dcrat | 5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edc

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
Size

2.3MB
MD5

97fa326a760987d1c96801f65c705bb0
SHA1

7024cfcb2f42320212f08fada83916189131717c
SHA256

5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edc
SHA512

ad0a599a90f368c710349bec888a1a491ee59f5e3d5c8d6e2703691cb584f1fc9ca10a1dbc5c4cbd4c7e26c6779c48ad4104051f4fc1cad3d1691de04cc84aef
SSDEEP

49152:P581k6pWQwY9zhWLCGUdeuGMvLq0jvYQxk:P58C6pgTEO0jvYQ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	384	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	384	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/864-1-0x0000000000DC0000-0x0000000001010000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c91-19.dat	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 11 IoCs

pid	Process
636	dllhost.exe
3140	dllhost.exe
2228	dllhost.exe
4600	dllhost.exe
1960	dllhost.exe
2564	dllhost.exe
2788	dllhost.exe
3140	dllhost.exe
4120	dllhost.exe
3028	dllhost.exe
3312	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
41	pastebin.com
42	pastebin.com
43	pastebin.com
50	pastebin.com
16	pastebin.com
23	pastebin.com
37	pastebin.com
38	pastebin.com
49	pastebin.com
51	pastebin.com
15	pastebin.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\55b276f4edf653	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Windows Mail\OfficeClickToRun.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\5d45d65db7e624	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Java\e1ef82546f0b02	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ee2ad38f3d4382	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Windows Mail\e6c9b481da804f	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Java\SppExtComObj.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Registry.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Common Files\dllhost.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Common Files\5940a34987c991	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\9e8d7a4ca61bd9	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\0a1fd5f707cd16	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\SystemApps\explorer.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\SystemApps\7a0fd90576e088	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Branding\shellbrd\smss.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Branding\shellbrd\69ddcba757bf72	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
File created	C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1128	schtasks.exe
4576	schtasks.exe
224	schtasks.exe
3764	schtasks.exe
2992	schtasks.exe
4104	schtasks.exe
2684	schtasks.exe
2956	schtasks.exe
2292	schtasks.exe
3212	schtasks.exe
4616	schtasks.exe
3504	schtasks.exe
4012	schtasks.exe
4356	schtasks.exe
4464	schtasks.exe
212	schtasks.exe
4708	schtasks.exe
2628	schtasks.exe
4512	schtasks.exe
2412	schtasks.exe
4032	schtasks.exe
3404	schtasks.exe
2784	schtasks.exe
1052	schtasks.exe
1592	schtasks.exe
4284	schtasks.exe
2328	schtasks.exe
216	schtasks.exe
3976	schtasks.exe
4352	schtasks.exe
436	schtasks.exe
352	schtasks.exe
3936	schtasks.exe
1224	schtasks.exe
2488	schtasks.exe
3124	schtasks.exe
3640	schtasks.exe
1552	schtasks.exe
1208	schtasks.exe
3876	schtasks.exe
2200	schtasks.exe
2480	schtasks.exe
1928	schtasks.exe
4944	schtasks.exe
4116	schtasks.exe
1828	schtasks.exe
4084	schtasks.exe
916	schtasks.exe
1124	schtasks.exe
8	schtasks.exe
4164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
636	dllhost.exe
3140	dllhost.exe
2228	dllhost.exe
4600	dllhost.exe
1960	dllhost.exe
2564	dllhost.exe
2788	dllhost.exe
3140	dllhost.exe
4120	dllhost.exe
3028	dllhost.exe
3312	dllhost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
Token: SeDebugPrivilege	636	dllhost.exe
Token: SeDebugPrivilege	3140	dllhost.exe
Token: SeDebugPrivilege	2228	dllhost.exe
Token: SeDebugPrivilege	4600	dllhost.exe
Token: SeDebugPrivilege	1960	dllhost.exe
Token: SeDebugPrivilege	2564	dllhost.exe
Token: SeDebugPrivilege	2788	dllhost.exe
Token: SeDebugPrivilege	3140	dllhost.exe
Token: SeDebugPrivilege	4120	dllhost.exe
Token: SeDebugPrivilege	3028	dllhost.exe
