Analysis
  max time kernel: 119s
  max time network: 121s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22-12-2024 03:33
  Static task: static1
  Behavioral task: behavioral1
    Sample: 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
    Resource: win7-20240729-en
  Behavioral task: behavioral2
    Sample: 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
    Resource: win10v2004-20241007-en

General
  Target: 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Size: 1.5MB
  MD5: cac1d4f15ef3ded5035137eb65f76334
  SHA1: e8765a89bb9095471a3c267bdfe501729a20d6e3
  SHA256: 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235
  SHA512: f01c944e01587c14d2a16f88b24e6eb65e9eb6ad354132c426d8df2cdfc203b2817e0e5bc2f4d34abda11c2e8d67ec112972c283690e966f0fae637758def8ad
  SSDEEP: 24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRP:kzhWhCXQFN+0IEuQgyiVKH
Malware Config
Signatures
DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\", \"C:\\Windows\\System32\\XpsDocumentTargetPrint\\SppExtComObj.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\", \"C:\\Windows\\System32\\XpsDocumentTargetPrint\\SppExtComObj.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\", \"C:\\Windows\\System32\\XpsDocumentTargetPrint\\SppExtComObj.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\OfficeClickToRun.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\", \"C:\\Windows\\System32\\XpsDocumentTargetPrint\\SppExtComObj.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\OfficeClickToRun.exe\", \"C:\\PerfLogs\\smss.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Process spawned unexpected child process (8 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                          pid   pid_target  Process       procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1504  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3524  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2592  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4696  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4772  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3484  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2824  3544        schtasks.exe  83
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2360  3544        schtasks.exe  83
Command and Scripting Interpreter: PowerShell (1 TTP, 9 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops file in Drivers directory (1 IoC)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Checks computer location settings (2 TTPs, 14 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE (13 IoCs)
Adds Run key to start application (2 TTPs, 16 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Documents and Settings\\upfc.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows NT\\OfficeClickToRun.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\XpsDocumentTargetPrint\\SppExtComObj.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Documents and Settings\\upfc.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientEventLogMessages\\OfficeClickToRun.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\SppExtComObj.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\wininit.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows NT\\OfficeClickToRun.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\XpsDocumentTargetPrint\\SppExtComObj.exe\""  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Drops file in System32 directory (4 IoCs)
  description                   ioc                                                             Process
  File opened for modification  C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe     5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created                  C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe     5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created                  C:\Windows\System32\XpsDocumentTargetPrint\e1ef82546f0b02       5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Windows\System32\XpsDocumentTargetPrint\RCXC299.tmp          5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Drops file in Program Files directory (16 IoCs)
  description  ioc  Process
