b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c

General

Target

b01e71436ccb703fbf02bf0e171f77ac.exe
Size

780KB
MD5

b01e71436ccb703fbf02bf0e171f77ac
SHA1

9acda7d69832cbfc66881302b5ab2691ad342c78
SHA256

b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c
SHA512

a69c3969a2a62625604d1bdb1a8fe1e5d69100836d604c32e463b54854d7c60fd6c451246880ac6c84213955bba0bce6123882c16edc3d10ef8b89e5b13f464c

Score

10^/10

suricata

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4228	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4228	schtasks.exe

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Executes dropped EXE 1 IoCs

Processes:

SppExtComObj.exe

pid process

1156 SppExtComObj.exe

pid	process
1156	SppExtComObj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	b01e71436ccb703fbf02bf0e171f77ac.exe

Drops file in Program Files directory 20 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\en-US\SppExtComObj.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\ee2ad38f3d4382	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Windows Media Player\en-US\ee2ad38f3d4382	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\SppExtComObj.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\e1ef82546f0b02	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\Windows Media Player\en-US\Registry.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e1ef82546f0b02	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\cc11b995f2a76d	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\fontdrvhost.exe	b01e71436ccb703fbf02bf0e171f77ac.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ea1d8f6d871115	b01e71436ccb703fbf02bf0e171f77ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4380	schtasks.exe
3088	schtasks.exe
1232	schtasks.exe
488	schtasks.exe
516	schtasks.exe
3828	schtasks.exe
4404	schtasks.exe
4920	schtasks.exe
4556	schtasks.exe
2100	schtasks.exe
2212	schtasks.exe
3800	schtasks.exe
3312	schtasks.exe
3456	schtasks.exe
3848	schtasks.exe
3692	schtasks.exe
2368	schtasks.exe
2200	schtasks.exe
4188	schtasks.exe
116	schtasks.exe
4104	schtasks.exe
2828	schtasks.exe
2908	schtasks.exe
3928	schtasks.exe
2372	schtasks.exe
4204	schtasks.exe
5092	schtasks.exe
400	schtasks.exe
2136	schtasks.exe
4308	schtasks.exe
4304	schtasks.exe
3856	schtasks.exe
4284	schtasks.exe
396	schtasks.exe
4892	schtasks.exe
880	schtasks.exe
2128	schtasks.exe
1128	schtasks.exe
3680	schtasks.exe
3004	schtasks.exe
1768	schtasks.exe
1732	schtasks.exe
216	schtasks.exe
4216	schtasks.exe
408	schtasks.exe
5028	schtasks.exe
1676	schtasks.exe
4588	schtasks.exe
4512	schtasks.exe
4092	schtasks.exe
4336	schtasks.exe
4080	schtasks.exe
4424	schtasks.exe
3468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exeSppExtComObj.exe

pid	process
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
3436	b01e71436ccb703fbf02bf0e171f77ac.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe
1156	SppExtComObj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SppExtComObj.exe

pid process

1156 SppExtComObj.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exeSppExtComObj.exe

description pid process

Token: SeDebugPrivilege 3436 b01e71436ccb703fbf02bf0e171f77ac.exe
Token: SeDebugPrivilege 1156 SppExtComObj.exe

pid	process
1156	SppExtComObj.exe

description	pid	process
Token: SeDebugPrivilege	3436	b01e71436ccb703fbf02bf0e171f77ac.exe
Token: SeDebugPrivilege	1156	SppExtComObj.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

b01e71436ccb703fbf02bf0e171f77ac.exe

description	pid	process	target process
PID 3436 wrote to memory of 1156	3436	b01e71436ccb703fbf02bf0e171f77ac.exe	SppExtComObj.exe
PID 3436 wrote to memory of 1156	3436	b01e71436ccb703fbf02bf0e171f77ac.exe	SppExtComObj.exe

C:\Users\Admin\AppData\Local\Temp\b01e71436ccb703fbf02bf0e171f77ac.exe
"C:\Users\Admin\AppData\Local\Temp\b01e71436ccb703fbf02bf0e171f77ac.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe
"C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONSTART /tr "'C:\Program Files\Windows Photo Viewer\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 6 /tr "'C:\ProgramData\regid.1991-06.com.microsoft\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ProgramData\regid.1991-06.com.microsoft\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONSTART /tr "'C:\ProgramData\regid.1991-06.com.microsoft\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONSTART /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft OneDrive\setup\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONSTART /tr "'C:\ProgramData\Microsoft OneDrive\setup\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONSTART /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Defender\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc MINUTE /mo 10 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONSTART /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2632097139-1792035885-811742494-1000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2632097139-1792035885-811742494-1000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2632097139-1792035885-811742494-1000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\Users\Admin\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONSTART /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONSTART /tr "'C:\Program Files\Windows Media Player\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONSTART /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\ProgramData\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe
Filesize
780KB

MD5
b01e71436ccb703fbf02bf0e171f77ac

SHA1
9acda7d69832cbfc66881302b5ab2691ad342c78

SHA256
b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c

SHA512
a69c3969a2a62625604d1bdb1a8fe1e5d69100836d604c32e463b54854d7c60fd6c451246880ac6c84213955bba0bce6123882c16edc3d10ef8b89e5b13f464c

Download Submit
C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe
Filesize
780KB

MD5
b01e71436ccb703fbf02bf0e171f77ac

SHA1
9acda7d69832cbfc66881302b5ab2691ad342c78

SHA256
b9e8d2ae255a3b585cd17cbfad39037f0bb9a7691b4977e08d248841017b1b2c

SHA512
a69c3969a2a62625604d1bdb1a8fe1e5d69100836d604c32e463b54854d7c60fd6c451246880ac6c84213955bba0bce6123882c16edc3d10ef8b89e5b13f464c

Download Submit
memory/1156-132-0x0000000000000000-mapping.dmp

Download
memory/1156-135-0x00007FFF9B190000-0x00007FFF9BC51000-memory.dmp

Filesize
10.8MB

Download
memory/3436-130-0x00000000009E0000-0x0000000000AAA000-memory.dmp

Filesize
808KB

Download
memory/3436-131-0x00007FFF9B190000-0x00007FFF9BC51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads