838c54411139e925d47

Download Submit
\??\c:\Windows\System32\CSC9048034FC19844C590E4512C2A109D8D.TMP

Filesize
1KB

MD5
be99f41194f5159cc131a1a4353a0e0a

SHA1
f24e3bf06e777b4de8d072166cff693e43f2295c

SHA256
564d9051e5639603c83562a9ff2c2e478cc7e13d54faf39f761297bac78603bf

SHA512
51d1a50772bb7d689193e6a9b2e363185cf5438103644b2b68cf13e08274c5d99407b99f8cdc856143d28669f5ee4ee316041a8e33df42f55bfd181aa3f3c0f5

Download Submit
memory/64-187-0x000000001C620000-0x000000001C68B000-memory.dmp

Filesize
428KB

Download
memory/464-243-0x000000001C9E0000-0x000000001CA4B000-memory.dmp

Filesize
428KB

Download
memory/732-117-0x000000001BEA0000-0x000000001BF0B000-memory.dmp

Filesize
428KB

Download
memory/1728-173-0x000000001B540000-0x000000001B5AB000-memory.dmp

Filesize
428KB

Download
memory/1764-159-0x000000001B0A0000-0x000000001B10B000-memory.dmp

Filesize
428KB

Download
memory/1816-229-0x000000001C7A0000-0x000000001C80B000-memory.dmp

Filesize
428KB

Download
memory/2240-215-0x000000001C890000-0x000000001C8FB000-memory.dmp

Filesize
428KB

Download
memory/2640-89-0x000000001CA90000-0x000000001CAFB000-memory.dmp

Filesize
428KB

Download
memory/2796-131-0x000000001B5D0000-0x000000001B63B000-memory.dmp

Filesize
428KB

Download
memory/3048-74-0x000000001C770000-0x000000001C7DB000-memory.dmp

Filesize
428KB

Download
memory/3328-145-0x000000001C330000-0x000000001C39B000-memory.dmp

Filesize
428KB

Download
memory/3392-103-0x000000001BEE0000-0x000000001BF4B000-memory.dmp

Filesize
428KB

Download
memory/3604-201-0x000000001C0E0000-0x000000001C14B000-memory.dmp

Filesize
428KB

Download
memory/3660-13-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-12-0x000000001B0D0000-0x000000001B0E8000-memory.dmp

Filesize
96KB

Download
memory/3660-40-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-39-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-35-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-32-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-22-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-56-0x000000001B800000-0x000000001B86B000-memory.dmp

Filesize
428KB

Download
memory/3660-21-0x000000001B0F0000-0x000000001B0FC000-memory.dmp

Filesize
48KB

Download
memory/3660-19-0x00000000025E0000-0x00000000025EE000-memory.dmp

Filesize
56KB

Download
memory/3660-17-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/3660-0-0x00007FFD4F463000-0x00007FFD4F465000-memory.dmp

Filesize
8KB

Download
memory/3660-15-0x00000000025A0000-0x00000000025AC000-memory.dmp

Filesize
48KB

Download
memory/3660-50-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-10-0x000000001B470000-0x000000001B4C0000-memory.dmp

Filesize
320KB

Download
memory/3660-57-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-9-0x00000000025C0000-0x00000000025DC000-memory.dmp

Filesize
112KB

Download
memory/3660-7-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-6-0x0000000002480000-0x000000000248E000-memory.dmp

Filesize
56KB

Download
memory/3660-4-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-3-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-2-0x00007FFD4F460000-0x00007FFD4FF21000-memory.dmp

Filesize
10.8MB

Download
memory/3660-1-0x0000000000170000-0x0000000000364000-memory.dmp

Filesize
2.0MB

Download
memory/4828-257-0x0000000002930000-0x000000000299B000-memory.dmp

Filesize
428KB

Download
memory/5004-271-0x000000001CE00000-0x000000001CE6B000-memory.dmp

Filesize
428KB

Download