  File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e1ef82546f0b02  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files (x86)\Windows NT\RCXC720.tmp  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\OfficeClickToRun.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\defaults\pref\RCXC51B.tmp  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\OfficeClickToRun.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\e6c9b481da804f  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files\Mozilla Firefox\defaults\pref\56085415360792  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Program Files (x86)\Windows NT\e6c9b481da804f  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\RCXBBA1.tmp  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC018.tmp  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Drops file in Windows directory (4 IoCs)
  description  ioc  Process
  File opened for modification  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\RCXBE13.tmp  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File opened for modification  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  File created  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\22eafd247d37c3  5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (14 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTP, 8 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege | 4524 | powershell.exe
Token: SeDebugPrivilege | 1784 | powershell.exe
Token: SeDebugPrivilege | 2232 | powershell.exe
Token: SeDebugPrivilege | 3604 | powershell.exe
Token: SeDebugPrivilege | 4236 | powershell.exe
Token: SeDebugPrivilege | 3416 | powershell.exe
Token: SeDebugPrivilege | 2700 | powershell.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeDebugPrivilege | 4688 | powershell.exe
Token: SeDebugPrivilege | 1096 | SppExtComObj.exe
Token: SeDebugPrivilege | 5020 | SppExtComObj.exe
Token: SeDebugPrivilege | 1952 | SppExtComObj.exe
Token: SeDebugPrivilege | 4628 | SppExtComObj.exe
Token: SeDebugPrivilege | 4864 | SppExtComObj.exe
Token: SeDebugPrivilege | 2280 | SppExtComObj.exe
Token: SeDebugPrivilege | 1428 | SppExtComObj.exe
Token: SeDebugPrivilege | 1068 | SppExtComObj.exe
Token: SeDebugPrivilege | 548 | SppExtComObj.exe
Token: SeDebugPrivilege | 4988 | SppExtComObj.exe
Token: SeDebugPrivilege | 2208 | SppExtComObj.exe
Token: SeDebugPrivilege | 424 | SppExtComObj.exe
Token: SeDebugPrivilege | 2088 | SppExtComObj.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 388 wrote to memory of 1784 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 93
PID 388 wrote to memory of 1784 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 93
PID 388 wrote to memory of 4688 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 94
PID 388 wrote to memory of 4688 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 94
PID 388 wrote to memory of 2700 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 95
PID 388 wrote to memory of 2700 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 95
PID 388 wrote to memory of 2232 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 96
PID 388 wrote to memory of 2232 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 96
PID 388 wrote to memory of 4524 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 97
PID 388 wrote to memory of 4524 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 97
PID 388 wrote to memory of 1724 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 98
PID 388 wrote to memory of 1724 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 98
PID 388 wrote to memory of 4236 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 99
PID 388 wrote to memory of 4236 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 99
PID 388 wrote to memory of 3604 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 100
PID 388 wrote to memory of 3604 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 100
PID 388 wrote to memory of 3416 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 101
PID 388 wrote to memory of 3416 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 101
PID 388 wrote to memory of 1096 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 111
PID 388 wrote to memory of 1096 | 388 | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe | 111
PID 1096 wrote to memory of 616 | 1096 | SppExtComObj.exe | 112
PID 1096 wrote to memory of 616 | 1096 | SppExtComObj.exe | 112
PID 1096 wrote to memory of 4024 | 1096 | SppExtComObj.exe | 113
