Analysis
-
max time kernel
62s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 15:38
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240508-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeContainerruntime.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1912 schtasks.exe 3036 schtasks.exe 856 schtasks.exe 2100 schtasks.exe 2688 schtasks.exe 2412 schtasks.exe 444 schtasks.exe 2640 schtasks.exe 2844 schtasks.exe 880 schtasks.exe 2012 schtasks.exe 1472 schtasks.exe File created C:\Program Files\Windows Portable Devices\67c2f4240f387c Containerruntime.exe 1012 schtasks.exe 2896 schtasks.exe 2600 schtasks.exe 1516 schtasks.exe 3032 schtasks.exe 1868 schtasks.exe 2628 schtasks.exe 2384 schtasks.exe 2672 schtasks.exe 2488 schtasks.exe 2772 schtasks.exe 2056 schtasks.exe 1328 schtasks.exe 476 schtasks.exe 2792 schtasks.exe 2576 schtasks.exe 2352 schtasks.exe 2380 schtasks.exe 1768 schtasks.exe 2032 schtasks.exe 2368 schtasks.exe 356 schtasks.exe 2940 schtasks.exe 2284 schtasks.exe 1840 schtasks.exe 2832 schtasks.exe 2376 schtasks.exe 2144 schtasks.exe 1280 schtasks.exe 2384 schtasks.exe 2532 schtasks.exe 1988 schtasks.exe 1768 schtasks.exe 1020 schtasks.exe 304 schtasks.exe 904 schtasks.exe 1756 schtasks.exe 444 schtasks.exe 2420 schtasks.exe 2592 schtasks.exe 616 schtasks.exe 2520 schtasks.exe File created C:\Windows\es-ES\winlogon.exe Containerruntime.exe File created C:\Windows\es-ES\cc11b995f2a76d Containerruntime.exe 2484 schtasks.exe 2932 schtasks.exe 2896 schtasks.exe 1512 schtasks.exe 764 schtasks.exe 692 schtasks.exe 1004 schtasks.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 304 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1004 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1868 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 348 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1012 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1876 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2196 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 444 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 880 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1488 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1216 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 856 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2592 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 476 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 764 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 616 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1020 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1280 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1756 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 444 2392 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 692 2392 schtasks.exe -
Processes:
resource yara_rule \portagentbrowserweb\Containerruntime.exe dcrat behavioral1/memory/2588-13-0x0000000000150000-0x0000000000282000-memory.dmp dcrat behavioral1/memory/2856-37-0x0000000000D60000-0x0000000000E92000-memory.dmp dcrat behavioral1/memory/2272-170-0x0000000000D20000-0x0000000000E52000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 4 IoCs
Processes:
Containerruntime.exeContainerruntime.exeContainerruntime.exeIdle.exepid process 2588 Containerruntime.exe 2856 Containerruntime.exe 1424 Containerruntime.exe 2272 Idle.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2520 cmd.exe 2520 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 12 IoCs
Processes:
Containerruntime.exeContainerruntime.exeContainerruntime.exedescription ioc process File created C:\Program Files\Windows Portable Devices\Containerruntime.exe Containerruntime.exe File created C:\Program Files\Windows Portable Devices\67c2f4240f387c Containerruntime.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe Containerruntime.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\42af1c969fbb7b Containerruntime.exe File created C:\Program Files\Mozilla Firefox\spoolsv.exe Containerruntime.exe File created C:\Program Files\Mozilla Firefox\f3b6ecef712a24 Containerruntime.exe File created C:\Program Files\Windows Media Player\en-US\wininit.exe Containerruntime.exe File created C:\Program Files\Windows Media Player\en-US\56085415360792 Containerruntime.exe File created C:\Program Files (x86)\Windows Defender\ja-JP\7a73b78f679a6f Containerruntime.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe Containerruntime.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\56085415360792 Containerruntime.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe Containerruntime.exe -
Drops file in Windows directory 7 IoCs
Processes:
Containerruntime.exeContainerruntime.exedescription ioc process File created C:\Windows\de-DE\7a73b78f679a6f Containerruntime.exe File created C:\Windows\Performance\WinSAT\DataStore\lsm.exe Containerruntime.exe File created C:\Windows\Performance\WinSAT\DataStore\101b941d020240 Containerruntime.exe File created C:\Windows\es-ES\winlogon.exe Containerruntime.exe File opened for modification C:\Windows\es-ES\winlogon.exe Containerruntime.exe File created C:\Windows\es-ES\cc11b995f2a76d Containerruntime.exe File created C:\Windows\de-DE\chrome.exe Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2600 schtasks.exe 2628 schtasks.exe 2520 schtasks.exe 2576 schtasks.exe 2384 schtasks.exe 1004 schtasks.exe 2792 schtasks.exe 1876 schtasks.exe 2692 schtasks.exe 1556 schtasks.exe 1280 schtasks.exe 1988 schtasks.exe 2016 schtasks.exe 476 schtasks.exe 1516 schtasks.exe 444 schtasks.exe 2932 schtasks.exe 1488 schtasks.exe 2012 schtasks.exe 2144 schtasks.exe 1936 schtasks.exe 348 schtasks.exe 1768 schtasks.exe 1756 schtasks.exe 2640 schtasks.exe 1912 schtasks.exe 2592 schtasks.exe 2484 schtasks.exe 1012 schtasks.exe 2032 schtasks.exe 2384 schtasks.exe 1332 schtasks.exe 2412 schtasks.exe 1840 schtasks.exe 2196 schtasks.exe 2636 schtasks.exe 1768 schtasks.exe 616 schtasks.exe 2368 schtasks.exe 2284 schtasks.exe 2064 schtasks.exe 880 schtasks.exe 856 schtasks.exe 764 schtasks.exe 2896 schtasks.exe 1020 schtasks.exe 2772 schtasks.exe 1868 schtasks.exe 2672 schtasks.exe 2832 schtasks.exe 904 schtasks.exe 1328 schtasks.exe 2488 schtasks.exe 1512 schtasks.exe 3032 schtasks.exe 2420 schtasks.exe 2960 schtasks.exe 2896 schtasks.exe 2844 schtasks.exe 2056 schtasks.exe 1472 schtasks.exe 3036 schtasks.exe 444 schtasks.exe 2100 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
Containerruntime.exeContainerruntime.exechrome.exeContainerruntime.exeIdle.exepid process 2588 Containerruntime.exe 2588 Containerruntime.exe 2588 Containerruntime.exe 2856 Containerruntime.exe 844 chrome.exe 844 chrome.exe 1424 Containerruntime.exe 1424 Containerruntime.exe 1424 Containerruntime.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe 2272 Idle.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Containerruntime.exeContainerruntime.exechrome.exeContainerruntime.exeIdle.exedescription pid process Token: SeDebugPrivilege 2588 Containerruntime.exe Token: SeDebugPrivilege 2856 Containerruntime.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeDebugPrivilege 1424 Containerruntime.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeDebugPrivilege 2272 Idle.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe Token: SeShutdownPrivilege 844 chrome.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
chrome.exepid process 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
chrome.exepid process 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe 844 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.execmd.exechrome.exedescription pid process target process PID 1700 wrote to memory of 2144 1700 nursultan nexgen fix.exe WScript.exe PID 1700 wrote to memory of 2144 1700 nursultan nexgen fix.exe WScript.exe PID 1700 wrote to memory of 2144 1700 nursultan nexgen fix.exe WScript.exe PID 1700 wrote to memory of 2144 1700 nursultan nexgen fix.exe WScript.exe PID 2144 wrote to memory of 2520 2144 WScript.exe cmd.exe PID 2144 wrote to memory of 2520 2144 WScript.exe cmd.exe PID 2144 wrote to memory of 2520 2144 WScript.exe cmd.exe PID 2144 wrote to memory of 2520 2144 WScript.exe cmd.exe PID 2520 wrote to memory of 2588 2520 cmd.exe Containerruntime.exe PID 2520 wrote to memory of 2588 2520 cmd.exe Containerruntime.exe PID 2520 wrote to memory of 2588 2520 cmd.exe Containerruntime.exe PID 2520 wrote to memory of 2588 2520 cmd.exe Containerruntime.exe PID 2588 wrote to memory of 2720 2588 Containerruntime.exe cmd.exe PID 2588 wrote to memory of 2720 2588 Containerruntime.exe cmd.exe PID 2588 wrote to memory of 2720 2588 Containerruntime.exe cmd.exe PID 2520 wrote to memory of 2540 2520 cmd.exe reg.exe PID 2520 wrote to memory of 2540 2520 cmd.exe reg.exe PID 2520 wrote to memory of 2540 2520 cmd.exe reg.exe PID 2520 wrote to memory of 2540 2520 cmd.exe reg.exe PID 2720 wrote to memory of 2204 2720 cmd.exe w32tm.exe PID 2720 wrote to memory of 2204 2720 cmd.exe w32tm.exe PID 2720 wrote to memory of 2204 2720 cmd.exe w32tm.exe PID 2720 wrote to memory of 2856 2720 cmd.exe Containerruntime.exe PID 2720 wrote to memory of 2856 2720 cmd.exe Containerruntime.exe PID 2720 wrote to memory of 2856 2720 cmd.exe Containerruntime.exe PID 844 wrote to memory of 284 844 chrome.exe chrome.exe PID 844 wrote to memory of 284 844 chrome.exe chrome.exe PID 844 wrote to memory of 284 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe PID 844 wrote to memory of 1436 844 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N8SyuyWpl3.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2204
-
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\um8HIFfzyt.bat"7⤵PID:2888
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1004
-
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXmV8iK6sd.bat"9⤵PID:676
