4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Size

172KB
MD5

95c2b21ac9aedd8823d450270c157414
SHA1

0763082e03f8006e020796d0bdfc4c451bc6cc0c
SHA256

4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9
SHA512

22e813e752174b2ec2a67b5b5b069d2434e9fcba3675a1fc36372e1d54e6ff599bad61ffad7d2b695c391c3faa302a1521e2ec406652803f208b1f6bba6d9506
SSDEEP

3072:fJpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7UZ:hAm5oh63laEo+pXX1pkF8mxeq5+4m71V

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2668	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
792	sppcomapi.exe
2440	sppcomapi.exe
2072	sppcomapi.exe

Loads dropped DLL 9 IoCs

pid	Process
2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
2668	sppcomapi.exe
2668	sppcomapi.exe
2928	sppcomapi.exe
2440	sppcomapi.exe
2440	sppcomapi.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	sppcomapi.exe
File opened (read-only)	\??\W:	sppcomapi.exe
File opened (read-only)	\??\Y:	sppcomapi.exe
File opened (read-only)	\??\q:	sppcomapi.exe
File opened (read-only)	\??\x:	sppcomapi.exe
File opened (read-only)	\??\I:	sppcomapi.exe
File opened (read-only)	\??\k:	sppcomapi.exe
File opened (read-only)	\??\W:	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
File opened (read-only)	\??\R:	sppcomapi.exe
File opened (read-only)	\??\J:	sppcomapi.exe
File opened (read-only)	\??\l:	sppcomapi.exe
File opened (read-only)	\??\S:	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
File opened (read-only)	\??\W:	sppcomapi.exe
File opened (read-only)	\??\N:	sppcomapi.exe
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\h:	sppcomapi.exe
File opened (read-only)	\??\x:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\Z:	sppcomapi.exe
File opened (read-only)	\??\w:	sppcomapi.exe
File opened (read-only)	\??\z:	sppcomapi.exe
File opened (read-only)	\??\T:	sppcomapi.exe
File opened (read-only)	\??\a:	sppcomapi.exe
File opened (read-only)	\??\q:	sppcomapi.exe
File opened (read-only)	\??\Z:	sppcomapi.exe
File opened (read-only)	\??\x:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\O:	sppcomapi.exe
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\p:	sppcomapi.exe
File opened (read-only)	\??\O:	sppcomapi.exe
File opened (read-only)	\??\h:	sppcomapi.exe
File opened (read-only)	\??\t:	sppcomapi.exe
File opened (read-only)	\??\u:	sppcomapi.exe
File opened (read-only)	\??\m:	sppcomapi.exe
File opened (read-only)	\??\R:	sppcomapi.exe
File opened (read-only)	\??\O:	sppcomapi.exe
File opened (read-only)	\??\U:	sppcomapi.exe
File opened (read-only)	\??\G:	sppcomapi.exe
File opened (read-only)	\??\G:	sppcomapi.exe
File opened (read-only)	\??\J:	sppcomapi.exe
File opened (read-only)	\??\R:	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
File opened (read-only)	\??\J:	sppcomapi.exe
File opened (read-only)	\??\k:	sppcomapi.exe
File opened (read-only)	\??\v:	sppcomapi.exe
File opened (read-only)	\??\w:	sppcomapi.exe
File opened (read-only)	\??\n:	sppcomapi.exe
File opened (read-only)	\??\I:	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
File opened (read-only)	\??\H:	sppcomapi.exe
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\V:	sppcomapi.exe
File opened (read-only)	\??\l:	sppcomapi.exe
File opened (read-only)	\??\Z:	sppcomapi.exe
File opened (read-only)	\??\G:	sppcomapi.exe
File opened (read-only)	\??\B:	sppcomapi.exe
File opened (read-only)	\??\n:	sppcomapi.exe
File opened (read-only)	\??\z:	sppcomapi.exe
File opened (read-only)	\??\Y:	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
File opened (read-only)	\??\L:	sppcomapi.exe
File opened (read-only)	\??\N:	sppcomapi.exe
File opened (read-only)	\??\B:	sppcomapi.exe
File opened (read-only)	\??\O:	sppcomapi.exe
File opened (read-only)	\??\g:	sppcomapi.exe
File opened (read-only)	\??\X:	sppcomapi.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com
5	icanhazip.com