PID 1096 wrote to memory of 4024 | 1096 | SppExtComObj.exe | 113
PID 616 wrote to memory of 5020 | 616 | WScript.exe | 121
PID 616 wrote to memory of 5020 | 616 | WScript.exe | 121
PID 5020 wrote to memory of 4872 | 5020 | SppExtComObj.exe | 122
PID 5020 wrote to memory of 4872 | 5020 | SppExtComObj.exe | 122
PID 5020 wrote to memory of 4480 | 5020 | SppExtComObj.exe | 123
PID 5020 wrote to memory of 4480 | 5020 | SppExtComObj.exe | 123
PID 4872 wrote to memory of 1952 | 4872 | WScript.exe | 130
PID 4872 wrote to memory of 1952 | 4872 | WScript.exe | 130
PID 1952 wrote to memory of 2684 | 1952 | SppExtComObj.exe | 131
PID 1952 wrote to memory of 2684 | 1952 | SppExtComObj.exe | 131
PID 1952 wrote to memory of 1572 | 1952 | SppExtComObj.exe | 132
PID 1952 wrote to memory of 1572 | 1952 | SppExtComObj.exe | 132
PID 2684 wrote to memory of 4628 | 2684 | WScript.exe | 134
PID 2684 wrote to memory of 4628 | 2684 | WScript.exe | 134
PID 4628 wrote to memory of 4256 | 4628 | SppExtComObj.exe | 135
PID 4628 wrote to memory of 4256 | 4628 | SppExtComObj.exe | 135
PID 4628 wrote to memory of 2052 | 4628 | SppExtComObj.exe | 136
PID 4628 wrote to memory of 2052 | 4628 | SppExtComObj.exe | 136
PID 4256 wrote to memory of 4864 | 4256 | WScript.exe | 137
PID 4256 wrote to memory of 4864 | 4256 | WScript.exe | 137
PID 4864 wrote to memory of 3208 | 4864 | SppExtComObj.exe | 138
PID 4864 wrote to memory of 3208 | 4864 | SppExtComObj.exe | 138
PID 4864 wrote to memory of 1060 | 4864 | SppExtComObj.exe | 139
PID 4864 wrote to memory of 1060 | 4864 | SppExtComObj.exe | 139
PID 3208 wrote to memory of 2280 | 3208 | WScript.exe | 140
PID 3208 wrote to memory of 2280 | 3208 | WScript.exe | 140
PID 2280 wrote to memory of 3276 | 2280 | SppExtComObj.exe | 141
PID 2280 wrote to memory of 3276 | 2280 | SppExtComObj.exe | 141
PID 2280 wrote to memory of 1176 | 2280 | SppExtComObj.exe | 142
PID 2280 wrote to memory of 1176 | 2280 | SppExtComObj.exe | 142
PID 3276 wrote to memory of 1428 | 3276 | WScript.exe | 143
PID 3276 wrote to memory of 1428 | 3276 | WScript.exe | 143
PID 1428 wrote to memory of 2088 | 1428 | SppExtComObj.exe | 144
PID 1428 wrote to memory of 2088 | 1428 | SppExtComObj.exe | 144
PID 1428 wrote to memory of 2348 | 1428 | SppExtComObj.exe | 145
PID 1428 wrote to memory of 2348 | 1428 | SppExtComObj.exe | 145
PID 2088 wrote to memory of 1068 | 2088 | WScript.exe | 146
PID 2088 wrote to memory of 1068 | 2088 | WScript.exe | 146
PID 1068 wrote to memory of 2744 | 1068 | SppExtComObj.exe | 147
PID 1068 wrote to memory of 2744 | 1068 | SppExtComObj.exe | 147
System policy modification 1 TTPs 42 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:388
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\upfc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\OfficeClickToRun.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 2)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1096
C:\Windows\System32\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a55cf13-9239-40e4-9616-728817d0b0a4.vbs"
- Suspicious use of WriteProcessMemory
PID:616
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 4)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5020
C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75bd27e0-5442-4959-9706-4947a321dc63.vbs"
- Suspicious use of WriteProcessMemory
PID:4872
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 6)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1952
C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67121733-6b95-4cc8-b531-31c20c9600dd.vbs"
- Suspicious use of WriteProcessMemory
PID:2684
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 8)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4628
C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a112bd9f-7935-4bbd-8b42-0972ec7381a4.vbs"
- Suspicious use of WriteProcessMemory
PID:4256
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 10)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4864
C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32874317-6337-4fd8-a8be-888e882d34ad.vbs"
- Suspicious use of WriteProcessMemory
PID:3208
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 12)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280
C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394cd2ad-1174-4f2c-ad7f-ee29870606f8.vbs"
