a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4

General

Target

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Size

1.8MB
MD5

3a58fb8bddcd783603cd2db060bb393c
SHA1

9322cb54e34843470ac96a70b475c1e3beaa21a1
SHA256

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4
SHA512

eefedae8e6273910931eefe05eb6530d6e4790b116e69cf37717c467eaba43074dda3fc34e84ab6dcc92dee8ac93aa41d95a5314066ffb7d68a5ca01ad445b7c

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\ProgramData\\Start Menu\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\", \"C:\\Documents and Settings\\services.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\", \"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Documents and Settings\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\lsass.exe\", \"C:\\ProgramData\\Microsoft Help\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\", \"C:\\ProgramData\\Start Menu\\lsass.exe\", \"C:\\Documents and Settings\\smss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1516	schtasks.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2984 services.exe

pid	process
2984	services.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Start Menu\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Documents\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\ProgramData\\Microsoft Help\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Mail\\de-DE\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\explorer.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Favorites\\lsass.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\ProgramData\\Adobe\\Updater6\\taskhost.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Idle.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Drops file in Program Files directory 20 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXCD01.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXD83E.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\RCXDE0C.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXB85A.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\b75386f1303e64	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\7a0fd90576e088	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\6ccacd8608530f	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\886983d96e3d3e	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXD8AC.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\RCXDE7B.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXB740.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXCC93.tmp	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1384	schtasks.exe
1532	schtasks.exe
2168	schtasks.exe
2264	schtasks.exe
2644	schtasks.exe
1000	schtasks.exe
1832	schtasks.exe
2396	schtasks.exe
2492	schtasks.exe
1628	schtasks.exe
460	schtasks.exe
2620	schtasks.exe
2764	schtasks.exe
1496	schtasks.exe
2076	schtasks.exe
2100	schtasks.exe
2416	schtasks.exe
2688	schtasks.exe
320	schtasks.exe
2052	schtasks.exe
2708	schtasks.exe
1912	schtasks.exe
2000	schtasks.exe
2192	schtasks.exe
2308	schtasks.exe
2512	schtasks.exe
2576	schtasks.exe
908	schtasks.exe
1056	schtasks.exe
624	schtasks.exe
2284	schtasks.exe
1716	schtasks.exe
1648	schtasks.exe
1984	schtasks.exe
2352	schtasks.exe
2144	schtasks.exe
2376	schtasks.exe
2728	schtasks.exe
580	schtasks.exe
1704	schtasks.exe
896	schtasks.exe
1336	schtasks.exe
2216	schtasks.exe
2536	schtasks.exe
2600	schtasks.exe
1132	schtasks.exe
976	schtasks.exe
1480	schtasks.exe
592	schtasks.exe
1608	schtasks.exe
2668	schtasks.exe
2796	schtasks.exe
996	schtasks.exe
684	schtasks.exe
824	schtasks.exe
2556	schtasks.exe
1008	schtasks.exe
1912	schtasks.exe
2328	schtasks.exe
760	schtasks.exe
2124	schtasks.exe
1596	schtasks.exe
868	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

pid	process
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exeservices.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Token: SeDebugPrivilege	2984	services.exe
Token: SeDebugPrivilege	2908	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	pid	process	target process
PID 2040 wrote to memory of 2908	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	powershell.exe
PID 2040 wrote to memory of 2908	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	powershell.exe
PID 2040 wrote to memory of 2908	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	powershell.exe
PID 2040 wrote to memory of 2984	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	services.exe
PID 2040 wrote to memory of 2984	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	services.exe
PID 2040 wrote to memory of 2984	2040	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe	services.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe

