Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 15:44
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240508-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exenursultan nexgen fix.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeContainerruntime.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3160 schtasks.exe 628 schtasks.exe 1704 schtasks.exe 4268 schtasks.exe 4856 schtasks.exe 5068 schtasks.exe 4636 schtasks.exe 956 schtasks.exe 644 schtasks.exe 3248 schtasks.exe 5064 schtasks.exe 4680 schtasks.exe 4112 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation nursultan nexgen fix.exe 908 schtasks.exe 2184 schtasks.exe 2920 schtasks.exe 4040 schtasks.exe 1480 schtasks.exe 4180 schtasks.exe 3228 schtasks.exe 2396 schtasks.exe File created C:\Windows\Containers\serviced\eddb19405b7ce1 Containerruntime.exe 2156 schtasks.exe 2484 schtasks.exe 3032 schtasks.exe 4040 schtasks.exe 1912 schtasks.exe 2296 schtasks.exe 3008 schtasks.exe 3908 schtasks.exe File created C:\Program Files (x86)\Windows Defender\0a1fd5f707cd16 Containerruntime.exe 1792 schtasks.exe 4444 schtasks.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\ea9f0e6c9e2dcd Containerruntime.exe 4628 schtasks.exe 2932 schtasks.exe 2652 schtasks.exe 5100 schtasks.exe 3816 schtasks.exe 1604 schtasks.exe 2480 schtasks.exe 1548 schtasks.exe 1008 schtasks.exe 2392 schtasks.exe 4692 schtasks.exe 2848 schtasks.exe 4396 schtasks.exe 4368 schtasks.exe 936 schtasks.exe 4868 schtasks.exe 756 schtasks.exe 2236 schtasks.exe 1900 schtasks.exe 3928 schtasks.exe 2552 schtasks.exe 1844 schtasks.exe 3684 schtasks.exe 4524 schtasks.exe File created C:\Program Files\Microsoft Office 15\ClientX64\24dbde2999530e Containerruntime.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\088424020bedd6 Containerruntime.exe 3536 schtasks.exe 1588 schtasks.exe 4388 schtasks.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4112 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3548 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 756 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4680 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3928 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3160 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4040 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3496 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4268 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4856 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4396 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1604 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1480 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 732 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4628 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1668 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5064 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1844 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3324 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4112 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4068 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4380 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1008 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4040 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 644 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2236 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3908 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3536 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4588 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4692 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3860 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4636 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2848 4604 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4220 4604 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral2/memory/4388-13-0x00000000008C0000-0x00000000009F2000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
nursultan nexgen fix.exeWScript.exeContainerruntime.exeContainerruntime.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation nursultan nexgen fix.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Containerruntime.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Containerruntime.exe -
Executes dropped EXE 3 IoCs
Processes:
Containerruntime.exeContainerruntime.exeOfficeClickToRun.exepid process 4388 Containerruntime.exe 3952 Containerruntime.exe 5064 OfficeClickToRun.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 18 IoCs
Processes:
