Analysis
-
max time kernel
53s -
max time network
60s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
23-10-2024 02:31
Static task
static1
Behavioral task
behavioral1
Sample
PedikClient.exe
Resource
win11-20241007-en
General
-
Target
PedikClient.exe
-
Size
1.7MB
-
MD5
28d6347c722e5cac5ae9245b16d4754c
-
SHA1
45a79b7368ec79516ab1772188bec1b36c43d498
-
SHA256
eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1
-
SHA512
643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181
-
SSDEEP
49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program 
Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web 
Pages\\backgroundTaskHost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", 
\"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Desktop\\dllhost.exe\", \"C:\\Windows\\bcastdvr\\fontdrvhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Desktop\\dllhost.exe\", \"C:\\Windows\\bcastdvr\\fontdrvhost.exe\", \"C:\\Users\\Admin\\Registry.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", 
\"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\backgroundTaskHost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Program Files\\Uninstall Information\\sppsvc.exe\", \"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\", \"C:\\Users\\Public\\Downloads\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Desktop\\dllhost.exe\"" SystemUpdates.exe -
Process spawned unexpected child process 54 IoCs
This typically indicates that the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3392 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3568 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 72 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4972 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2332 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1440 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 3876 
schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4832 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4064 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3180 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 656 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1388 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3624 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2708 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4044 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 224 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3844 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3592 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4740 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3900 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 3876 schtasks.exe 89 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3372 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4412 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3388 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1080 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3960 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2208 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4460 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3320 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4784 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1248 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 3876 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 3876 schtasks.exe 89 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemUpdates.exe -
resource yara_rule behavioral1/files/0x001a00000002aabc-6.dat dcrat behavioral1/files/0x001900000002aac1-30.dat dcrat behavioral1/memory/2060-32-0x0000000000960000-0x0000000000AF0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 1716 powershell.exe 5084 powershell.exe 4604 powershell.exe 4284 powershell.exe 3656 powershell.exe 2092 powershell.exe 3896 powershell.exe 1160 powershell.exe 4676 powershell.exe 3140 powershell.exe 3468 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4504 netsh.exe -
Executes dropped EXE 4 IoCs