C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe
"C:\Users\Admin\AppData\Local\Temp\a1c3e1f6e6b81321e3cf866d05f5b19987203bcd576e9e3e2398641490f0bfb4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Documents and Settings\services.exe
  "C:\Documents and Settings\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CcI7taskhost" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vSrdtaskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8vB3taskhost" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Tp83services" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hb0Uservices" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Dwocservices" /sc ONSTART /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 8 /tr "'C:\Documents and Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yfRncsrss" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "oQtLcsrss" /sc ONLOGON /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1iVCcsrss" /sc ONSTART /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tGyJtaskhost" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SS0gtaskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "336mtaskhost" /sc ONSTART /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9V32lsass" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "By5Plsass" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "h2t8lsass" /sc ONSTART /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DOP4lsm" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "L8Gllsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zMRVlsm" /sc ONSTART /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 13 /tr "'C:\Documents and Settings\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8NRTIdle" /sc MINUTE /mo 6 /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BouGIdle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87eEIdle" /sc ONSTART /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\Documents and Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "m5Wjexplorer" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XOEZexplorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7sjcexplorer" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1Luitaskhost" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wKk3taskhost" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "D7gftaskhost" /sc ONSTART /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 7 /tr "'C:\ProgramData\Adobe\Updater6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4OXzlsass" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MxwBlsass" /sc ONLOGON /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kcVrlsass" /sc ONSTART /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Favorites\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "q6tplsm" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bHm5lsm" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Q9Zdlsm" /sc ONSTART /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Microsoft Help\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41quIdle" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tpOXIdle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "uZEhIdle" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nZTTexplorer" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zlHMexplorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WGShexplorer" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fTm4csrss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8kjdcsrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QCCgcsrss" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "btFqwinlogon" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "p6QVwinlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1yZVwinlogon" /sc ONSTART /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RsURlsass" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "krbAlsass" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "rkJOlsass" /sc ONSTART /tr "'C:\ProgramData\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hX9tsmss" /sc MINUTE /mo 10 /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bem0smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zZfTsmss" /sc ONSTART /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\services.exe

Filesize
1.8MB

MD5
07058fd5f1fc2c4176fed9696b6f724c

SHA1
29811a4adb11d1a93cdf468428de1e20a3fd9bec

SHA256
bbfe5c224fd63d8a04f3a832916042244f91b63c9760860e7fa21e2f577b3faf

SHA512
fe4e5013b615e1428b3e549b303bcd5af465b388aebf75769036d9eba7a5568cf587538e753a74ea619ccd12d68d768dcdd0cd742757ac0f301e3e54be3ce997

Download Submit
C:\Users\services.exe

Filesize
1.8MB

MD5
07058fd5f1fc2c4176fed9696b6f724c

SHA1
29811a4adb11d1a93cdf468428de1e20a3fd9bec

SHA256
bbfe5c224fd63d8a04f3a832916042244f91b63c9760860e7fa21e2f577b3faf

SHA512
fe4e5013b615e1428b3e549b303bcd5af465b388aebf75769036d9eba7a5568cf587538e753a74ea619ccd12d68d768dcdd0cd742757ac0f301e3e54be3ce997

Download Submit
memory/2040-72-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2040-59-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2040-58-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/2040-73-0x00000000022E0000-0x00000000022EC000-memory.dmp

Filesize
48KB

Download
memory/2040-60-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2040-74-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/2040-62-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2040-63-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2040-64-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2040-65-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2040-66-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2040-67-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2040-68-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2040-69-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2040-70-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2040-71-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/2040-54-0x0000000000BF0000-0x0000000000DB8000-memory.dmp

Filesize
1.8MB

Download
memory/2040-57-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/2040-61-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2040-75-0x0000000002300000-0x000000000230A000-memory.dmp

Filesize
40KB

Download
memory/2040-76-0x000000001A790000-0x000000001A79C000-memory.dmp

Filesize
48KB

Download
memory/2040-55-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-56-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/2908-77-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmp

Filesize
8KB

Download
memory/2908-78-0x000007FEEADD0000-0x000007FEEB92D000-memory.dmp

Filesize
11.4MB

Download
memory/2908-83-0x000007FEED240000-0x000007FEEDBDD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-85-0x0000000002770000-0x0000000002772000-memory.dmp

Filesize
8KB

Download
memory/2908-86-0x000007FEED240000-0x000007FEEDBDD000-memory.dmp

Filesize
9.6MB

Download
memory/2908-87-0x0000000002772000-0x0000000002774000-memory.dmp

Filesize
8KB

Download
memory/2908-88-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2908-82-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2908-90-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/2984-81-0x0000000000C00000-0x0000000000DC8000-memory.dmp

Filesize
1.8MB

Download
memory/2984-84-0x000000001B130000-0x000000001B132000-memory.dmp

Filesize
8KB

Download
memory/2984-89-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads