Analysis
-
max time kernel
126s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 15:41
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240508-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4564 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1976 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4184 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3932 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3184 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4524 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2084 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4140 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3168 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5056 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1080 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1596 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4180 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1112 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 64 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2824 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1672 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3880 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5000 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3540 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2608 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 516 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4444 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3672 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1964 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4636 1684 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1364 1684 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral2/memory/4600-13-0x0000000000D20000-0x0000000000E52000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
nursultan nexgen fix.exeWScript.exeContainerruntime.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation nursultan nexgen fix.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation Containerruntime.exe -
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.exeOfficeClickToRun.exepid process 4600 Containerruntime.exe 1936 OfficeClickToRun.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 16 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files\Windows Portable Devices\fontdrvhost.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe Containerruntime.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe Containerruntime.exe File created C:\Program Files\WindowsPowerShell\088424020bedd6 Containerruntime.exe File created C:\Program Files (x86)\Google\Update\sppsvc.exe Containerruntime.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\ee2ad38f3d4382 Containerruntime.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\5940a34987c991 Containerruntime.exe File created C:\Program Files\WindowsPowerShell\conhost.exe Containerruntime.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\24dbde2999530e Containerruntime.exe File created C:\Program Files (x86)\Windows Media Player\de-DE\e6c9b481da804f Containerruntime.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\088424020bedd6 Containerruntime.exe File created C:\Program Files (x86)\Google\Update\0a1fd5f707cd16 Containerruntime.exe File created C:\Program Files\Windows Portable Devices\5b884080fd4f94 Containerruntime.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe Containerruntime.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe Containerruntime.exe File created C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe Containerruntime.exe -
Drops file in Windows directory 2 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\debug\SppExtComObj.exe Containerruntime.exe File created C:\Windows\debug\e1ef82546f0b02 Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2616 schtasks.exe 1992 schtasks.exe 1976 schtasks.exe 3168 schtasks.exe 1596 schtasks.exe 2960 schtasks.exe 1112 schtasks.exe 1672 schtasks.exe 2096 schtasks.exe 2164 schtasks.exe 2204 schtasks.exe 4140 schtasks.exe 2824 schtasks.exe 5000 schtasks.exe 1996 schtasks.exe 4564 schtasks.exe 1816 schtasks.exe 1968 schtasks.exe 4520 schtasks.exe 3932 schtasks.exe 4492 schtasks.exe 5068 schtasks.exe 2012 schtasks.exe 2024 schtasks.exe 516 schtasks.exe 4636 schtasks.exe 1364 schtasks.exe 64 schtasks.exe 3184 schtasks.exe 2608 schtasks.exe 3008 schtasks.exe 2084 schtasks.exe 2252 schtasks.exe 3228 schtasks.exe 1656 schtasks.exe 3540 schtasks.exe 3672 schtasks.exe 972 schtasks.exe 4180 schtasks.exe 3880 schtasks.exe 3816 schtasks.exe 4184 schtasks.exe 4940 schtasks.exe 5056 schtasks.exe 1080 schtasks.exe 4444 schtasks.exe 1964 schtasks.exe 4524 schtasks.exe -
Modifies registry class 2 IoCs
Processes:
nursultan nexgen fix.exeContainerruntime.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings nursultan nexgen fix.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings Containerruntime.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
Containerruntime.exeOfficeClickToRun.exepid process 4600 Containerruntime.exe 4600 Containerruntime.exe 4600 Containerruntime.exe 4600 Containerruntime.exe 4600 Containerruntime.exe 4600 Containerruntime.exe 4600 Containerruntime.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe 1936 OfficeClickToRun.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OfficeClickToRun.exepid process 1936 OfficeClickToRun.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Containerruntime.exeOfficeClickToRun.exedescription pid process Token: SeDebugPrivilege 4600 Containerruntime.exe Token: SeDebugPrivilege 1936 OfficeClickToRun.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.execmd.exedescription pid process target process PID 4672 wrote to memory of 4452 4672 nursultan nexgen fix.exe WScript.exe PID 4672 wrote to memory of 4452 4672 nursultan nexgen fix.exe WScript.exe PID 4672 wrote to memory of 4452 4672 nursultan nexgen fix.exe WScript.exe PID 4452 wrote to memory of 3624 4452 WScript.exe cmd.exe PID 4452 wrote to memory of 3624 4452 WScript.exe cmd.exe PID 4452 wrote to memory of 3624 4452 WScript.exe cmd.exe PID 3624 wrote to memory of 4600 3624 cmd.exe Containerruntime.exe PID 3624 wrote to memory of 4600 3624 cmd.exe Containerruntime.exe PID 4600 wrote to memory of 544 4600 Containerruntime.exe cmd.exe PID 4600 wrote to memory of 544 4600 Containerruntime.exe cmd.exe PID 3624 wrote to memory of 1576 3624 cmd.exe reg.exe PID 3624 wrote to memory of 1576 3624 cmd.exe reg.exe PID 3624 wrote to memory of 1576 3624 cmd.exe reg.exe PID 544 wrote to memory of 4548 544 cmd.exe w32tm.exe PID 544 wrote to memory of 4548 544 cmd.exe w32tm.exe PID 544 wrote to memory of 1936 544 cmd.exe OfficeClickToRun.exe PID 544 wrote to memory of 1936 544 cmd.exe OfficeClickToRun.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RLFQadQlTM.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4548
-
C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe"C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1936 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portagentbrowserweb\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Containerruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\debug\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RLFQadQlTM.batFilesize
235B
MD59293a79bca46264b0dbbe662abeea91c
SHA1e9939199b0f590ff13b61373c02552e51fab3f8a
SHA256ac3f61dd9c030a7aca8b92b1fa0ca9ef7b3f74ee8e5f1acbab8286d3e6cb0975
SHA512475160cc30c28e1853f748189cca0b7282f8fbe1e4bf28a5751fcf120f9733aa7c174eb169b1eebbd7f51f23e61146cf841c430d8653f65d2e8fb247edbf418f
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/4600-12-0x00007FFE22D33000-0x00007FFE22D35000-memory.dmpFilesize
8KB
-
memory/4600-13-0x0000000000D20000-0x0000000000E52000-memory.dmpFilesize
1.2MB
-
memory/4600-14-0x0000000002F00000-0x0000000002F1C000-memory.dmpFilesize
112KB
-
memory/4600-15-0x000000001C150000-0x000000001C1A0000-memory.dmpFilesize
320KB
-
memory/4600-16-0x000000001B990000-0x000000001B9A6000-memory.dmpFilesize
88KB
-
memory/4600-17-0x0000000002EE0000-0x0000000002EEC000-memory.dmpFilesize
48KB