a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\ProgramData\\Start Menu\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\ProgramData\\Start Menu\\lsass.exe\", \"C:\\Documents and Settings\\smss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1516	schtasks.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2984 services.exe

pid	process
2984	services.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Start Menu\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Documents\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Microsoft Help\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Favorites\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Drops file in Program Files directory 20 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXCD01.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXD83E.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\RCXDE0C.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXB85A.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\b75386f1303e64	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\7a0fd90576e088	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\6ccacd8608530f	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\886983d96e3d3e	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXD8AC.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\RCXDE7B.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXB740.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXCC93.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1384	schtasks.exe
1532	schtasks.exe
2168	schtasks.exe
2264	schtasks.exe
2644	schtasks.exe
1000	schtasks.exe
1832	schtasks.exe
2396	schtasks.exe
2492	schtasks.exe
1628	schtasks.exe
460	schtasks.exe
2620	schtasks.exe
2764	schtasks.exe
1496	schtasks.exe
2076	schtasks.exe
2100	schtasks.exe
2416	schtasks.exe
2688	schtasks.exe
320	schtasks.exe
2052	schtasks.exe
2708	schtasks.exe
1912	schtasks.exe
2000	schtasks.exe
2192	schtasks.exe
2308	schtasks.exe
2512	schtasks.exe
2576	schtasks.exe
908	schtasks.exe
1056	schtasks.exe
624	schtasks.exe
2284	schtasks.exe
1716	schtasks.exe
1648	schtasks.exe
1984	schtasks.exe
2352	schtasks.exe
2144	schtasks.exe
2376	schtasks.exe
2728	schtasks.exe
580	schtasks.exe
1704	schtasks.exe
896	schtasks.exe
1336	schtasks.exe
2216	schtasks.exe
2536	schtasks.exe
2600	schtasks.exe
1132	schtasks.exe
976	schtasks.exe
1480	schtasks.exe
592	schtasks.exe
1608	schtasks.exe
2668	schtasks.exe
2796	schtasks.exe
996	schtasks.exe
684	schtasks.exe
824	schtasks.exe
2556	schtasks.exe
1008	schtasks.exe
1912	schtasks.exe
2328	schtasks.exe
760	schtasks.exe
2124	schtasks.exe
1596	schtasks.exe
868	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

pid	process
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exeservices.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Token: SeDebugPrivilege	2984	services.exe
Token: SeDebugPrivilege	2908	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	pid	process	target process
PID 2040 wrote to memory of 2908	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	powershell.exe
PID 2040 wrote to memory of 2908	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	powershell.exe
PID 2040 wrote to memory of 2908	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	powershell.exe
PID 2040 wrote to memory of 2984	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	services.exe
PID 2040 wrote to memory of 2984	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	services.exe
PID 2040 wrote to memory of 2984	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	services.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
"C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Documents and Settings\services.exe
"C:\Documents and Settings\services.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CcI7taskhost" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vSrdtaskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8vB3taskhost" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Tp83services" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hb0Uservices" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Dwocservices" /sc ONSTART /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yfRncsrss" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "oQtLcsrss" /sc ONLOGON /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1iVCcsrss" /sc ONSTART /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tGyJtaskhost" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SS0gtaskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "336mtaskhost" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9V32lsass" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "By5Plsass" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "h2t8lsass" /sc ONSTART /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DOP4lsm" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "L8Gllsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zMRVlsm" /sc ONSTART /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 13 /tr "'C:\Documents and Settings\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8NRTIdle" /sc MINUTE /mo 6 /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BouGIdle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87eEIdle" /sc ONSTART /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\Documents and Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "m5Wjexplorer" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XOEZexplorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7sjcexplorer" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1Luitaskhost" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wKk3taskhost" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D7gftaskhost" /sc ONSTART /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4OXzlsass" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MxwBlsass" /sc ONLOGON /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kcVrlsass" /sc ONSTART /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Favorites\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "q6tplsm" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bHm5lsm" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Q9Zdlsm" /sc ONSTART /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41quIdle" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tpOXIdle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "uZEhIdle" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nZTTexplorer" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zlHMexplorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WGShexplorer" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fTm4csrss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8kjdcsrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QCCgcsrss" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "btFqwinlogon" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "p6QVwinlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1yZVwinlogon" /sc ONSTART /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RsURlsass" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "krbAlsass" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "rkJOlsass" /sc ONSTART /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hX9tsmss" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bem0smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zZfTsmss" /sc ONSTART /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Modify Registry

4

Bypass User Account Control

T1088

Disabling Security Tools