Token: SeDebugPrivilege	3312	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1788	864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	134
PID 864 wrote to memory of 1788	864	5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe	134
PID 1788 wrote to memory of 1228	1788	cmd.exe	136
PID 1788 wrote to memory of 1228	1788	cmd.exe	136
PID 1788 wrote to memory of 636	1788	cmd.exe	141
PID 1788 wrote to memory of 636	1788	cmd.exe	141
PID 636 wrote to memory of 1512	636	dllhost.exe	143
PID 636 wrote to memory of 1512	636	dllhost.exe	143
PID 1512 wrote to memory of 868	1512	cmd.exe	145
PID 1512 wrote to memory of 868	1512	cmd.exe	145
PID 1512 wrote to memory of 3140	1512	cmd.exe	148
PID 1512 wrote to memory of 3140	1512	cmd.exe	148
PID 3140 wrote to memory of 4464	3140	dllhost.exe	149
PID 3140 wrote to memory of 4464	3140	dllhost.exe	149
PID 4464 wrote to memory of 1400	4464	cmd.exe	151
PID 4464 wrote to memory of 1400	4464	cmd.exe	151
PID 4464 wrote to memory of 2228	4464	cmd.exe	153
PID 4464 wrote to memory of 2228	4464	cmd.exe	153
PID 2228 wrote to memory of 4220	2228	dllhost.exe	155
PID 2228 wrote to memory of 4220	2228	dllhost.exe	155
PID 4220 wrote to memory of 4004	4220	cmd.exe	157
PID 4220 wrote to memory of 4004	4220	cmd.exe	157
PID 4220 wrote to memory of 4600	4220	cmd.exe	158
PID 4220 wrote to memory of 4600	4220	cmd.exe	158
PID 4600 wrote to memory of 1952	4600	dllhost.exe	159
PID 4600 wrote to memory of 1952	4600	dllhost.exe	159
PID 1952 wrote to memory of 3856	1952	cmd.exe	161
PID 1952 wrote to memory of 3856	1952	cmd.exe	161
PID 1952 wrote to memory of 1960	1952	cmd.exe	162
PID 1952 wrote to memory of 1960	1952	cmd.exe	162
PID 1960 wrote to memory of 3092	1960	dllhost.exe	163
PID 1960 wrote to memory of 3092	1960	dllhost.exe	163
PID 3092 wrote to memory of 2040	3092	cmd.exe	165
PID 3092 wrote to memory of 2040	3092	cmd.exe	165
PID 3092 wrote to memory of 2564	3092	cmd.exe	166
PID 3092 wrote to memory of 2564	3092	cmd.exe	166
PID 2564 wrote to memory of 1080	2564	dllhost.exe	167
PID 2564 wrote to memory of 1080	2564	dllhost.exe	167
PID 1080 wrote to memory of 2716	1080	cmd.exe	169
PID 1080 wrote to memory of 2716	1080	cmd.exe	169
PID 1080 wrote to memory of 2788	1080	cmd.exe	170
PID 1080 wrote to memory of 2788	1080	cmd.exe	170
PID 2788 wrote to memory of 1928	2788	dllhost.exe	171
PID 2788 wrote to memory of 1928	2788	dllhost.exe	171
PID 1928 wrote to memory of 3528	1928	cmd.exe	173
PID 1928 wrote to memory of 3528	1928	cmd.exe	173
PID 1928 wrote to memory of 3140	1928	cmd.exe	174
PID 1928 wrote to memory of 3140	1928	cmd.exe	174
PID 3140 wrote to memory of 5088	3140	dllhost.exe	175
PID 3140 wrote to memory of 5088	3140	dllhost.exe	175
PID 5088 wrote to memory of 4664	5088	cmd.exe	177
PID 5088 wrote to memory of 4664	5088	cmd.exe	177
PID 5088 wrote to memory of 4120	5088	cmd.exe	178
PID 5088 wrote to memory of 4120	5088	cmd.exe	178
PID 4120 wrote to memory of 4004	4120	dllhost.exe	179
PID 4120 wrote to memory of 4004	4120	dllhost.exe	179
PID 4004 wrote to memory of 4012	4004	cmd.exe	181
PID 4004 wrote to memory of 4012	4004	cmd.exe	181
PID 4004 wrote to memory of 3028	4004	cmd.exe	182
PID 4004 wrote to memory of 3028	4004	cmd.exe	182
PID 3028 wrote to memory of 4816	3028	dllhost.exe	183
PID 3028 wrote to memory of 4816	3028	dllhost.exe	183
PID 4816 wrote to memory of 1952	4816	cmd.exe	185
PID 4816 wrote to memory of 1952	4816	cmd.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe
"C:\Users\Admin\AppData\Local\Temp\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Im4812XXK6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1228
- - C:\Program Files (x86)\Common Files\dllhost.exe
    "C:\Program Files (x86)\Common Files\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:868
    - - C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1400
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4004
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3856
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2716
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3528
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4664
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4012
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1952
        
