Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 15:41
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240419-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1228 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1432 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1752 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1772 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 304 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1464 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1192 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2368 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1180 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1960 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 320 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 476 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1400 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1660 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 2604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 2604 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral1/memory/2896-13-0x0000000000870000-0x00000000009A2000-memory.dmp dcrat behavioral1/memory/1456-46-0x00000000010F0000-0x0000000001222000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.exedwm.exepid process 2896 Containerruntime.exe 1456 dwm.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2672 cmd.exe 2672 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 8 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files\Microsoft Games\Hearts\fr-FR\0a1fd5f707cd16 Containerruntime.exe File created C:\Program Files\VideoLAN\dwm.exe Containerruntime.exe File created C:\Program Files\VideoLAN\6cb0b6c459d5d3 Containerruntime.exe File created C:\Program Files (x86)\Uninstall Information\services.exe Containerruntime.exe File created C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc Containerruntime.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe Containerruntime.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e Containerruntime.exe File created C:\Program Files\Microsoft Games\Hearts\fr-FR\sppsvc.exe Containerruntime.exe -
Drops file in Windows directory 5 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\Cursors\conhost.exe Containerruntime.exe File opened for modification C:\Windows\Cursors\conhost.exe Containerruntime.exe File created C:\Windows\Cursors\088424020bedd6 Containerruntime.exe File created C:\Windows\Web\Wallpaper\Characters\cmd.exe Containerruntime.exe File created C:\Windows\Web\Wallpaper\Characters\ebf1f9fa8afd6d Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1256 schtasks.exe 2212 schtasks.exe 1660 schtasks.exe 2480 schtasks.exe 2788 schtasks.exe 1464 schtasks.exe 1108 schtasks.exe 1932 schtasks.exe 1960 schtasks.exe 2792 schtasks.exe 2812 schtasks.exe 1180 schtasks.exe 1752 schtasks.exe 2368 schtasks.exe 1680 schtasks.exe 684 schtasks.exe 896 schtasks.exe 2588 schtasks.exe 1772 schtasks.exe 1656 schtasks.exe 2984 schtasks.exe 2224 schtasks.exe 476 schtasks.exe 1228 schtasks.exe 1192 schtasks.exe 1400 schtasks.exe 1920 schtasks.exe 2464 schtasks.exe 3056 schtasks.exe 2284 schtasks.exe 304 schtasks.exe 320 schtasks.exe 1432 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
Containerruntime.exedwm.exepid process 2896 Containerruntime.exe 2896 Containerruntime.exe 2896 Containerruntime.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe 1456 dwm.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dwm.exepid process 1456 dwm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Containerruntime.exedwm.exedescription pid process Token: SeDebugPrivilege 2896 Containerruntime.exe Token: SeDebugPrivilege 1456 dwm.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.execmd.exedescription pid process target process PID 2264 wrote to memory of 2424 2264 nursultan nexgen fix.exe WScript.exe PID 2264 wrote to memory of 2424 2264 nursultan nexgen fix.exe WScript.exe PID 2264 wrote to memory of 2424 2264 nursultan nexgen fix.exe WScript.exe PID 2264 wrote to memory of 2424 2264 nursultan nexgen fix.exe WScript.exe PID 2424 wrote to memory of 2672 2424 WScript.exe cmd.exe PID 2424 wrote to memory of 2672 2424 WScript.exe cmd.exe PID 2424 wrote to memory of 2672 2424 WScript.exe cmd.exe PID 2424 wrote to memory of 2672 2424 WScript.exe cmd.exe PID 2672 wrote to memory of 2896 2672 cmd.exe Containerruntime.exe PID 2672 wrote to memory of 2896 2672 cmd.exe Containerruntime.exe PID 2672 wrote to memory of 2896 2672 cmd.exe Containerruntime.exe PID 2672 wrote to memory of 2896 2672 cmd.exe Containerruntime.exe PID 2896 wrote to memory of 824 2896 Containerruntime.exe cmd.exe PID 2896 wrote to memory of 824 2896 Containerruntime.exe cmd.exe PID 2896 wrote to memory of 824 2896 Containerruntime.exe cmd.exe PID 2672 wrote to memory of 1440 2672 cmd.exe reg.exe PID 2672 wrote to memory of 1440 2672 cmd.exe reg.exe PID 2672 wrote to memory of 1440 2672 cmd.exe reg.exe PID 2672 wrote to memory of 1440 2672 cmd.exe reg.exe PID 824 wrote to memory of 2916 824 cmd.exe w32tm.exe PID 824 wrote to memory of 2916 824 cmd.exe w32tm.exe PID 824 wrote to memory of 2916 824 cmd.exe w32tm.exe PID 824 wrote to memory of 1456 824 cmd.exe dwm.exe PID 824 wrote to memory of 1456 824 cmd.exe dwm.exe PID 824 wrote to memory of 1456 824 cmd.exe dwm.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H0ntbKRuBn.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2916
-
C:\Program Files\VideoLAN\dwm.exe"C:\Program Files\VideoLAN\dwm.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1456 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Characters\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Characters\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Hearts\fr-FR\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Favorites\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2556
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\H0ntbKRuBn.batFilesize
198B
MD5a1f10fc71a5f21df55817a5ecd735eac
SHA169017eeaaadd22c6f398dca107d50e75edc8f08d
SHA256e9d67d974e52383af229b5ace9f30841c950abd8a29abf9724bd0f0e6e60c355
SHA5128d03761533597eba97fe31d550dbc9029ef03a42bf829069a1801a6fa788c50a9043ac7a38567ece1f20e38fb71397fe375a08a62b3594917f5a76aed24c2a94
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/1456-46-0x00000000010F0000-0x0000000001222000-memory.dmpFilesize
1.2MB
-
memory/2896-13-0x0000000000870000-0x00000000009A2000-memory.dmpFilesize
1.2MB
-
memory/2896-14-0x0000000000150000-0x000000000016C000-memory.dmpFilesize
112KB
-
memory/2896-15-0x0000000000190000-0x00000000001A6000-memory.dmpFilesize
88KB
-
memory/2896-16-0x0000000000170000-0x000000000017C000-memory.dmpFilesize
48KB