pid Process 1092 Injector.exe 2896 ExInjector.exe 2060 SystemUpdates.exe 1596 backgroundTaskHost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 34 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\Downloads\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\Downloads\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Adobe\\backgroundTaskHost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Desktop\\dllhost.exe\"" SystemUpdates.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Uninstall Information\\sppsvc.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\IdentityCRL\\INT\\fontdrvhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\bcastdvr\\fontdrvhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Uninstall Information\\sppsvc.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\Registry.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\Offline Web Pages\\backgroundTaskHost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\smss.exe\"" SystemUpdates.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Adobe\\backgroundTaskHost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Desktop\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\Registry.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Public\\Libraries\\SppExtComObj.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\PolicyDefinitions\\en-US\\RuntimeBroker.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" SystemUpdates.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Provisioning\\Cosa\\OEM\\spoolsv.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\bcastdvr\\fontdrvhost.exe\"" SystemUpdates.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemUpdates.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA backgroundTaskHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ipinfo.io 6 ipinfo.io -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat Injector.exe File opened for modification C:\Windows\SysWOW64\SystemUpdates.exe Injector.exe File created C:\Windows\SysWOW64\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe Injector.exe File opened for modification C:\Windows\SysWOW64\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe Injector.exe File created C:\Windows\SysWOW64\Explower.exe ExInjector.exe File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240617921 Injector.exe File created C:\Windows\SysWOW64\SystemUpdates.exe Injector.exe File opened for modification C:\Windows\SysWOW64\Explower.exe ExInjector.exe File opened for modification C:\Windows\SysWOW64\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat Injector.exe -
Drops file in Program Files directory 10 IoCs
description ioc Process File created C:\Program Files\WindowsPowerShell\Modules\Pester\dllhost.exe SystemUpdates.exe File created C:\Program Files (x86)\Adobe\eddb19405b7ce1 SystemUpdates.exe File created C:\Program Files\7-Zip\Lang\29c1c3cc0f7685 SystemUpdates.exe File created C:\Program Files\Uninstall Information\sppsvc.exe SystemUpdates.exe File created C:\Program Files\Uninstall Information\0a1fd5f707cd16 SystemUpdates.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe SystemUpdates.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72 SystemUpdates.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\5940a34987c991 SystemUpdates.exe File created C:\Program Files (x86)\Adobe\backgroundTaskHost.exe SystemUpdates.exe File created C:\Program Files\7-Zip\Lang\unsecapp.exe SystemUpdates.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\IdentityCRL\INT\fontdrvhost.exe SystemUpdates.exe File created C:\Windows\IdentityCRL\INT\5b884080fd4f94 SystemUpdates.exe File created C:\Windows\bcastdvr\5b884080fd4f94 SystemUpdates.exe File created C:\Windows\Offline Web Pages\backgroundTaskHost.exe SystemUpdates.exe File created C:\Windows\Offline Web Pages\eddb19405b7ce1 SystemUpdates.exe File created C:\Windows\PolicyDefinitions\en-US\9e8d7a4ca61bd9 SystemUpdates.exe File created C:\Windows\Provisioning\Cosa\OEM\spoolsv.exe SystemUpdates.exe File opened for modification C:\Windows\Offline Web Pages\backgroundTaskHost.exe SystemUpdates.exe File created C:\Windows\PolicyDefinitions\en-US\RuntimeBroker.exe SystemUpdates.exe File created C:\Windows\Provisioning\Cosa\OEM\f3b6ecef712a24 SystemUpdates.exe File created C:\Windows\bcastdvr\fontdrvhost.exe SystemUpdates.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PedikClient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injector.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ExInjector.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings Injector.exe Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings backgroundTaskHost.