- Suspicious use of WriteProcessMemory
PID:3276
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 14)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1428
C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d5051f9-9666-408e-8cef-0e7eeaca75d5.vbs"
- Suspicious use of WriteProcessMemory
PID:2088
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 16)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1068
C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94157912-2525-4731-8627-b22fc575edc5.vbs"
PID:2744
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 18)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:548
C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4dd790-20b9-46c0-acdf-470a9dc91d8c.vbs"
PID:2120
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 20)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4988
C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12510e34-886e-4021-b97c-5ffc6498cc93.vbs"
PID:4056
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 22)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2208
C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d6ae87a-4c61-407e-9ff8-77ebb14e28cf.vbs"
PID:4436
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 24)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:424
C:\Windows\System32\WScript.exe (depth 25)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993d1984-501b-4afc-8d16-4aaa1dfed846.vbs"
PID:1888
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe (depth 26)
Command line: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2088
C:\Windows\System32\WScript.exe (depth 27)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18f43ac6-9d77-4c2d-a1e4-966c85123454.vbs"
PID:1204
C:\Windows\System32\WScript.exe (depth 27)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cc42b0-9534-4f8e-88cb-83fc1ac29ab3.vbs"
PID:2092
C:\Windows\System32\WScript.exe (depth 25)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cc4b5f7-d92b-414d-8a14-d84b80f23ac7.vbs"
PID:2476
C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c909a5f-33d8-411d-9ad2-e30689949d27.vbs"
PID:2420
C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5221ebd8-42a8-4d13-8acc-6385d0b0e764.vbs"
PID:4672
C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e9b657-e048-416b-a14e-6d38355b1698.vbs"
PID:1384
C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8ab1052-d995-4271-b8be-4783af2e390e.vbs"
PID:1984
C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a527a541-3738-4e72-aa10-b50ab3b3bd64.vbs"
PID:2348
C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60618a5d-96f0-4a3d-b2fc-5dd76e0bd81c.vbs"
PID:1176
C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23bf3db3-24ce-46a4-82be-318c7fd6d48d.vbs"
PID:1060
C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3101ea53-f79e-42c1-b924-1f5bbd94447c.vbs"
PID:2052
C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f535b84-ff60-4ad4-b9bb-4f7521b9cd67.vbs"
PID:1572
C:\Windows\System32\WScript.exe (depth 5)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be022fe8-44ca-4c9c-92d7-8069c3291f2b.vbs"
PID:4480
C:\Windows\System32\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74d3a9da-3a22-4be7-a1af-9095339e746c.vbs"
PID:4024
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Documents and Settings\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\XpsDocumentTargetPrint\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD552e48d73865cfb8ee0750ef2dc3cd210
SHA1238363714a870301797e50269e1bd24ae22b4f01
SHA2565467550e220512208370c4eb14f71b9c5664a3ebd9f92a71c9f2be814a678073
SHA5127f25b34e8a14abc62df55b671580f662d97697d461e2991fb8b008b7b81079ebffc0f3741e33b1e7ac73a81c8b22edbdccdbd4bead6d443c358eb947af7d6978
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
766B
MD5eafc0e0db257e29adf7ebf2b4723d7ec
SHA10b1955e673595d5c2621ab07fe7cd7907aea3b28
SHA256fde9a0d159b199e896d3531ff5d87ca74e543c894dcdcf23b238e13105effd49
SHA51256baa1156ff5f5a061ee158dfd5c48549e4b4e78dffcff57de22cee4c31c35c552aa04fa403ec66b15cc35c1b7b4f325b89fad52c4d2a327632b3501ebef5cf2
-
Filesize
766B
MD5eb3518c64dd5b81faff3178e5fe81677
SHA1d841d1cb0fdcdc3a4f754b2c002317a1453c139c
SHA25679c93669cccfdfd6146934ca105f2c61f02aa8c40c6ce246f4373eb9a2163366
SHA5126e2fec5fef06216b917e807d3d49a12bcfc82e8a0fde9ace9488c2325cc96bdfa4379aba42736d0b84049979c05fcc9dffac9122090610cf9ee1db3fd13c6dd1
