Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 15:45
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240221-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2884 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 492 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2384 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2608 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1320 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1980 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2208 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 668 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1496 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 648 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1272 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 916 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 672 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 812 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 332 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 932 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 780 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1948 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2204 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2340 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 2448 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2448 schtasks.exe -
Processes:
resource yara_rule \portagentbrowserweb\Containerruntime.exe dcrat behavioral1/memory/2648-13-0x0000000000070000-0x00000000001A2000-memory.dmp dcrat behavioral1/memory/1972-61-0x0000000000F40000-0x0000000001072000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.execsrss.exepid process 2648 Containerruntime.exe 1972 csrss.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2636 cmd.exe 2636 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 ipinfo.io 7 ipinfo.io -
Drops file in Program Files directory 13 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files (x86)\Common Files\67c2f4240f387c Containerruntime.exe File created C:\Program Files (x86)\Windows Portable Devices\services.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc Containerruntime.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe Containerruntime.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\7a0fd90576e088 Containerruntime.exe File created C:\Program Files (x86)\Common Files\Containerruntime.exe Containerruntime.exe File created C:\Program Files (x86)\Uninstall Information\System.exe Containerruntime.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\services.exe Containerruntime.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe Containerruntime.exe File created C:\Program Files (x86)\Uninstall Information\27d1bcfc3c54e0 Containerruntime.exe File created C:\Program Files\Windows NT\Accessories\es-ES\lsm.exe Containerruntime.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc Containerruntime.exe File created C:\Program Files\Windows NT\Accessories\es-ES\101b941d020240 Containerruntime.exe -
Drops file in Windows directory 4 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\PLA\Rules\de-DE\lsm.exe Containerruntime.exe File created C:\Windows\PLA\Rules\de-DE\101b941d020240 Containerruntime.exe File created C:\Windows\Migration\WTR\cmd.exe Containerruntime.exe File created C:\Windows\Migration\WTR\ebf1f9fa8afd6d Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2384 schtasks.exe 2884 schtasks.exe 2888 schtasks.exe 1848 schtasks.exe 1932 schtasks.exe 2252 schtasks.exe 2328 schtasks.exe 2948 schtasks.exe 2324 schtasks.exe 2204 schtasks.exe 2340 schtasks.exe 2336 schtasks.exe 1292 schtasks.exe 2256 schtasks.exe 2812 schtasks.exe 812 schtasks.exe 2936 schtasks.exe 1704 schtasks.exe 668 schtasks.exe 3064 schtasks.exe 2660 schtasks.exe 2608 schtasks.exe 2604 schtasks.exe 1496 schtasks.exe 1272 schtasks.exe 768 schtasks.exe 1636 schtasks.exe 1320 schtasks.exe 1744 schtasks.exe 2740 schtasks.exe 1796 schtasks.exe 960 schtasks.exe 780 schtasks.exe 2288 schtasks.exe 2916 schtasks.exe 2304 schtasks.exe 1492 schtasks.exe 2024 schtasks.exe 332 schtasks.exe 2444 schtasks.exe 3012 schtasks.exe 1988 schtasks.exe 2208 schtasks.exe 932 schtasks.exe 1916 schtasks.exe 1544 schtasks.exe 492 schtasks.exe 648 schtasks.exe 672 schtasks.exe 1948 schtasks.exe 916 schtasks.exe 2540 schtasks.exe 2756 schtasks.exe 2864 schtasks.exe 2844 schtasks.exe 1980 schtasks.exe 1368 schtasks.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Processes:
csrss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 csrss.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
Containerruntime.execsrss.exepid process 2648 Containerruntime.exe 2648 Containerruntime.exe 2648 Containerruntime.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe 1972 csrss.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
csrss.exepid process 1972 csrss.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Containerruntime.execsrss.exedescription pid process Token: SeDebugPrivilege 2648 Containerruntime.exe Token: SeDebugPrivilege 1972 csrss.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.exedescription pid process target process PID 2988 wrote to memory of 2332 2988 nursultan nexgen fix.exe WScript.exe PID 2988 wrote to memory of 2332 2988 nursultan nexgen fix.exe WScript.exe PID 2988 wrote to memory of 2332 2988 nursultan nexgen fix.exe WScript.exe PID 2988 wrote to memory of 2332 2988 nursultan nexgen fix.exe WScript.exe PID 2332 wrote to memory of 2636 2332 WScript.exe cmd.exe PID 2332 wrote to memory of 2636 2332 WScript.exe cmd.exe PID 2332 wrote to memory of 2636 2332 WScript.exe cmd.exe PID 2332 wrote to memory of 2636 2332 WScript.exe cmd.exe PID 2636 wrote to memory of 2648 2636 cmd.exe Containerruntime.exe PID 2636 wrote to memory of 2648 2636 cmd.exe Containerruntime.exe PID 2636 wrote to memory of 2648 2636 cmd.exe Containerruntime.exe PID 2636 wrote to memory of 2648 2636 cmd.exe Containerruntime.exe PID 2648 wrote to memory of 1972 2648 Containerruntime.exe csrss.exe PID 2648 wrote to memory of 1972 2648 Containerruntime.exe csrss.exe PID 2648 wrote to memory of 1972 2648 Containerruntime.exe csrss.exe PID 2636 wrote to memory of 2344 2636 cmd.exe reg.exe PID 2636 wrote to memory of 2344 2636 cmd.exe reg.exe PID 2636 wrote to memory of 2344 2636 cmd.exe reg.exe PID 2636 wrote to memory of 2344 2636 cmd.exe reg.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Recent\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\de-DE\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Rules\de-DE\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Containerruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\portagentbrowserweb\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
memory/1972-61-0x0000000000F40000-0x0000000001072000-memory.dmpFilesize
1.2MB
-
memory/2648-13-0x0000000000070000-0x00000000001A2000-memory.dmpFilesize
1.2MB
-
memory/2648-14-0x0000000000600000-0x000000000061C000-memory.dmpFilesize
112KB
-
memory/2648-15-0x00000000007B0000-0x00000000007C6000-memory.dmpFilesize
88KB
-
memory/2648-16-0x0000000000620000-0x000000000062C000-memory.dmpFilesize
48KB