Containerruntime.exeContainerruntime.exedescription ioc process File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\088424020bedd6 Containerruntime.exe File created C:\Program Files\Microsoft Office 15\ClientX64\24dbde2999530e Containerruntime.exe File created C:\Program Files\Internet Explorer\uk-UA\e1ef82546f0b02 Containerruntime.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530e Containerruntime.exe File created C:\Program Files\Windows Multimedia Platform\ea9f0e6c9e2dcd Containerruntime.exe File created C:\Program Files (x86)\Windows Defender\0a1fd5f707cd16 Containerruntime.exe File created C:\Program Files\Windows Mail\sihost.exe Containerruntime.exe File created C:\Program Files\Windows Mail\66fc9ff0ee96c2 Containerruntime.exe File created C:\Program Files\Windows Multimedia Platform\taskhostw.exe Containerruntime.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\ea9f0e6c9e2dcd Containerruntime.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\conhost.exe Containerruntime.exe File opened for modification C:\Program Files\Windows Mail\sihost.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Defender\sppsvc.exe Containerruntime.exe File created C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe Containerruntime.exe File created C:\Program Files\Internet Explorer\uk-UA\SppExtComObj.exe Containerruntime.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe Containerruntime.exe -
Drops file in Windows directory 8 IoCs
Processes:
Containerruntime.exeContainerruntime.exedescription ioc process File created C:\Windows\Containers\serviced\67c2f4240f387c Containerruntime.exe File created C:\Windows\diagnostics\upfc.exe Containerruntime.exe File created C:\Windows\Containers\serviced\backgroundTaskHost.exe Containerruntime.exe File created C:\Windows\Containers\serviced\eddb19405b7ce1 Containerruntime.exe File created C:\Windows\ServiceState\Registry.exe Containerruntime.exe File created C:\Windows\de-DE\MoUsoCoreWorker.exe Containerruntime.exe File created C:\Windows\de-DE\1f93f77a7f4778 Containerruntime.exe File created C:\Windows\Containers\serviced\Containerruntime.exe Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3228 schtasks.exe 1920 schtasks.exe 4588 schtasks.exe 3248 schtasks.exe 3032 schtasks.exe 2920 schtasks.exe 2652 schtasks.exe 3684 schtasks.exe 4040 schtasks.exe 3496 schtasks.exe 4368 schtasks.exe 5100 schtasks.exe 1588 schtasks.exe 4856 schtasks.exe 2396 schtasks.exe 2932 schtasks.exe 4068 schtasks.exe 2236 schtasks.exe 5068 schtasks.exe 3860 schtasks.exe 4636 schtasks.exe 3548 schtasks.exe 956 schtasks.exe 4112 schtasks.exe 2480 schtasks.exe 4220 schtasks.exe 4524 schtasks.exe 3828 schtasks.exe 1480 schtasks.exe 732 schtasks.exe 1912 schtasks.exe 2552 schtasks.exe 2392 schtasks.exe 4180 schtasks.exe 1916 schtasks.exe 4268 schtasks.exe 1900 schtasks.exe 4692 schtasks.exe 4868 schtasks.exe 2184 schtasks.exe 3160 schtasks.exe 1704 schtasks.exe 4396 schtasks.exe 1456 schtasks.exe 2872 schtasks.exe 1008 schtasks.exe 756 schtasks.exe 3928 schtasks.exe 2848 schtasks.exe 1604 schtasks.exe 2296 schtasks.exe 3816 schtasks.exe 4444 schtasks.exe 2156 schtasks.exe 3908 schtasks.exe 3008 schtasks.exe 4112 schtasks.exe 4628 schtasks.exe 3324 schtasks.exe 1792 schtasks.exe 4388 schtasks.exe 908 schtasks.exe 936 schtasks.exe 2484 schtasks.exe -
Modifies registry class 3 IoCs
Processes:
nursultan nexgen fix.exeContainerruntime.exeContainerruntime.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings nursultan nexgen fix.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings Containerruntime.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings Containerruntime.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
Containerruntime.exeContainerruntime.exeOfficeClickToRun.exepid process 4388 Containerruntime.exe 4388 Containerruntime.exe 4388 Containerruntime.exe 4388 Containerruntime.exe 4388 Containerruntime.exe 4388 Containerruntime.exe 4388 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 3952 Containerruntime.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe 5064 OfficeClickToRun.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OfficeClickToRun.exepid process 5064 OfficeClickToRun.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Containerruntime.exeContainerruntime.exeOfficeClickToRun.exedescription pid process Token: SeDebugPrivilege 4388 Containerruntime.exe Token: SeDebugPrivilege 3952 Containerruntime.exe Token: SeDebugPrivilege 5064 OfficeClickToRun.