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sppcomapi.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\SJUQ3QWL.txt	sppcomapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\SJUQ3QWL.txt	sppcomapi.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VAA428G8.txt	sppcomapi.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppcomapi.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000055000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000080000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 002a426d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 8080c0811a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000006a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 006cb46d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = e039506f1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = e0ef146d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 407d6e801a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = e0816c921a6bdb01	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = a0f48b6d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 80db976d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000005f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000007d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 80c57c801a6bdb01	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionReason = "1"	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 605ff86c1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000015000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000023000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 80b7146f1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 20bf67921a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 80e6c0931a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 4072506d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000001e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = e01b6c801a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 201fbe811a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000006c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 80ba5e6d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000012000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = c0ff226f1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000072000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000074000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 6080316d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = c044df6d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000031000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000083000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 00ddbc6c1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 80b7146f1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = e047c3931a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 2017ea6c1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = a0a7066d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 2038236d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 40d5fb6d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000041000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 004073801a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000001d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000021000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000037000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 8080c0811a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000064000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 2017ea6c1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = 2038236d1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4d-83-d4-98-db\WpadDecisionTime = c0ff226f1a6bdb01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD3E9AB8-C50E-449A-9003-0A81678A0B63}\WpadDecisionTime = 60a175801a6bdb01	sppcomapi.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command\ = "\"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\Content-Type = "application/x-msdownload"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\DefaultIcon\ = "%1"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\ = "Application"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\runas\command	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\open\command	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\DefaultIcon	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\runas	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\ = "sppsrv"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\open	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\runas\command	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\open\command	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\open	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NTService\\sppcomapi.exe\" /START \"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\NTService\\sppcomapi.exe\" /START \"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\DefaultIcon\ = "%1"	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell	sppcomapi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\runas	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\Content-Type = "application/x-msdownload"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\DefaultIcon	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\shell\runas\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\ = "\"C:\\ProgramData\\NTService\\sppcomapi.exe\" /START \"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\runas\command\ = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\DefaultIcon\ = "%1"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "sppsrv"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	sppcomapi.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\shell\open\command	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell	sppcomapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\DefaultIcon	sppcomapi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\ = "Application"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sppsrv\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NTService\\sppcomapi.exe\" /START \"%1\" %*"	sppcomapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*"	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
2928	sppcomapi.exe
2668	sppcomapi.exe
2332	sppcomapi.exe
792	sppcomapi.exe
2440	sppcomapi.exe
2072	sppcomapi.exe
2332	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe
2072	sppcomapi.exe
2928	sppcomapi.exe
2332	sppcomapi.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Token: SeIncBasePriorityPrivilege	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
Token: SeIncBasePriorityPrivilege	2668	sppcomapi.exe
Token: SeIncBasePriorityPrivilege	2928	sppcomapi.exe
Token: SeIncBasePriorityPrivilege	2440	sppcomapi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2332	sppcomapi.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2668	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	30
PID 2740 wrote to memory of 2668	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	30
PID 2740 wrote to memory of 2668	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	30
PID 2740 wrote to memory of 2668	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	30
PID 2740 wrote to memory of 2928	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	31
PID 2740 wrote to memory of 2928	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	31
PID 2740 wrote to memory of 2928	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	31
PID 2740 wrote to memory of 2928	2740	4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe	31
PID 2668 wrote to memory of 2332	2668	sppcomapi.exe	32
PID 2668 wrote to memory of 2332	2668	sppcomapi.exe	32
PID 2668 wrote to memory of 2332	2668	sppcomapi.exe	32
PID 2668 wrote to memory of 2332	2668	sppcomapi.exe	32
PID 2928 wrote to memory of 792	2928	sppcomapi.exe	33
PID 2928 wrote to memory of 792	2928	sppcomapi.exe	33
PID 2928 wrote to memory of 792	2928	sppcomapi.exe	33
PID 2928 wrote to memory of 792	2928	sppcomapi.exe	33
PID 2440 wrote to memory of 2072	2440	sppcomapi.exe	35
PID 2440 wrote to memory of 2072	2440	sppcomapi.exe	35
PID 2440 wrote to memory of 2072	2440	sppcomapi.exe	35
PID 2440 wrote to memory of 2072	2440	sppcomapi.exe	35

C:\Users\Admin\AppData\Local\Temp\4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe
"C:\Users\Admin\AppData\Local\Temp\4cc14a2de3546d445364cd8b09293e4ec6b7b82aa6d4f2a3723984735550cbe9.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\ProgramData\NTService\sppcomapi.exe
  "C:\ProgramData\NTService\sppcomapi.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\NTService\sppcomapi.exe
    "C:\Users\Admin\AppData\Roaming\NTService\sppcomapi.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2332
- C:\ProgramData\NTService\sppcomapi.exe
  "C:\ProgramData\NTService\sppcomapi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\ProgramData\NTService\sppcomapi.exe
    "C:\ProgramData\NTService\sppcomapi.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:792

C:\ProgramData\NTService\sppcomapi.exe
C:\ProgramData\NTService\sppcomapi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\ProgramData\NTService0\sppcomapi.exe
  "C:\ProgramData\NTService0\sppcomapi.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NTService0\lielfeehdi.sys

Filesize
5KB

MD5
1ac6b4e611de4c9a89cefc7c0cdbcbf8

SHA1
193216685a6dd6e84758206f847cc9834ec3bb49

SHA256
b1bf1c017ee8612892c4b8f239235aedf76532ea714fe2a7d01054cf7ac7908c

SHA512
b1c6be05e553207f64a8ff0ed97cb32ddf7b53919418dbda0d1f158889f25523ee55f9e108f1b77604b2c526584e25c25d51486a8da7abd5e632b7177dbe48cc