        C:\Program Files (x86)\Common Files\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        24⤵
        
        PID:3360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\shellbrd\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\shellbrd\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SystemApps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN5" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN5" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Documents\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\dllhost.exe

Filesize
2.3MB

MD5
97fa326a760987d1c96801f65c705bb0

SHA1
7024cfcb2f42320212f08fada83916189131717c

SHA256
5c8bb6e672b99729898943e947d266b2f53f3514068cd89225741a80463c2edc

SHA512
ad0a599a90f368c710349bec888a1a491ee59f5e3d5c8d6e2703691cb584f1fc9ca10a1dbc5c4cbd4c7e26c6779c48ad4104051f4fc1cad3d1691de04cc84aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
212B

MD5
193ade3c279668f9560e76aab201ad8c

SHA1
47f6ef89fbbff45bd82d638b7cb3ce434a98fc92

SHA256
cd3f20c5d8f278a743f8a02da22169ccebcefa67624a58a30a9d9c1ceacb8e11

SHA512
a2731bd263969ec4b56b8de13cdf1c866291de61f3e7a6c754ab14cdf18c07f7654283d875a1aef99518690d4647c5462690638f706369242562b94836a20f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
212B

MD5
cb298e2f1a3876018114e24e9053d572

SHA1
2abd382629127a80054ae5cf9710623acf151360

SHA256
be93a3f6ce1e3a006dc93b175e2825ce7573e429ca129c80a5e9a49e87ccaf05

SHA512
07bc6512718b6a05b9544136213d093dd372fc2c8a6a53343048f18356f04aec61dcd1b619906c86e3bde9a022ecfa8a8361c42ce9cbd9cb36bcfdc39c151008

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
212B

MD5
a95107b97e7e0cf05a6f638c07fed81a

SHA1
0a46105f31591c17624da61691ebac3acd6a1fdd

SHA256
4a702e99514b06057d1c84b3287adbb8cd6e7dae17034f989c23e4464bc95757

SHA512
c2acd8ea59be6f85b577b8c7d636e76eb90cd42fb5c8cc5ebf9ee00543c990d9ce38b9d73da47efb5e8135c14744d24d2e4a9087af684cc983eab00d61217944

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
212B

MD5
38c40a7bab1bd6f0cf76520aa5f062b3

SHA1
26d4e0b381660d8421b251ae79950282e169ccb6

SHA256
136d10e332bed92b4bf96dacb808237286bbf78bc881392c8a37b5526cb72eb7

SHA512
7ead37d82ff96f783c99b10f0f945687f9db48e93d8f18dace4532c8cec191c5c82bca8b1e676b57eb704d59d0469da1c25157c772b456f9feb792310a2499ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Im4812XXK6.bat

Filesize
212B

MD5
d9e00f64851e2c349f047612d2e7fb0c

SHA1
0166db7aef51a7e2743fc82a900efe7909872617

SHA256
0429c0b9f19956671d75d10f06cc546bd9fdc8bf9f2e7a1709fda541c081eecc

SHA512
789fe8bc417c660b7affde546a4c05d94b583f3e40f5dd969c9abf24b00009b95b0cf9ff2fc243622d6383a30eed96689d48f260359ef33fba642023df448eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
212B

MD5
c7ff113f358636681c91671b14ac84cf

SHA1
7e4e2d6bd7dde740847e3c626a256d4d8b7d5b5f

SHA256
46f8e90b830fca70674bea2f78dc373aedfe2d9e4ec6c1dd4b147b1f9745226c

SHA512
7fcfac76b1cf6bdba5cd1cb1de9cca7b7fa3d1d4fcb97a4cba66b1e28262e913512a71989a335a831b0a1a660c29e160109ec7b463327992eb924e431f561929

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
212B

MD5
1a678d334ce978145017657f7299d0ec

SHA1
3c44c75e062fcd9aab52d52ddbf87e815c338c71

SHA256
0444cf3ea5532f6dca094ffc5431caa83b266bf7d10321e7ae58f71daab70998

SHA512
53b70b201e0681d4696c519a65b49745eb9fb04638952c27911d2e189136b3fac656c44497dc55749c7a4da5e97ddf88c88c137588f670e216b689ab79fbc3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
212B