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3496 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4832 schtasks.exe 3388 schtasks.exe 3960 schtasks.exe 3060 schtasks.exe 4044 schtasks.exe 2208 schtasks.exe 2880 schtasks.exe 4972 schtasks.exe 2136 schtasks.exe 4460 schtasks.exe 3180 schtasks.exe 3624 schtasks.exe 2528 schtasks.exe 4944 schtasks.exe 2716 schtasks.exe 1440 schtasks.exe 4064 schtasks.exe 2688 schtasks.exe 224 schtasks.exe 4784 schtasks.exe 2376 schtasks.exe 3392 schtasks.exe 4412 schtasks.exe 1248 schtasks.exe 2708 schtasks.exe 3900 schtasks.exe 968 schtasks.exe 2252 schtasks.exe 2676 schtasks.exe 4740 schtasks.exe 1080 schtasks.exe 3176 schtasks.exe 2992 schtasks.exe 2852 schtasks.exe 2976 schtasks.exe 3320 schtasks.exe 1928 schtasks.exe 72 schtasks.exe 656 schtasks.exe 2160 schtasks.exe 3436 schtasks.exe 2552 schtasks.exe 4968 schtasks.exe 3844 schtasks.exe 4588 schtasks.exe 3372 schtasks.exe 4364 schtasks.exe 2332 schtasks.exe 2604 schtasks.exe 3592 schtasks.exe 752 schtasks.exe 3568 schtasks.exe 1388 schtasks.exe 1664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe 2896 ExInjector.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2896 ExInjector.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 2976 msedge.exe 2976 msedge.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 2896 ExInjector.exe Token: 33 2896 ExInjector.exe Token: SeIncBasePriorityPrivilege 2896 ExInjector.exe Token: SeDebugPrivilege 2060 SystemUpdates.exe Token: SeDebugPrivilege 4604 powershell.exe Token: SeDebugPrivilege 3140 powershell.exe Token: SeDebugPrivilege 4676 powershell.exe Token: SeDebugPrivilege 2092 powershell.exe Token: SeDebugPrivilege 3468 powershell.exe Token: SeDebugPrivilege 4284 powershell.exe Token: SeDebugPrivilege 1160 powershell.exe Token: SeDebugPrivilege 3896 powershell.exe Token: SeDebugPrivilege 5084 powershell.exe Token: SeDebugPrivilege 1716 powershell.exe Token: SeDebugPrivilege 3656 powershell.exe Token: SeDebugPrivilege 1596 backgroundTaskHost.exe Token: 33 2896 ExInjector.exe Token: SeIncBasePriorityPrivilege 2896 ExInjector.exe Token: 33 2896 ExInjector.exe Token: SeIncBasePriorityPrivilege 2896 ExInjector.exe Token: SeBackupPrivilege 1920 vssvc.exe Token: SeRestorePrivilege 1920 vssvc.exe Token: SeAuditPrivilege 1920 vssvc.exe Token: 33 2896 ExInjector.exe Token: SeIncBasePriorityPrivilege 2896 ExInjector.exe Token: 33 2896 ExInjector.exe Token: SeIncBasePriorityPrivilege 2896 ExInjector.exe Token: 33 2896 ExInjector.exe Token: SeIncBasePriorityPrivilege 2896 ExInjector.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe 2976 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1092 Injector.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4360 wrote to memory of 1092 4360 PedikClient.exe 81 PID 4360 wrote to memory of 1092 4360 PedikClient.exe 81 PID 4360 wrote to memory of 1092 4360 PedikClient.exe 81 PID 1092 wrote to memory of 892 1092 Injector.exe 85 PID 1092 wrote to memory of 892 1092 Injector.exe 85 PID 1092 wrote to memory of 892 1092 Injector.exe 85 PID 4360 wrote to memory of 2896 4360 PedikClient.exe 86 PID 4360 wrote to memory of 2896 4360 PedikClient.exe 86 PID 4360 wrote to memory of 2896 4360 PedikClient.exe 86 PID 2896 wrote to memory of 4504 2896 ExInjector.exe 87 PID 2896 wrote to memory of 4504 2896 ExInjector.exe 87 PID 2896 wrote to memory of 4504 2896 ExInjector.exe 87 PID 892 wrote to memory of 608 892 WScript.exe 90 PID 892 wrote to memory of 608 892 WScript.exe 90 PID 892 wrote to memory of 608 892 WScript.exe 90 PID 608 wrote to memory of 2060 608 cmd.exe 92 PID 608 wrote to memory of 2060 608 cmd.exe 92 PID 2060 wrote to memory of 4676 2060 SystemUpdates.exe 147 PID 2060 wrote to memory of 4676 2060 SystemUpdates.exe 147 PID 2060 wrote to memory of 2092 2060 SystemUpdates.exe 148 PID 2060 wrote to memory of 2092 2060 SystemUpdates.exe 148 PID 2060 wrote to memory of 3468 2060 SystemUpdates.exe 149 PID 2060 wrote to memory of 3468 2060 SystemUpdates.exe 149 PID 2060 wrote to memory of 3656 2060 SystemUpdates.exe 150 PID 2060 wrote to memory of 3656 2060 SystemUpdates.exe 150 PID 2060 wrote to memory of 4284 2060 SystemUpdates.exe 151 PID 2060 wrote to memory of 4284 2060 SystemUpdates.exe 151 PID 2060 wrote to memory of 4604 2060 SystemUpdates.exe 152 PID 2060 wrote to memory of 4604 2060 SystemUpdates.exe 152 PID 2060 wrote to memory of 5084 2060 SystemUpdates.exe 153 PID 2060 wrote to memory of 5084 2060 SystemUpdates.exe 153 PID 2060 wrote to memory of 3140 2060 SystemUpdates.exe 154 PID 2060 wrote to memory of 3140 2060 SystemUpdates.exe 154 PID 2060 wrote to memory of 1716 2060 SystemUpdates.exe 155 PID 2060 wrote to memory of 