-
Filesize
765B
MD52e3c04735e9341b12e799d39c87e23bb
SHA19367e2ecf9723bd7fb88baff80868bddf63e38f6
SHA256961261550c3997bdf626429ab1f8239000cf96fdc3b2b25e4c57f8c2975a6ad2
SHA5124712d5fd13b7273dff2e02ed225808810bf63c1de780acfbff4ad4293aed14995ff70210c59441af1a72ee5e90b778ebbfbb12b400ab607625d12bbe447deb71
-
Filesize
766B
MD5704f03761dfcc9297ada058c5b2a3589
SHA1830ef322d10877a80f0ff684a6297f29e06b1f7d
SHA256a61e2b4008e4f114e0798a1128970ce80f45c3e9fadb923692843f2f50c7305b
SHA512e3cd96265a33b4a5e8c486f172d4ab959776b5f59dbfaf81b7a3423d72003b882e59897081086f430333bd57c2010051fc06e06f4258d1414945e80219407472
-
Filesize
766B
MD5c8d372ad56b657c4aa64b5902363773b
SHA19e653e40f0e83278181019832f5d6e05f03e195d
SHA2569bfd4b2930ea6a2f4eae97f064ce54312f8b26f7a85507a1ab436d5e1066f1bd
SHA5122671f5ffb53cf3a9329d0df3dd790969d0aab48775e0185eed4b4ba8bfd62d709d23816368c087a1bf9268158e5f0864d999722eeedd9bda97aa871af13b3a94
-
Filesize
766B
MD58712942f236949c424c29f2788970a3b
SHA1c49d8010857afe5b81911127fe602857ad8e87f3
SHA25664e4fe489400a73f2131d8c3dbbc2c03f565c5b14e31d38cf09fe80ac050636e
SHA5129066c64e9698108cc4be072ba85dbbb95f041eb6c4658cd55faa047efddca8cddd4a512b673a93ff08b680ae5732077644d464d6ce7ccf28a8131e4f9143b5e5
-
Filesize
766B
MD505a5dc5a66a54d5d04d2eb2d7b2f65cb
SHA1add0cb7cdc9c6fa6071b385d7c026c3ce75c61ee
SHA256574dc0ababf0c6e535f5a708db5cbfc99d9ca1a0f083b5cbff3282d47ba3f76d
SHA51288b055b30e01a62c002e7222d2e7b675072d8b683878b52abbf3c12942edb3b7cb410d682ef9372dd078657366cca151868f2949ddd4efb61098e2c91c570588
-
Filesize
766B
MD5
33fac97d6b7d8d3b4204bebcfafa0e65
SHA1
f7aefe0c08263c6ecd861e1899e690a36edaaa3a
SHA256
c80acfb730a840b26f10632859d4aaea4a4f975fe3f09b44f4ab4b0caf62ff58
SHA512
9cc65e7590b82556b19a5ac784a1662c83626564fbbba4d9c42ea7796d6e8d20a0ad9f96e42648cf6f2cdf7005636a403276369e6d1ad552e9dffff5a26b5bbe
-
Filesize
542B
MD5
c03d849f0e71ad52da5cafa248e52007
SHA1
653ae8463b7d5a5ed4a6e477015e0f5be4422a0a
SHA256
4fd8d01bb12246fbc7f77ec271e32b23e265ec5699567403da78c00aad9586a0
SHA512
c81ad5c34d5f8e3e58bb7165abd0ca7b5243d60560cb412c8c0e9c0819153e7bc545fdc6957e57fcdab376b6f939a4ee0a14aa2b901f8c4ce7468cb4fbd83cba
-
Filesize
766B
MD5
996b22d5f65a9305b440c066fac68e31
SHA1
4ffcc14b2199873a4be6141fbad28be06c7ffce7
SHA256
950a747f0085f605226add88fa4c081cd8436c57b2d9d0d1c2ede73b53eeead5
SHA512
d2c1a349e45a4e5824b10bb29de9617a0d48cfdac5249025f8a3ed4ec1d1d9bc502f548ed99386b17c5175d2aa0fe6f6079f0df5fe51963a8f62bc9610b9438b
-
Filesize
766B
MD5
407ece99e6d0e573ac917e1a855490a0
SHA1
21c3f18da7de8ddacbcb186d6060480fcefcd74e
SHA256
fe556ae1eabb62bee8ec243a4b6413cc1c2297ac17494c3ddfd06d5694425cb0
SHA512
20747324107a6af284d0c7c0e498cee813875da2713358ac1f29cafd03774acfb17f91eb8e205cc01e122b9c966df3c38f8114b91fee079d3814fcd0ebf69b39
-
Filesize
765B
MD5
0d86b571e4813a7c0b70fe5a1f5b782f
SHA1
b34190d6a1235cbcb06a4757060294045d5533eb
SHA256
80da1302bfb6f1e24b6477a473596c4b7564c7b773b13f463234a51e29e87334
SHA512
20da6c75cc12e766f9c9178de09182437bbf0a5446d7ddc315ca6ee9023d75af1387379a8b83899f0bc62d13e12d06ec465f3086f0198ede2ede88da3e297392
-
Filesize
766B
MD5
81b807136f0bc71224f08d7b7ea025a2
SHA1
3460f666ac5f725bfaa0fd6398c7edbdf536588a
SHA256
dbd62ba2ec3e095ac3637a1a579b273f5357c0b33197b35717482fc603dc3eb5
SHA512
bbd166d573afae2592c3e63d583ca21e31626cdde0397ca5394380be51277b83c3f17c9287047a70ff17ba5e08f972ce2f792c000bb225d85526c9f3732a1446
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
766B
MD5
cdc3aca4686ada90eeef24598b88b37a
SHA1
7fb2bb35678243a7fa0711415954d70544491885
SHA256
052e310603c1da14f62872552d0965d49fbbc5215673701b0672ff04ad7226e9
SHA512
6032a90ccd943086eb6c071c66a8ee6abbf3c8de814e94a727a97c3a04156eee0bc507c8d5d6725b433679948127828536c83ca836b5038d82d935b44dad6490
-
Filesize
1.5MB
MD5
cac1d4f15ef3ded5035137eb65f76334
SHA1
e8765a89bb9095471a3c267bdfe501729a20d6e3
SHA256
5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235
SHA512
f01c944e01587c14d2a16f88b24e6eb65e9eb6ad354132c426d8df2cdfc203b2817e0e5bc2f4d34abda11c2e8d67ec112972c283690e966f0fae637758def8ad
-
Filesize
1.5MB
MD5
e5a04830de1f447384993c2972e2ab37
SHA1
9b424dafdbb66a6d4de08680cf915466e3e70e5f
SHA256
641f5b40d3b0de6dd2b50d249ac802e20f5e8ceb86f528c6b9fba5ecb2c7004a
SHA512
3129e13dffc723154f94c2b1b2446d411d47713a7e7b316cb46b4b777079e9019b07c7a7adeb5e73150496c92e2dd9208a10c1f9225d082fccea7fecd89f7c78