MD5
dfbd445c7b578517ad0be2621718997e

SHA1
413cd489a3674845c33bf14254c31b2cb60c56d9

SHA256
63e608d595a8aaf492c3b8e634867dbff552ccb2d430856c97b47c785c46f087

SHA512
232806c4d9873c53160c2cab34405ac041b2d9196c68071c6fc66af9e560d68fb8ff60329454d6c7eb115f35cb5ef2a1aed946ce46a4f27000e482684bb13cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
212B

MD5
fcc2ff0a56cd6ccd3941ec3d3cc4bc7b

SHA1
0ff1e2f5719eff2af8479b3bf93b4c7c3eef544f

SHA256
5a65d2babdcf85c9def89d48f91fb2aad797bb7ef6648445479fb514ca86873a

SHA512
f7847731acba8d423a428fb6502a0ace15844625136d0aa95866b4d900efa5731e0acc83e68569d7202fffd54e97617529742daa4851a2be023d6ea61237c047

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
212B

MD5
a78504c650b62fe50aa52274e6968420

SHA1
42344275d414bd1b4cf0ba3ec06af81c087d8ae0

SHA256
a12c17941e9cb68d08029e092c49d8da5fffbcd57b59aca4493119aebd094f7f

SHA512
d02b8a1bcabd77dd7088c2de510725447f2bee052a971878a34dd24239f3131ce03ec6d50072d066b7305d7d8b3fc7afba9f76adf37dfa3d5e85e65ff368f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
212B

MD5
62c97c8dbea03b4e94c959199d3979c9

SHA1
7d966f5d00ee5f71782562fb6e0fb607498f4df8

SHA256
6300f62f8a388c7b838b20346a3f3fd80affec7250baa3a94f12f934d2c82a5d

SHA512
c070734bd21a985a13e6ccca8733f7f1f70d45d16142f78e130306ad03d43b15a03c5198f144cf31538094e2cd8a9d2ae8b28a2c78eec8822760999c018ae7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
212B

MD5
8901f40911692612867ba052f2c4a4a0

SHA1
96d0fae8023dd671feac2b7c904db041f3613cd6

SHA256
492cdee3a7e32c951c22735732c73d97932239c21ddcb922656407b12a4df17b

SHA512
5d7b7231e655f95256c4746435ab3566458ff6ca327e2e289129fe5ce21fb13b5eacd00d4b3ee01a2894ff3ca4266bd9cb13f74e78f3d0407100de6e9de7f4c2

Download Submit
memory/636-55-0x0000000002A10000-0x0000000002A22000-memory.dmp

Filesize
72KB

Download
memory/864-6-0x000000001C170000-0x000000001C1C6000-memory.dmp

Filesize
344KB

Download
memory/864-7-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/864-8-0x000000001CA80000-0x000000001CFA8000-memory.dmp

Filesize
5.2MB

Download
memory/864-5-0x000000001BC20000-0x000000001BC36000-memory.dmp

Filesize
88KB

Download
memory/864-2-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/864-1-0x0000000000DC0000-0x0000000001010000-memory.dmp

Filesize
2.3MB

Download
memory/864-9-0x000000001BC50000-0x000000001BC5E000-memory.dmp

Filesize
56KB

Download
memory/864-4-0x000000001C1C0000-0x000000001C210000-memory.dmp

Filesize
320KB

Download
memory/864-10-0x000000001C230000-0x000000001C238000-memory.dmp

Filesize
32KB

Download
memory/864-0-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

Filesize
8KB

Download
memory/864-50-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

Filesize
10.8MB

Download
memory/864-3-0x00000000017D0000-0x00000000017EC000-memory.dmp

Filesize
112KB

Download
memory/1960-85-0x0000000002C60000-0x0000000002CB6000-memory.dmp

Filesize
344KB

Download
memory/2564-92-0x000000001B060000-0x000000001B0B6000-memory.dmp

Filesize
344KB

Download
memory/2788-100-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/2788-99-0x0000000002A10000-0x0000000002A66000-memory.dmp

Filesize
344KB

Download
memory/3140-107-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/3140-64-0x000000001C360000-0x000000001C3B6000-memory.dmp

Filesize
344KB

Download
memory/4600-78-0x0000000003030000-0x0000000003042000-memory.dmp

Filesize
72KB

Download
memory/4600-77-0x000000001BA20000-0x000000001BA76000-memory.dmp

Filesize
344KB

Download