1716 2060 SystemUpdates.exe 155 PID 2060 wrote to memory of 1160 2060 SystemUpdates.exe 156 PID 2060 wrote to memory of 1160 2060 SystemUpdates.exe 156 PID 2060 wrote to memory of 3896 2060 SystemUpdates.exe 157 PID 2060 wrote to memory of 3896 2060 SystemUpdates.exe 157 PID 2060 wrote to memory of 1596 2060 SystemUpdates.exe 169 PID 2060 wrote to memory of 1596 2060 SystemUpdates.exe 169 PID 608 wrote to memory of 3496 608 cmd.exe 171 PID 608 wrote to memory of 3496 608 cmd.exe 171 PID 608 wrote to memory of 3496 608 cmd.exe 171 PID 1596 wrote to memory of 4804 1596 backgroundTaskHost.exe 172 PID 1596 wrote to memory of 4804 1596 backgroundTaskHost.exe 172 PID 1596 wrote to memory of 4832 1596 backgroundTaskHost.exe 173 PID 1596 wrote to memory of 4832 1596 backgroundTaskHost.exe 173 PID 1596 wrote to memory of 2976 1596 backgroundTaskHost.exe 177 PID 1596 wrote to memory of 2976 1596 backgroundTaskHost.exe 177 PID 2976 wrote to memory of 5052 2976 msedge.exe 178 PID 2976 wrote to memory of 5052 2976 msedge.exe 178 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 PID 2976 wrote to memory of 2208 2976 msedge.exe 179 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" backgroundTaskHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\PedikClient.exe"C:\Users\Admin\AppData\Local\Temp\PedikClient.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\System32\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\SystemUpdates.exe"C:\Windows\System32\SystemUpdates.exe"5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3896
-
-
C:\Windows\Offline Web Pages\backgroundTaskHost.exe"C:\Windows\Offline Web Pages\backgroundTaskHost.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\588a0ab1-09fa-454b-9581-743068643cc0.vbs"7⤵PID:4804
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a91c6384-ebaf-48a5-b526-6e1a6228c8db.vbs"7⤵PID:4832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13991/7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdaabc3cb8,0x7ffdaabc3cc8,0x7ffdaabc3cd88⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,1944120763067716088,10070162806130131716,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2044 /prefetch:28⤵PID:2208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,1944120763067716088,10070162806130131716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:38⤵PID:1552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,1944120763067716088,10070162806130131716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:88⤵PID:1116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1944120763067716088,10070162806130131716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:18⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,1944120763067716088,10070162806130131716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:18⤵PID:2712
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3496
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe" "ExInjector.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4504
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:72
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
C:\Windows\System32\CompPkgSrv.exe — C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:4840
-
C:\Windows\System32\CompPkgSrv.exe — C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:3656
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Downloads
-
Filesize
2KB
MD5 6ecc5181b6e1191594ad2cd73f031ffb
SHA1 82237578f56ee3d741327ff09f504c70eb8d3ab3
SHA256 bb8735726a65e09f0af04837e37aeada304aaa6e7dde53c1f1ae9b3beba05d64
SHA512 7e1b3bbd39a45303d1f820993e28bdcf476c626d663b35b4c4f3fe3288c566661cd8846ca55fa731a2a987b64c5d6d8d0a819e97073ac76f5ffb998b9656492e
-
Filesize
152B
MD5 d91478312beae099b8ed57e547611ba2
SHA1 4b927559aedbde267a6193e3e480fb18e75c43d7
SHA256 df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043
SHA512 4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96
-
Filesize
152B
MD5 d7145ec3fa29a4f2df900d1418974538
SHA1 1368d579635ba1a53d7af0ed89bf0b001f149f9d
SHA256 efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59
SHA512 5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91
-
Filesize