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1556
-
C:\Users\Admin\Idle.exe"C:\Users\Admin\Idle.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\Containerruntime.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Containerruntime.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\Containerruntime.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5b09758,0x7fef5b09768,0x7fef5b097782⤵PID:284
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:22⤵PID:1436
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:82⤵PID:1504
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:82⤵PID:944
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:12⤵PID:1240
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:12⤵PID:1384
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3188 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:22⤵PID:2364
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3284 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:12⤵PID:1744
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:82⤵PID:2516
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:82⤵PID:2488
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:82⤵PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\chrome.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Containerruntime.exe'" /f1⤵
- Process spawned unexpected child process
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Users\Default User\Containerruntime.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Containerruntime.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\chrome.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\de-DE\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\chrome.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\chrome.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Default\Templates\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\chrome.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /f1⤵
- Creates scheduled task(s)
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1512
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmpFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD580e1eec4586acb751915a651dc5c82d3
SHA1521f3b72a9e98d2b3cbfadd1ed536fbdbfdbcc67
SHA25607da6b05889728a97ee94f97e3e5f2054fd9b537aa674ce05e1d59732cfed699
SHA51225ef428e6d794ddb7fcb874b442518748f11b175409886bd52bf2647e7a1af38c152ea1f65e54665068abd941581b66f64ab27111bbb1d15c09bcb23d6baabea
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5a20585fc4c09fc90b00aba0826e18e74
SHA1b2f17afbb0c5522dea7dac32ab11d2a8c59c3fdd
SHA256bff96d508f8f9825fc2df2c41b21c8e5b5f3b04991bf0a28aca0cd428acdd47c
SHA5125299311272dfaa15543d14addc3cc1f36bba93f30d9dabd0d573d10227ec0a4eebd46eea6e98f9473fca71d96e3a41db2d8623f7952eb2b06c724678fdeeee86
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmpFilesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
282KB
MD5fdb43021b34764389cae493814fd5775
SHA1d9f93eba47e454aad6e4c7bc244e1d2325a03e1e
SHA256c01c236b1747ef72af05e500f7c35aa66f1f02f0752507228461210bc771e60e
SHA512d9401273e9f1585dc7769279c7645b52fdcde64e26f50c1aa1a31eca5885b1deafebaf991380f7bef517dafb4dde8af3c94b156cd29b56acc07099564c45b5f2
-
C:\Users\Admin\AppData\Local\Temp\N8SyuyWpl3.batFilesize
208B
MD5ce0480728a4da0444ab88a508efbc904
SHA1f8e16b6667f01222a2c09d4a393df3d181035878
SHA256dc74365cd4160201fedf53a346934d983c0709150a918500dcdb9e799124f605
SHA512f0c106d07dd42d3c1ce3da2f9c7e8a23833c5c7ed96297f152e13a645e82ff946c1f08ca835ce9180afc341c651c603dcfe0432828fd4f2dc34f6ea3939e75c2
-
C:\Users\Admin\AppData\Local\Temp\VXmV8iK6sd.batFilesize
188B
MD5f7a351fd8fd0f4819a1757d6b17f21e1
SHA1948cfabd492c1b3a18f243ea4bb698d6f529a228
SHA25696b9f5ca01302b138560f557a1a18c25c70f34f725d437aba1fb38bb1fa253f4
SHA5120e68d63d547d8dc02ce706b9e301770e2209bf882bad39244818a2629d03b939fd7d7b127a72f836feb5dd4973e7ca4d8306fca969c6380fa347525f36497502
-
C:\Users\Admin\AppData\Local\Temp\um8HIFfzyt.batFilesize
208B
MD5bb03dfc9b13b517e5500f1bdef2c2a19
SHA1885abf300c93b86e8f1d5e179979a427d372d2b7
SHA256eb81a241e7f0855e8bc88cc62f25724f242638641641b2bb9d709d3870159c51
SHA512b13a430442b85759945090a5271632c4b5af003d6a57c4ff23c16d530204be75f54e05d3ce56943f2f531f2696b7094f3a3aa714a37e013ca0c8d27e39ce756c
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
\??\pipe\crashpad_844_ETQDPUBCPWMUBZAVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
memory/2272-170-0x0000000000D20000-0x0000000000E52000-memory.dmpFilesize
1.2MB
-
memory/2588-14-0x0000000000500000-0x000000000051C000-memory.dmpFilesize
112KB
-
memory/2588-16-0x0000000000540000-0x000000000054C000-memory.dmpFilesize
48KB
-
memory/2588-15-0x0000000000520000-0x0000000000536000-memory.dmpFilesize
88KB
-
memory/2588-13-0x0000000000150000-0x0000000000282000-memory.dmpFilesize
1.2MB
-
memory/2856-37-0x0000000000D60000-0x0000000000E92000-memory.dmpFilesize
1.2MB