7e18416de1803f8e39a3f4459532f5debeeb67d0d7e497b64b23de4cf698c062

Analysis

max time kernel
1s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 21:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
Size

892KB
MD5

610e02f193b3d0e040c3d978c70dd1d1
SHA1

7fd26d773d299807e99dc3a6c75929a718cc97a4
SHA256

7e18416de1803f8e39a3f4459532f5debeeb67d0d7e497b64b23de4cf698c062
SHA512

40848701a1a7fbf99e75c80172e5eed96512cf049072c8e532d4ec25856a9afd239c5614a6c77eab9310f2dd55ef150521d83137c2961e696beb188b3fe590c9
SSDEEP

12288:5zm1bWq/4jLF39hjDGcuSY44BuOVQ44tDXDeNRQt8VH9De7KVlVt6A+:5Ch/otJD7uiSQ47Bt6A+

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\0a1fd5f707cd16	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\taskhost.exe	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
File created	C:\Windows\fr-FR\b75386f1303e64	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2792	schtasks.exe
1136	schtasks.exe
592	schtasks.exe
2112	schtasks.exe
1632	schtasks.exe
2116	schtasks.exe
1628	schtasks.exe
1984	schtasks.exe
3024	schtasks.exe
1784	schtasks.exe
896	schtasks.exe
2888	schtasks.exe
1460	schtasks.exe
2424	schtasks.exe
1428	schtasks.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2724	PING.EXE
2496	PING.EXE
2068	PING.EXE
2184	PING.EXE
1432	PING.EXE
2684	PING.EXE
2836	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2592	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	51
PID 1540 wrote to memory of 2592	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	51
PID 1540 wrote to memory of 2592	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	51
PID 1540 wrote to memory of 2640	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	50
PID 1540 wrote to memory of 2640	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	50
PID 1540 wrote to memory of 2640	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	50
PID 1540 wrote to memory of 2656	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	49
PID 1540 wrote to memory of 2656	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	49
PID 1540 wrote to memory of 2656	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	49
PID 1540 wrote to memory of 2660	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	48
PID 1540 wrote to memory of 2660	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	48
PID 1540 wrote to memory of 2660	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	48
PID 1540 wrote to memory of 2676	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	46
PID 1540 wrote to memory of 2676	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	46
PID 1540 wrote to memory of 2676	1540	7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe	46

C:\Users\Admin\AppData\Local\Temp\7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe
"C:\Users\Admin\AppData\Local\Temp\7E18416DE1803F8E39A3F4459532F5DEBEEB67D0D7E49.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnGtTG4KbA.bat"
  2⤵
  PID:1860
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
    3⤵
    PID:1508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat"
      4⤵
      PID:700
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        5⤵
        
        PID:912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RAcs8leQAB.bat"
        6⤵
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        7⤵
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vTHQNFoTQv.bat"
        8⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        9⤵
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat"
        10⤵
        
        PID:2900
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        11⤵
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26i24I6rG0.bat"
        12⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:344
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        13⤵
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat"
        14⤵
        
        PID:564
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        15⤵
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g08gBSmlqM.bat"
        16⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        17⤵
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat"
        18⤵
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        19⤵
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat"
        20⤵
        
        PID:2332
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        21⤵
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZj4RhEvd.bat"
        22⤵
        
        PID:2108
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        23⤵
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat"
        24⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        25⤵
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0H3zCkvC0l.bat"
        26⤵
        
        PID:2840
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        27⤵
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GMPvjC3Nss.bat"
        28⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
  2⤵
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'
  2⤵
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\taskhost.exe'
  2⤵
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'
  2⤵
  PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1504

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\taskhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2836

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2872

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2724

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2804

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2496

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2068

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1360

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2836

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2288

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2184

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:284

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1992

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2612

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1432

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:660

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1428

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:324

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:564

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:876

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2312

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-126-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/912-125-0x00000000001F0000-0x00000000002D6000-memory.dmp

Filesize
920KB

Download
memory/1508-117-0x00000000779B0000-0x00000000779B1000-memory.dmp

Filesize
4KB

Download
memory/1508-111-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/1508-97-0x0000000001190000-0x0000000001276000-memory.dmp

Filesize
920KB

Download
memory/1508-98-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-99-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/1508-106-0x00000000779F0000-0x00000000779F1000-memory.dmp

Filesize
4KB

Download
memory/1508-113-0x00000000779C0000-0x00000000779C1000-memory.dmp

Filesize
4KB

Download
memory/1508-112-0x00000000779D0000-0x00000000779D1000-memory.dmp

Filesize
4KB

Download
memory/1508-116-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-123-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-101-0x0000000077A20000-0x0000000077A21000-memory.dmp

Filesize
4KB

Download
memory/1508-103-0x0000000077A10000-0x0000000077A11000-memory.dmp

Filesize
4KB

Download
memory/1508-105-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/1508-109-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/1540-88-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-4-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1540-7-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/1540-21-0x00000000779D0000-0x00000000779D1000-memory.dmp

Filesize
4KB

Download
memory/1540-94-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-1-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-22-0x00000000779C0000-0x00000000779C1000-memory.dmp

Filesize
4KB

Download
memory/1540-24-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/1540-26-0x0000000001FE0000-0x0000000001FF8000-memory.dmp

Filesize
96KB

Download
memory/1540-18-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/1540-5-0x0000000077A20000-0x0000000077A21000-memory.dmp

Filesize
4KB

Download
memory/1540-2-0x0000000000690000-0x0000000000710000-memory.dmp

Filesize
512KB

Download
memory/1540-8-0x0000000077A10000-0x0000000077A11000-memory.dmp

Filesize
4KB

Download
memory/1540-10-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1540-11-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/1540-13-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1540-0-0x0000000000220000-0x0000000000306000-memory.dmp

Filesize
920KB

Download
memory/1540-14-0x00000000779F0000-0x00000000779F1000-memory.dmp

Filesize
4KB

Download
memory/1540-15-0x0000000000690000-0x0000000000710000-memory.dmp

Filesize
512KB

Download
memory/1540-17-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/1540-20-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2592-71-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-76-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download
memory/2592-75-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-85-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-79-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download
memory/2592-78-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download
memory/2592-72-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download
memory/2640-70-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-74-0x000000000285B000-0x00000000028C2000-memory.dmp

Filesize
412KB

Download
memory/2640-63-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-51-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-64-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2640-67-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2640-66-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-68-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-53-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2656-69-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2656-73-0x0000000001EAB000-0x0000000001F12000-memory.dmp

Filesize
412KB

Download
memory/2656-65-0x0000000001EA4000-0x0000000001EA7000-memory.dmp

Filesize
12KB

Download
memory/2660-77-0x0000000002F3B000-0x0000000002FA2000-memory.dmp

Filesize
412KB

Download
memory/2660-80-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2660-82-0x0000000002F34000-0x0000000002F37000-memory.dmp

Filesize
12KB

Download
memory/2660-81-0x0000000002F30000-0x0000000002FB0000-memory.dmp

Filesize
512KB

Download
memory/2676-84-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-87-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2676-86-0x0000000002CB4000-0x0000000002CB7000-memory.dmp

Filesize
12KB

Download
memory/2676-83-0x000007FEED6C0000-0x000007FEEE05D000-memory.dmp

Filesize
9.6MB

Download