Download Submit
C:\ProgramData\NTService0\losiicpog\isecfeaqqe.dmp

Filesize
8KB

MD5
74854f248b8af74b67df6362085e7044

SHA1
94dab57a614827a7f24786e1fe1479cbb5eafd64

SHA256
65c7bf08696dcf71ffe76b99da40b344856d3b698af0b29f1e180ac0209e8274

SHA512
5f0db4c60f5c7e5995c784b22c6efdd5fd9b28d74ad135f6eaae321efd36f7c4568911d3770868d8cd6e3eff95d84af541cd1e4420662813829bd41c0e1c8a84

Download Submit
C:\ProgramData\NTService0\losiicpog\upocelc.dat

Filesize
2KB

MD5
b5ae7a6e70041156b1e3faa41616ee63

SHA1
f84343bbb2764d9bdf55e976f5cd8c8340440ef9

SHA256
c099c65dba5ed3d6c41379071b07ee1d27f9c6ca73e6251aab0223ac070607f3

SHA512
fd354eb0db8ad68c348904f62313ad175a7e99d8536dde5df9e0c1b47cb0f66bf022e9d21332ab345ed0830d8e335e615b73483ad5e4b31ec5e588a1d148ec4b

Download Submit
C:\ProgramData\NTService0\socec.dat

Filesize
4KB

MD5
9a45b3ef5fc1c274810717527c29698d

SHA1
ed9c68d6086e3e0a43c48d512cba46bb5fe8ab6c

SHA256
502107658f3d98f013738fa3b47bebb382b491e231927e96fb597a57355910d9

SHA512
1a4167bf92bccf5d729a8b0477cfca5762a10c75dc25673119e53c21e7424beefe5cbd11331dba50679f4d48ce5fc61404df17c004552bb0d4dc8d81ede072bd

Download Submit
C:\ProgramData\NTService0\tasetoaxs\odd.sys

Filesize
1KB

MD5
f33e53c04d65be7bc40b80998ea32a06

SHA1
1a8002a12788e3d494ada737867076de21f5d0bd

SHA256
791ff95edac5d5e4432835a6559f8d97ddc65a0d7dfa63c13538964013c91711

SHA512
da05f689462633543a98ba0ecc8a341afc78b681c50e1152dd96b15a4ded2e8a967e8784d4092f58fd33755bb043afa77b2ec1e317b9933ecf9f8fba538d9017

Download Submit
C:\ProgramData\NTService0\tasetoaxs\utwa.ocx

Filesize
4KB

MD5
e118eaa89a8741575e256f90c33ec7a1

SHA1
ed66a2165849f71a62a99c4ba287b8b7fd1bc207

SHA256
3ec90448be43f522c4af1352b1772bb578d368333f018f78fac012d6b4b5a09c

SHA512
70945a013536ed6f0985903ca1498501bc5ea1538330a9c86f1e4872555adc6a265294f5c65ff413a3edf1ab95147ea88158bb1cc376d56efd588f6107126693

Download Submit
C:\ProgramData\NTService\sppcomapi.exe

Filesize
172KB

MD5
cb386fb8a2c0cbb4f6357c5bfc3d4445

SHA1
5b240a557881ac286cf7eb2f7654f3883dc6e998

SHA256
33181847c8213dc3718f615385e2a559442a1269b80da631f29e0363973109ed

SHA512
ce53f046eb36b1cbeea89ad9cd7ecafcd46efc23754738447c69de29331a65fa052f8452da6158aac2c9273286827720d162a17999eb3f65f0544a2330adc025

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O2HUNI7R.txt

Filesize
220B

MD5
ed0dad5bb84aa03aebea557981fbb78f

SHA1
d8e54392a0a38ce3f5dfcaf95d83b2216420457c

SHA256
596bf4d63bfabd91e0f159383dbd9c7cb1aaed21151d2e656d733b8c59c9437d

SHA512
a799c57f45ba00a9cda7c925dc105d49fd3c37dd6011b59111f73f451698b6647219e040eb473a89d62f90533e99d3ddd377b558ac23aba98d5e58d43545c0f5

Download Submit
\Users\Admin\AppData\Roaming\NTService\sppcomapi.exe

Filesize
172KB

MD5
fcf0c0290e94d1a0137778bbd9fb41c4

SHA1
754b94bbea7dee153d2d7d88f7ade90e89a296d2

SHA256
e983f88796bc5b822110339d0d01ce89813110e495121aad7660bc01adf96ae1

SHA512
ef4bee5e2faac6efea607e4bc5ee4091bb0393b8b17ace5b33716d62fa9352f65563690f3cf765ea74262f17cc9edeabffe457b48bb8fa1829cfe009429b5088

Download Submit