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.execmd.exeContainerruntime.execmd.exedescription pid process target process PID 3444 wrote to memory of 2604 3444 nursultan nexgen fix.exe WScript.exe PID 3444 wrote to memory of 2604 3444 nursultan nexgen fix.exe WScript.exe PID 3444 wrote to memory of 2604 3444 nursultan nexgen fix.exe WScript.exe PID 2604 wrote to memory of 2976 2604 WScript.exe cmd.exe PID 2604 wrote to memory of 2976 2604 WScript.exe cmd.exe PID 2604 wrote to memory of 2976 2604 WScript.exe cmd.exe PID 2976 wrote to memory of 4388 2976 cmd.exe Containerruntime.exe PID 2976 wrote to memory of 4388 2976 cmd.exe Containerruntime.exe PID 4388 wrote to memory of 4560 4388 Containerruntime.exe cmd.exe PID 4388 wrote to memory of 4560 4388 Containerruntime.exe cmd.exe PID 2976 wrote to memory of 628 2976 cmd.exe reg.exe PID 2976 wrote to memory of 628 2976 cmd.exe reg.exe PID 2976 wrote to memory of 628 2976 cmd.exe reg.exe PID 4560 wrote to memory of 4140 4560 cmd.exe w32tm.exe PID 4560 wrote to memory of 4140 4560 cmd.exe w32tm.exe PID 4560 wrote to memory of 3952 4560 cmd.exe Containerruntime.exe PID 4560 wrote to memory of 3952 4560 cmd.exe Containerruntime.exe PID 3952 wrote to memory of 2448 3952 Containerruntime.exe cmd.exe PID 3952 wrote to memory of 2448 3952 Containerruntime.exe cmd.exe PID 2448 wrote to memory of 1772 2448 cmd.exe w32tm.exe PID 2448 wrote to memory of 1772 2448 cmd.exe w32tm.exe PID 2448 wrote to memory of 5064 2448 cmd.exe OfficeClickToRun.exe PID 2448 wrote to memory of 5064 2448 cmd.exe OfficeClickToRun.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uUEmIR9WAS.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4140
-
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ihwhrf84dF.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1772
-
C:\Users\Admin\My Documents\OfficeClickToRun.exe"C:\Users\Admin\My Documents\OfficeClickToRun.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5064 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Music\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Packages\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Packages\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Packages\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\javafx\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\javafx\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\jre\legal\javafx\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\uk-UA\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
PID:4380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\Containerruntime.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\Containerruntime.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 6 /tr "'C:\Windows\Containers\serviced\Containerruntime.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\Logs\User\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\User\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:3248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f1⤵
- Creates scheduled task(s)
PID:3828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:5100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\smss.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\portagentbrowserweb\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\portagentbrowserweb\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:628
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Containerruntime.exe.logFilesize
1KB
MD57800fca2323a4130444c572374a030f4
SHA140c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA25629f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554
-
C:\Users\Admin\AppData\Local\Temp\ihwhrf84dF.batFilesize
213B
MD5561d919aa649d58e71cff90a195a78e6
SHA16f0166b112355a91c5dc877be24d9904a635be6d
SHA25657473b5b991ba7f1cef39b59cfd56648b0d7482b523c731c012b080afa83b829
SHA5121c470b7f619b6afe2217e052129c95df6c81c3aa1476f1f0119327df3fa8f5c230924b9000d86e5bf8fb615b234880d7a39f891a9189c28003c9300c12636a27
-
C:\Users\Admin\AppData\Local\Temp\uUEmIR9WAS.batFilesize
208B
MD56fa83ea24e5e366a15696a73dd9be177
SHA19bfc85a7cadfc9943f428e592aa045e47f24f366
SHA2568c5ffd6b2bac6715a32dc63751fd5f53858f67f11e128a1c5afabc6e3b1b1641
SHA512b68ea64667949e3c993bec8647e2e2649123ff882391e94a625e1642ce468311b157b82192e68afc085d1b632b81bf8d155d9de9248d7b26d785081e5eb31635
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/4388-12-0x00007FFA18223000-0x00007FFA18225000-memory.dmpFilesize
8KB
-
memory/4388-13-0x00000000008C0000-0x00000000009F2000-memory.dmpFilesize
1.2MB
-
memory/4388-14-0x000000001B4C0000-0x000000001B4DC000-memory.dmpFilesize
112KB
-
memory/4388-15-0x000000001BD00000-0x000000001BD50000-memory.dmpFilesize
320KB
-
memory/4388-16-0x000000001B530000-0x000000001B546000-memory.dmpFilesize
88KB
-
memory/4388-17-0x000000001B550000-0x000000001B55C000-memory.dmpFilesize
48KB