Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 15:39
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240215-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2488 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2132 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1892 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1448 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1032 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 864 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1128 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 680 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1020 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 644 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1220 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 964 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1120 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 784 2672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2980 2672 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral1/memory/2120-13-0x0000000000920000-0x0000000000A52000-memory.dmp dcrat behavioral1/memory/1640-52-0x0000000000C60000-0x0000000000D92000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.exeservices.exepid process 2120 Containerruntime.exe 1640 services.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2556 cmd.exe 2556 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 10 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files\Windows Journal\Templates\wininit.exe Containerruntime.exe File created C:\Program Files\Windows Journal\Templates\56085415360792 Containerruntime.exe File created C:\Program Files\Windows Mail\dwm.exe Containerruntime.exe File created C:\Program Files\VideoLAN\VLC\services.exe Containerruntime.exe File created C:\Program Files\VideoLAN\VLC\c5b4cb5e9653cc Containerruntime.exe File created C:\Program Files\Windows Mail\csrss.exe Containerruntime.exe File created C:\Program Files\Windows Mail\6cb0b6c459d5d3 Containerruntime.exe File created C:\Program Files\Windows Mail\886983d96e3d3e Containerruntime.exe File created C:\Program Files\Internet Explorer\es-ES\wininit.exe Containerruntime.exe File created C:\Program Files\Internet Explorer\es-ES\56085415360792 Containerruntime.exe -
Drops file in Windows directory 3 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\CSC\v2.0.6\lsass.exe Containerruntime.exe File created C:\Windows\Vss\smss.exe Containerruntime.exe File created C:\Windows\Vss\69ddcba757bf72 Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1892 schtasks.exe 1428 schtasks.exe 784 schtasks.exe 2552 schtasks.exe 2480 schtasks.exe 1456 schtasks.exe 2336 schtasks.exe 2824 schtasks.exe 2140 schtasks.exe 1448 schtasks.exe 2412 schtasks.exe 644 schtasks.exe 1740 schtasks.exe 1052 schtasks.exe 2488 schtasks.exe 1144 schtasks.exe 2388 schtasks.exe 1128 schtasks.exe 1020 schtasks.exe 1220 schtasks.exe 1472 schtasks.exe 2980 schtasks.exe 2132 schtasks.exe 1256 schtasks.exe 1820 schtasks.exe 1036 schtasks.exe 2160 schtasks.exe 1648 schtasks.exe 964 schtasks.exe 1768 schtasks.exe 1592 schtasks.exe 864 schtasks.exe 2000 schtasks.exe 1120 schtasks.exe 1032 schtasks.exe 1760 schtasks.exe 1588 schtasks.exe 1984 schtasks.exe 680 schtasks.exe 2960 schtasks.exe 2916 schtasks.exe 960 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
Containerruntime.exeservices.exepid process 2120 Containerruntime.exe 2120 Containerruntime.exe 2120 Containerruntime.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe 1640 services.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
services.exepid process 1640 services.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Containerruntime.exeservices.exedescription pid process Token: SeDebugPrivilege 2120 Containerruntime.exe Token: SeDebugPrivilege 1640 services.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.execmd.exedescription pid process target process PID 2700 wrote to memory of 2080 2700 nursultan nexgen fix.exe WScript.exe PID 2700 wrote to memory of 2080 2700 nursultan nexgen fix.exe WScript.exe PID 2700 wrote to memory of 2080 2700 nursultan nexgen fix.exe WScript.exe PID 2700 wrote to memory of 2080 2700 nursultan nexgen fix.exe WScript.exe PID 2080 wrote to memory of 2556 2080 WScript.exe cmd.exe PID 2080 wrote to memory of 2556 2080 WScript.exe cmd.exe PID 2080 wrote to memory of 2556 2080 WScript.exe cmd.exe PID 2080 wrote to memory of 2556 2080 WScript.exe cmd.exe PID 2556 wrote to memory of 2120 2556 cmd.exe Containerruntime.exe PID 2556 wrote to memory of 2120 2556 cmd.exe Containerruntime.exe PID 2556 wrote to memory of 2120 2556 cmd.exe Containerruntime.exe PID 2556 wrote to memory of 2120 2556 cmd.exe Containerruntime.exe PID 2120 wrote to memory of 940 2120 Containerruntime.exe cmd.exe PID 2120 wrote to memory of 940 2120 Containerruntime.exe cmd.exe PID 2120 wrote to memory of 940 2120 Containerruntime.exe cmd.exe PID 940 wrote to memory of 3052 940 cmd.exe w32tm.exe PID 940 wrote to memory of 3052 940 cmd.exe w32tm.exe PID 940 wrote to memory of 3052 940 cmd.exe w32tm.exe PID 2556 wrote to memory of 2216 2556 cmd.exe reg.exe PID 2556 wrote to memory of 2216 2556 cmd.exe reg.exe PID 2556 wrote to memory of 2216 2556 cmd.exe reg.exe PID 2556 wrote to memory of 2216 2556 cmd.exe reg.exe PID 940 wrote to memory of 1640 940 cmd.exe services.exe PID 940 wrote to memory of 1640 940 cmd.exe services.exe PID 940 wrote to memory of 1640 940 cmd.exe services.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9L5366RhnT.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3052
-
C:\Program Files\VideoLAN\VLC\services.exe"C:\Program Files\VideoLAN\VLC\services.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Music\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\portagentbrowserweb\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Vss\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9L5366RhnT.batFilesize
207B
MD5696d442ded21fffd1984c006816f0e59
SHA1553fbdaaefc0fbe539b404e0e43c3c0cb461ac2f
SHA256c0ff4c9ba94aced6f5d649d209b5e2e232ed3db50fdb7f85e8d7b2ea439f9185
SHA5124774867e5c71236718975e98ccfd80f914d1cdc13d8b3ca427d2bceface43a75fcbde65d5b816681cb279f39ec557fa9a174997a9c775f79f5b7c8f86d7257d2
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/1640-52-0x0000000000C60000-0x0000000000D92000-memory.dmpFilesize
1.2MB
-
memory/2120-13-0x0000000000920000-0x0000000000A52000-memory.dmpFilesize
1.2MB
-
memory/2120-14-0x0000000000250000-0x000000000026C000-memory.dmpFilesize
112KB
-
memory/2120-15-0x00000000004F0000-0x0000000000506000-memory.dmpFilesize
88KB
-
memory/2120-16-0x0000000000590000-0x000000000059C000-memory.dmpFilesize
48KB