5KB
MD5 4c9cc14051bbf4502d29e5829b74a523
SHA1 9f8238d3694ddef4b84a60c5acb3436bb7525756
SHA256 1052580cb5c2526228545715d569e8529979ae98dbacc994cf6e986208319c75
SHA512 d30ed2846482bd2b7df95db18e780d26a048dadc925d61bd5051d1eb1bed018919b96f9a2df5753aef79b2ecca29f6f3f9aeff37a629bcd21f6e13adf3a71a03
-
Filesize
5KB
MD5 975c0b8a776129e195430260504b8146
SHA1 a5b1f22ff0007a7cd683065d9352b313f810942e
SHA256 812137166e730756d08a974b030a5a7940c31907e65f89b14bb55de24950b276
SHA512 4207ed6681e9832d2bb39128e390728f9295b51aeb9ce4f672e9fcbe093e9614693de1637ba79c8926dbacc7d22c51e5994d9797558a4319a763d16c15c06ae4
-
Filesize
11KB
MD5 aaa27cdb67f287e32cf918591c267a65
SHA1 8799b2aec84f4bf7d03c1cfbcebfa8c249b4bb06
SHA256 d7bffa8fce66f8b521c77dc5f2ca02aee9d7b7480f6d6d819c9df852f0efa003
SHA512 ac04543f0bd319dde0c7a91836596a4892dc5ce56a2d94a63ff73f2eccfc4c8b83320d6a2755a12206562736c801b8869b10230f5592bb0650042df8beb9c4bc
-
Filesize
264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
944B
MD5 7d760ca2472bcb9fe9310090d91318ce
SHA1 cb316b8560b38ea16a17626e685d5a501cd31c4a
SHA256 5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4
SHA512 141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35
-
Filesize
944B
MD5 408641808e457ab6e23d62e59b767753
SHA1 4205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA256 3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512 e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb
-
Filesize
944B
MD5 45f53352160cf0903c729c35c8edfdce
SHA1 b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
SHA256 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
SHA512 e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3
-
Filesize
944B
MD5 dc4dd6766dd68388d8733f1b729f87e9
SHA1 7b883d87afec5be3eff2088409cd1f57f877c756
SHA256 3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826
SHA512 3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4
-
Filesize
944B
MD5 471b8a0c5be798c5e4debee5bd13669d
SHA1 d73a4082bd95bc04adeaf7940987bc08fbea422d
SHA256 e6bd4c1b6a65bfd69111ce45a2581ee74b5d0145995dd6e398bf624f511995ae
SHA512 b28ca7b329472bfc110e61df3948369d80f21c0287f9c642f510493c6809ba80ba6f7da28d60dc5c6258d5137a688821553a9fba91e017a55b1a839ad2b5fa55
-
Filesize
727B
MD5 98be80478abb88ac204c2582b165e4fc
SHA1 63ecc1f2ead4b712e6c713a80c4c98ae0e702907
SHA256 7db900d5d34e507d552189c9b0502142447cfcca4630e1d7b8cb93e1bc35ad1c
SHA512 a2bc3805f1160a4c8e354190cc987967025f61a689ec9a4ebe25823f0e5ced0cf61282a31e879eb04867710c038e22de6a6a26ed75419e74b9df64ba6143d4dc
-
Filesize
93KB
MD5 358b0c4e6149fa783c37d963a0630047
SHA1 ce7ef081d4e782b22ecf15ca096d90561403bc60
SHA256 a530485ad896b0192ea934f8ac93279ed1c73320779b6a448ac8e5862e9faf0c
SHA512 37f6d2187b68cb2d2db5e8385e369e5ec0bb461164646df77b44b07fb9471de507dfe1350083084bd848ea15063ec285a2545c3adabc7851249db22b27cde560
-
Filesize
1.9MB
MD5 e659b7e15ff77b76ae1ca12de1b83419
SHA1 d0fae57f6cb00bea8292eb160d9940a441aa7f7e
SHA256 f70bf625085dfece9e5ea39f44319e36deec706dcebc0ca95fc0483d79ddf6ad
SHA512 c65d52d4f59c68cb51e84c5dd00fc2772956d55fa5f43d518d75d3e36fb8e57bf0ef74ec5bd0a0e205fa52d99202a1faa2f9bec0ad6c7f7c1e654f0f945895d2
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
503B
MD5 9af5889218ecb986d2253f0b803afd44
SHA1 7281fbc8952edcc510d845390dc9dfefe7e578f1
SHA256 75d123b2c7a18735f5c4b74135ce7beb4e6f78a19d48f176eefe6162c4982dff
SHA512 0f298365d1285f73ce3df8918aaa5cf8b342f6e8f5f5ba2db8c7e67134b0e5e36021eded8da3c8fbeff9c6e784cc3e00e514d133657945c6977535e4b131d68b
-
Filesize
151B
MD5 1a0f2f949a4c977ca148b7e1184e2e2b
SHA1 d78e290750d6853e40ef64db981ec4e5bba28766
SHA256 52c9d9f06608d68d470d89950315033cb377efba6a64e2fb4498d52648225e25
SHA512 63f672ea105fb80655eae026f87d9944870c264eeaa6e9a5479e7dfbe76d91e4e7f0125b56349cbbdad032503936eb2598287aac74af725b0c811a35b582c2c9
-
Filesize
223B
MD5 6612f9c7e9436f5d51e7df6f409985f7
SHA1 dea060fb3044be174fb983960ab43eaeeba35ef3
SHA256 4a0840ee7da759b66e13978fcc0beddcc85e40fc2cd83e919c9850017031f390
SHA512 648561fb34133feb0d14be666111ce53a472e35ed37080a68c4f7eba37c0a4f501229ffbf6ea97970f005cda34741fa290e4494c573b1a3c1e4b2a250e551b93
-
Filesize
1.5MB
MD5 e75407ce1b2b4c1ba30e962aba6ba641
SHA1 fec41afd8f8a3734e771c9b161dd872fba6e1377
SHA256 f6bb9ad12d8ea272e48d60a9be80abc44643b16e0934f490ebcb92c1f41bbdf7
SHA512 5bab00725900278d5952ccf2e5e95c454a2004a272c186b2f3707ce703a55c9fff846c72f0d04dcf898a0fb31d0cb3f9ea32e0ffb12c689113e899902e61b596